Trev Larock [Fri, 28 May 2021 12:54:44 +0000 (12:54 +0000)]
Modify ssl_handshake_hash to call SSLfatal
When EVP_MD_CTX_new fails call SSLfatal before the goto err.
This resolves a state machine issue on the out of memory condition.
Fixes #15491.
CLA: trivial
Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15520)
Tomas Mraz [Mon, 31 May 2021 15:00:38 +0000 (17:00 +0200)]
Make the 00-prep_*.t recipe truly mandatory
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15550)
Tomas Mraz [Mon, 31 May 2021 12:22:35 +0000 (14:22 +0200)]
Windows CI: enable fips on shared 64 bit build
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15550)
Tomas Mraz [Mon, 31 May 2021 12:18:56 +0000 (14:18 +0200)]
Fix enable-fips builds on Windows
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15550)
Jon Spillett [Tue, 18 May 2021 03:37:35 +0000 (13:37 +1000)]
Pass library context and property query into private key decoders
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14587)
Jon Spillett [Thu, 6 May 2021 01:55:42 +0000 (11:55 +1000)]
Fix up encoder/decoder issues caused by not passing a library context to the PKCS8 encrypt/decrypt
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14587)
Jon Spillett [Mon, 15 Mar 2021 04:26:09 +0000 (14:26 +1000)]
Enhance the encoder/decoder tests to allow testing with a non-default library context and configurable providers
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14587)
Shane Lontis [Sat, 29 May 2021 07:16:22 +0000 (17:16 +1000)]
Fix error stack for some fetch calls.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15532)
Shane Lontis [Thu, 27 May 2021 08:08:53 +0000 (18:08 +1000)]
Fix aes cfb1 so that it can operate in bit mode.
The code to handle the cipher operation was already in the provider.
It just needed a OSSL_PARAM in order to set this into the algorithm.
EVP_CIPHER_CTX_set_flags() has been modified to pass the OSSL_PARAM.
Issue reported by Mark Powers from Acumen.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15496)
Pauli [Mon, 31 May 2021 00:29:55 +0000 (10:29 +1000)]
add some cross compilation builds
Add some cross compiling builds to test things aren't broken.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15535)
Pauli [Mon, 31 May 2021 05:33:22 +0000 (15:33 +1000)]
sparc: fix cross compile build
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15535)
Pauli [Mon, 31 May 2021 05:16:16 +0000 (15:16 +1000)]
ppc: fix ambiguous if if else statement
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15535)
Jan Lana [Thu, 27 May 2021 21:27:58 +0000 (23:27 +0200)]
Update solaris64-sparcv9-cc build target cflags
Fixes #15507
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15509)
Richard Levitte [Fri, 28 May 2021 16:09:51 +0000 (18:09 +0200)]
Add the usual autowarn perl snippet in providers/common/der/*.in
We have this in all other .in files, so these should have that as well.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15524)
Matt Caswell [Mon, 24 May 2021 10:40:34 +0000 (11:40 +0100)]
Teach EVP_PKEYs to say whether they were decoded from explicit params
Currently we explicitly downgrade an EVP_PKEY to an EC_KEY and ask
the EC_KEY directly whether it was decoded from explicit parameters or not.
Instead we teach EVP_PKEYs to respond to a new parameter for this purpose.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15526)
Matt Caswell [Fri, 21 May 2021 10:55:33 +0000 (11:55 +0100)]
Special case SM2 when decoding
SM2 abuses the EC oid by reusing it - but an EC key is different to an SM2
key. Therefore we have to special case SM2 during decoding. If we encounter
the EC OID then we have to try both algorithms.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15522)
Shane Lontis [Fri, 28 May 2021 01:42:41 +0000 (11:42 +1000)]
Fix PKCS7_verify to not have an error stack if it succeeds.
Revert a change in behavior to BIO_write(). If a NULL BIO
is passed, no error is raised and the return value is 0. There are
many places where the return code from the write was not checked,
resulting in an error stack with no error status being returned.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15493)
Richard Levitte [Fri, 28 May 2021 05:54:04 +0000 (07:54 +0200)]
Rearrange the check of providers/fips.so dependencies
The mechanism had special cases to guess when something was generated
from a .in file. It's better, though, to use the knowledge in
configdata.pm, especially when the generated file is in a different
location than its source.
Cleanups are added, and we change the use of sed to a use of perl
when cleaning up paths with 'something/../' in them, since perl has
more powerful tools for this sort of thing.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15514)
Amitay Isaacs [Tue, 13 Oct 2020 09:11:40 +0000 (05:11 -0400)]
ec: Add PPC64 vector assembly version of p521 field operations
Only field multiplication and squaring (but not reduction) show a
significant improvement. This is enabled on Power ISA >= 3.0.
On a Power 9 CPU an average 10% performance improvement is seen (ECHDE:
14%, ECDSA sign: 6%, ECDSA verify 10%), compared to existing code.
