Pauli [Fri, 23 Jul 2021 01:48:32 +0000 (11:48 +1000)]
QEMU: include test runs for most cross compilation targets
For the cross compiles where the tests couldn't be run, most are capable
of being run when statically linked. For these, a shared with FIPS build
but not test run is also included to maximise compilation coverage.
The builds take a couple of minutes so the impact of these extra jobs
isn't great.
The test failures for test_includes, test_store and test_x509_store
across several platforms are related the the OPENSSL_DIR_read() call.
This gets a "Value too large for defined data type" error calling the
standard library's readdir() wrapper. That is, the failure is during
the translation from the x86-64 structure to the 32 bit structure.
I've tried tweaking the include defines to use larger fields but couldn't
figure out how to make it work. The most prudent fix is to ignore these
tests for these platforms.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16144)
Matt Caswell [Tue, 20 Jul 2021 15:18:04 +0000 (16:18 +0100)]
Mark the EVP_PKEY_METHOD arg as const on some EVP_PKEY_meth_get_*() funcs
Most EVP_PKEY_meth_get_*() functions mark the EVP_PKEY_METHOD argument as
const. But 3 did not. We fix those to be consistent.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16128)
Tomas Mraz [Thu, 22 Jul 2021 13:01:53 +0000 (15:01 +0200)]
Fix potential problems with EVP_PKEY_CTX_new() with engine set
If an engine is non-NULL in EVP_PKEY_CTX_new() call an assert might
have been incorrectly triggered or the engine might be finished
without being inited.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16137)
Tomas Mraz [Thu, 22 Jul 2021 13:25:32 +0000 (15:25 +0200)]
do_sigver_init: Add missing ERR_clear_last_mark()
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16138)
Pauli [Thu, 22 Jul 2021 09:13:41 +0000 (19:13 +1000)]
ci: QEMU based cross compiled testing
With a little set up, Debian provides an ability to use QEMU to execute
programs compiled for other architectures. Using this, most of our cross
compilation CI builds can be executed.
This PR does this.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16133)
Makefile: Avoid changing LIBDIR based on whether it already exists
unix-Makefile.tmpl checks if the target LIBDIR exists on the build
machine or not and based on the result modify the final LIBDIR.
This should be avoided, build results should not depend on the build
machine root filesystem layout. It makes the build results unstable.
The fix simply removes the dir existence test from the unix-Makefile.tmpl.
Fixes: openssl#16121 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16122)
Matt Caswell [Tue, 20 Jul 2021 15:18:58 +0000 (16:18 +0100)]
Add a test for custom EVP_PKEY_METHODs
Adds a test for using custom EVP_PKEY_METHODs without an ENGINE. As part
of this we also test having a custom EVP_PKEY_METHOD that wraps a built-in
EVP_PKEY_METHOD. We do this for both legacy and provided keys.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16118)
Matt Caswell [Mon, 19 Jul 2021 15:17:50 +0000 (16:17 +0100)]
Fix custom EVP_PKEY_METHOD implementations where no engine is present
It is possible to have a custom EVP_PKEY_METHOD implementation without
having an engine. In those cases we were failing to use that custom
implementation.
Fixes #16088
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16118)
Matt Caswell [Tue, 20 Jul 2021 08:58:53 +0000 (09:58 +0100)]
Update our EVP_PKEY_METHODs to get low level keys via public APIs
It is possible to call built-in EVP_PKEY_METHOD functions with a provided
key. For example this might occur if a custom EVP_PKEY_METHOD is in use
that wraps a built-in EVP_PKEY_METHOD. Therefore our EVP_PKEY_METHOD
functions should not assume that we are using a legacy key. Instead we
get the low level key using EVP_PKEY_get0_RSA() or other similar functions.
This "does the right thing" if the key is actually provided.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16118)
SSL_CTX_set_cert_verify_callback.pod: various corrections and clarifications
- Make clear the callback is called whenever a peer certificate has been received,
which is independent of the verification mode.
- Make clear that a return value > 1 always leads to handshake failure.
- Make clear that in server mode also return values <= 0 lead to handshake failure.
- For client mode replace the incorrect formulation "if B<SSL_VERIFY_PEER> is set"
by what is actually implemented: "if the verification mode is not B<SSL_VERIFY_NONE>".
- Refer to X509_STORE_CTX_set_error() rather than to internal error variable.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13937)
Pauli [Fri, 16 Jul 2021 01:38:23 +0000 (11:38 +1000)]
drbg: allow the ctr derivation function to be disabled in FIPS mode
Word from the lab is:
The use of the derivation function is optional if either an approved
RBG or an entropy source provides full entropy output when entropy
input is requested by the DRBG mechanism. Otherwise, the derivation
function shall be used.
So our disallowing it's use was more than required.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16096)
The ASN1_STRING_get0_data(3) manual explitely cautions the reader
that the data is not necessarily NUL-terminated, and the function
X509_alias_set1(3) does not sanitize the data passed into it in any
way either, so we must assume the return value from X509_alias_get0(3)
is merely a byte array and not necessarily a string in the sense
of the C language.
I found this bug while writing manual pages for X509_print_ex(3)
and related functions. Theo Buehler <tb@openbsd.org> checked my
patch to fix the same bug in LibreSSL, see
As an aside, note that the function still produces incomplete and
misleading results when the data contains a NUL byte in the middle
and that error handling is consistently absent throughout, even
though the function provides an "int" return value obviously intended
to be 1 for success and 0 for failure, and even though this function
is called by another function that also wants to return 1 for success
and 0 for failure and even does so in many of its code paths, though
not in others. But let's stay focussed. Many things would be nice
to have in the wide wild world, but a buffer overflow must not be
allowed to remain in our backyard.
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16108)
Petr Gotthard [Sun, 18 Jul 2021 12:19:11 +0000 (14:19 +0200)]
doc: fix OPENSSL_VERSION_NUMBER length in the synopsis
The number has 8 digits (not 9). It is a single integer `0xMNN00PP0L`.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16106)
Matt Caswell [Thu, 15 Jul 2021 13:08:56 +0000 (14:08 +0100)]
Fix some minor record layer issues
Various comments referred to s->packet and s->packet_length instead of
s->rlayer.packet and s->rlayer.packet_length. Also fixed is a spot where
RECORD_LAYER_write_pending() should have been used. Based on the review
comments in #16077.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/16086)
Matt Caswell [Tue, 13 Jul 2021 16:44:44 +0000 (17:44 +0100)]
Disallow SSL_key_update() if there are writes pending
If an application is halfway through writing application data it should
not be allowed to attempt an SSL_key_update() operation. Instead the
SSL_write() operation should be completed.
Fixes #12485
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16077)
Matt Caswell [Tue, 13 Jul 2021 16:19:12 +0000 (17:19 +0100)]
Don't reset the packet pointer in ssl3_setup_read_buffer
Sometimes this function gets called when the buffers have already been
set up. If there is already a partial packet in the read buffer then the
packet pointer will be set to an incorrect value. The packet pointer already
gets reset to the correct value when we first read a packet anyway, so we
don't also need to do it in ssl3_setup_read_buffer.
Fixes #13729
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16077)
Tomas Mraz [Wed, 14 Jul 2021 13:41:22 +0000 (15:41 +0200)]
Signature algos: allow having identical digest in params
The flag_allow_md prevents setting a digest in params however
this is unnecessarily strict. If the digest is the same as the
one already set, we do not return an error.
Fixes #16071
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16076)
apps: Use the first detected address family if IPv6 is not available
This is a follow up of 15729bef385211bc2a0497e2d53a45c45d677d2c. Even
when the host does not support IPv6 at all, BIO_lookup_ex may now
return IN6ADDR_ANY in addition to INADDR_ANY, as the second element of
the ai_next field.
After eee8a40aa5e06841eed6fa8eb4f6109238d59aea, the do_server function
prefers the IPv6 address and fails on the BIO_socket call. This adds
a fallback code to retry with the IPv4 address returned as the first
element to avoid the error.
The failure had been partially avoided in the previous code with
AI_ADDRCONFIG, because getaddrinfo returns only IPv4 address if no
IPv6 address is associated with external interface. However, it would
be still a problem if the external interface has an IPv6 address
assigned, while the loopback interface doesn't.
Signed-off-by: Daiki Ueno <dueno@redhat.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16074)
Tomas Mraz [Tue, 13 Jul 2021 15:41:02 +0000 (17:41 +0200)]
Make EVP_PKEY_check() be an alias for EVP_PKEY_pairwise_check()
The implementation of EVP_PKEY_pairwise_check() is also changed
to handle the legacy keys.