On an upcoming Power 10 CPU we see an average performance improvement
of 26% (ECHDE: 38%, ECDSA sign: 16%, ECDSA verify 25%), compared to
existing code.
Signed-off-by: Amitay Isaacs <amitay@ozlabs.org> Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15401)
Martin Schwenke [Wed, 12 May 2021 04:21:58 +0000 (14:21 +1000)]
ec: Add run time code selection for p521 field operations
This is only used if ECP_NISTP521_ASM is defined and this currently
only occurs on PPC64.
This simply chooses the C reference implementation, which will be the
default when custom code is available for certain CPUs.
Only the multiplication and squaring operations are handled, since the
upcoming assembly code only contains those. This scheme can be easily
extended to handle reduction too.
Signed-off-by: Martin Schwenke <martin@meltin.net> Signed-off-by: Amitay Isaacs <amitay@ozlabs.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15401)
Martin Schwenke [Wed, 12 May 2021 01:47:55 +0000 (11:47 +1000)]
ec: Rename reference p521 field operations and use them via macros
This will allow clean addition of assembly versions of these operations.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15401)
Martin Schwenke [Wed, 2 Dec 2020 08:05:44 +0000 (19:05 +1100)]
perlasm/ppc-xlate.pl: Handle rewriting of vector registers
Power has 2 numbering systems for vector registers:
* VR: Vector Registers are numbered from 0 to 31
* VSR: Vector-Scalar registers are numbers from 32 to 63
These refer to the same registers. Some instructions use VR numbering
for their operands, while others use VSR numbering.
When using Perl to provide a meaningful name for a register it makes
sense to use the same variable for both VR and VSR instructions. This
makes the code more readable.
However, providing a VSR number (i.e. >=32) to an instruction that
expects a VR number will cause an assembler error.
So, for instructions that require VR numbering, map VSR numbers
(i.e. >=32) to VR numbers. This also allows existing code that uses
VR numbering to remain unchanged.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15401)
Shane Lontis [Fri, 28 May 2021 07:18:56 +0000 (17:18 +1000)]
Fix intermittent CI failure in evp_kdf_test for non_caching build.
Fixes #15515
Another case of the order that tests run in causes a failure.
A new test was loading "legacy" into the default lib ctx. If it
ran first then everything fails. The test now has its own lib ctx.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15516)
Shane Lontis [Sat, 22 May 2021 02:29:18 +0000 (12:29 +1000)]
EVP_CIPHER Documentation updates
EVP_EncryptInit.pod now follows the pattern used in EVP_DigestInit.pod.
i.e.
'=item' is used for methods
PARAMETERS and CONTROLS sections have been added.
The PARAMETERS list has been moved from provider-cipher.pod (this file just
has a link now).
Missing fields were updated.
The CONTROLS shows the mappings to OSSL_PARAM keys.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15416)
Sven Schwermer [Thu, 27 May 2021 06:41:07 +0000 (08:41 +0200)]
ERR: Rebuild generated engine error files
CLA: trivial
Signed-off-by: Sven Schwermer <sven.schwermer@disruptive-technologies.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15495)
Sven Schwermer [Thu, 27 May 2021 06:33:08 +0000 (08:33 +0200)]
mkerr: Fix string literal conversion
This fixes a compiler warning on clang-1205.0.22.9 when compiling the
generated code as C++11:
ISO C++11 does not allow conversion from string literal to 'char *'
[-Wwritable-strings]
CLA: trivial
Signed-off-by: Sven Schwermer <sven.schwermer@disruptive-technologies.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15495)
Shane Lontis [Wed, 26 May 2021 00:26:27 +0000 (10:26 +1000)]
Fix PKCS12_create() so that a fetch error is not added to the error stack.
Fixes #15392
PBE algorithms such as NID_pbe_WithSHA1And3_Key_TripleDES_CBC will
currently always fail to the EVP_CIPHER_fetch() call, so the fallback to
a legacy algorithm always happens. In this case the error stack should
ignore the fetch error.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15473)
Tommy Chiang [Wed, 26 May 2021 18:46:13 +0000 (02:46 +0800)]
Fix typo about SSL_CONF_FLAG_CMDLINE
change SSL_CONF_CMDLINE to SSL_CONF_FLAG_CMDLINE
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15489)
Rich Salz [Wed, 19 May 2021 15:09:49 +0000 (11:09 -0400)]
Rework and make DEBUG macros consistent.
Remove unused -DCONF_DEBUG and -DBN_CTX_DEBUG.
Rename REF_PRINT to REF_DEBUG for consistency, and add a new
tracing category and use it for printing reference counts.
Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG
Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to
be set also.
Rename engine_debug_ref to be ENGINE_REF_PRINT also for consistency.
Fixes #15357
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15353)
David Makepeace [Wed, 26 May 2021 13:07:38 +0000 (23:07 +1000)]
Fix doc typos.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15483)