Fixes #16046
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16069)
Pauli [Wed, 14 Jul 2021 01:02:57 +0000 (11:02 +1000)]
apps: avoid using POSIX IO macros and functions when built without them.
Fall back to stdio functions if not available.
Fixes a daily run-checker failure (no-posix-io)
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16073)
Syrone Wong [Tue, 13 Jul 2021 02:04:56 +0000 (10:04 +0800)]
Fix OSSL_TRACE9 missing arg9
Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16060)
Remove executable mode attributes of non-executable files
Remove the executable attributes of some C code files and key files,
change the file mode from 0755 to 0644.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16045)
Pauli [Thu, 8 Jul 2021 01:24:05 +0000 (11:24 +1000)]
apps: add a function opt_legacy_okay() that indicates if legacy paths are permitted or not
By default they are. However, if a provider, provider path or a property query has been specified
they are not. Likewise, if a library context or a property query has been
specified by the command, they are not.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16022)
BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name is given
The flag only affects which record types are queried via DNS (A or
AAAA, or both). When node is NULL and AF_UNSPEC is used, it prevents
getaddrinfo returning the right address associated with the loopback
interface.
Signed-off-by: Daiki Ueno <dueno@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16033)
Tomas Mraz [Fri, 9 Jul 2021 13:48:02 +0000 (15:48 +0200)]
test_cmp_ctx: Avoid using empty X509 with i2d
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/16036)
Richard Levitte [Thu, 8 Jul 2021 17:05:34 +0000 (19:05 +0200)]
Configurations/unix-Makefile.tmpl: use platform->sharedlib() as fallback
If platform->sharedlib_simple() and platform->sharedlib_import()
return undefined, try platform->sharedlib() as a fallback before
platform->staticlib().
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16023)
Richard Levitte [Thu, 8 Jul 2021 03:18:25 +0000 (05:18 +0200)]
platform->sharedlib_simple(): return undef when same as platform->sharedlib()
On some Unix-like platforms, there is no such thing as versioned shared
libraries. In this case, platform->sharedlib_simple() should simply
return undef. Among others, this avoids the shared libraries to be
installed as symlinks on themselves.
Fixes #16012
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16023)
Matt Caswell [Tue, 6 Jul 2021 15:24:07 +0000 (16:24 +0100)]
Fix s_server PSK handling
Issue #15951 describes a scenario which causes s_server to fail when using
a PSK. In the originally described issue this only impacted master and not
1.1.1. However, in fact this issue does also impact 1.1.1 - but only if you
additionally supply the option "-no_ticket" to the s_server command line.
The difference between the behaviour in master and 1.1.1 is due to 9c13b49,
which changed PSK_MAX_IDENTITY_LEN from 128 to 256. It just so happens that
a default OpenSSL TLSv1.3 ticket length happens to fall between those 2
values. Tickets are presented in TLSv1.3 as a PSK "identity". Passing
"no_ticket" doesn't actually stop TLSv1.3 tickets completely, it just
forces the use of "session ids as a ticket" instead. This significantly
reduces the ticket size to below 128 in 1.1.1.
The problem was due to s_server setting a TLSv1.2 PSK callback and a
TLSv1.3 PSK callback. For backwards compat reasons the TLSv1.2 PSK
callbacks also work in TLSv1.3 but are not preferred. In the described
scenario we use a PSK to create the initial connection. Subsequent to that
we attempt a resumption using a TLSv1.3 ticket (psk). If the psk length is
below PSK_MAX_IDENTITY_LEN then we first call the TLSv1.2 PSK callback.
Subsequently we call the TLSv1.3 PSK callback. Unfortunately s_server's
TLSv1.2 PSK callback accepts the identity regardless, even though it is an
unexpected value, and hence the binder subsequently fails to verify.
The fix is to bail early in the TLSv1.2 callback if we detect we are being
called from a TLSv1.3 connection.
Fixes #15951
Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16008)
Matt Caswell [Tue, 6 Jul 2021 10:31:28 +0000 (11:31 +0100)]
Add a PKCS12 test to check with one input cert we get one output cert
Following on from the regression in issue #15983, add a test that with
one input cert, we get one cert in the pkcs12 file, and that it has the
expected friendlyName.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16001)
Matt Caswell [Mon, 5 Jul 2021 16:19:59 +0000 (17:19 +0100)]
Don't add the first pkcs12 certificate multiple times
This fixes a regression introduced by commit 1d6c867. When exporting a set
of certificates to a PKCS12 file we shouldn't add the first one twice. Also
we restore historic behaviour with respect to the canames option where we
have no ee certificate with key.
Fixes #15983
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16001)
Pauli [Wed, 7 Jul 2021 06:32:16 +0000 (16:32 +1000)]
evp: detect and raise an error if no digest is found for a sign/verify operation
If no digest is specified, the code looks for a default digest per PKEY via the
evp_keymgmt_util_get_deflt_digest_name() call. If this call returns NULL,
indicating no digest found, the code continues regardless. If the verify/sign
init later fails, it returns an error without raising one. This change raises
an error in this case.
Fixes #15372
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16015)
Fix by copying one byte less than the buffer size. We anyway overwrite the
last byte.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15993)
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16011)
If the user set nmflags == XN_FLAG_COMPAT and X509_NAME_print_ex(3)
failed, the error return value of 0 was misinterpreted as an indicator
of success, causing X509_print_ex(3) to ignore the error, continue
printing, and potentially return successfully even though not all
the content of the certificate was printed.
The X509_NAME_print_ex(3) manual page explains that this function
indicates failure by returning 0 if nmflags == XN_FLAG_COMPAT
and by returning -1 if nmflags != XN_FLAG_COMPAT.
Note that just checking for <= 0 in all cases would not be correct
either because X509_NAME_print_ex(3) returns 0 to indicate that it
successfully printed zero bytes in some cases, for example when all
three of the following conditions hold:
1. nmflags != XN_FLAG_COMPAT
2. indent == 0 (which X509_print_ex(3) does use in some cases)
3. the name object is NULL or empty
Thanks to Ingo Schwarze <schwarze@openbsd.org> for finding the bug,
and Joel Sing <jsing@openbsd.org> for contributing an idea for the
fix.
Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16009)
Benjamin Kaduk [Tue, 6 Jul 2021 14:49:39 +0000 (07:49 -0700)]
Fix comment for test_negotiated_group() test order
Because of how the 'client_multi' variable is set, we end up
running the tests where the client configures multiple groups (and
the server only configures one) before the ones where the server configures
multiple groups (and the client only configures one).
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16007)
Richard Levitte [Tue, 6 Jul 2021 06:44:37 +0000 (08:44 +0200)]
CRYPTO: Remove the check for built-in methods in the export_to function
That check was seen as necessary at the time, but other changes have
been made since, so we now have better control on when we're handling
legacy structures and methods, making it safe to run the export_to
function on keys with foreign methods.
The basic message is that foreign methods must set key structure
values according to our standards no matter what, or not set them at
all. This has really always been the case, but was harder to see at
the time because of interaction with other bugs.
Fixes #15927
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15996)
Pauli [Mon, 5 Jul 2021 01:01:59 +0000 (11:01 +1000)]
bn: procduce correct sign for result of BN_mod()
There is a problem that appears when calling BN_div(a, c, a, b) with negative b.
In this case, the sign of the remainder c is incorrect. The problem only
occurs if the dividend and the quotient are the same BIGNUM.
Fixes #15982
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15991)
Pauli [Tue, 6 Jul 2021 08:50:11 +0000 (18:50 +1000)]
err: remove ERR_GET_FUNC()
This is problematic in 3.0 because the function codes are all defined as zero.
This leads to either every error matching or no error ever matching. Both
are problematic for users. The OTC vote resolved to remove this function
completely.
Fixes #15946
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16004)
Pauli [Fri, 18 Jun 2021 23:54:55 +0000 (09:54 +1000)]
test: add some integral type size sanity checks
With the recent problem on VMS of maxint_t being defined as a 32 bit integer
despite OpenSSL mandating 64 bit integers being available, it seems prudent
to add some sanity checks for out integral types.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15830)
Matt Caswell [Wed, 23 Jun 2021 07:54:12 +0000 (08:54 +0100)]
Avoid "excessive message size" for session tickets
We received a report of an "excessive message size" for a received
session ticket. Our maximum size was significantly less than the theoretical
maximum. The server may put any data it likes in the session ticket
including (for example) the full certificate chain so we should be able to
handle longer tickets. Update the value to the maximum allowed by the spec.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15877)
projects / thirdparty / openssl.git / log
