Commit graph

2569 commits

Author SHA1 Message Date
Matt Caswell
29dc6e00f2 Load the config file by default
Previously we only loaded the config file by default for libssl. Now we do
it for libcrypto too.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9492)
2019-08-01 09:59:20 +01:00
Matt Caswell
988b29850b Suppress loading the FIPS module in evp_test
Running evp_test with the FIPS module has never worked because the
config file was never loaded by default. Actually loading the FIPS module
reveals lots of failures in evp_test. The following commits will enable
loading the config file by default and so we temporarily disable running
the evp_test with the FIPS module until the tests can be fixed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9492)
2019-08-01 09:58:54 +01:00
Matt Caswell
8453096ebf Properly process the "Availablein" keyword for evp_test
The "Availablein" keyword is supposed to indicate which providers are
required in evp_test in order for a particular test to pass. Unfortunately
this didn't work. If the provider was available then the test failed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9492)
2019-08-01 09:58:54 +01:00
Nicola Tuveri
f5b7f99e69 Temporary workaround for ectest.c for [extended tests]
[extended tests]

This is a temporary workaround for issue #9251, which contains a full
discussion of the real problem.

As a temporary workaround, we test `EC_GROUP_new_from_ecparameters()`
against a curve that does not currently have alternative
implementations.

The proper fix is dependant on resolution of issue #8615

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9474)
2019-07-31 14:41:44 +03:00
Richard Levitte
add8c8e964 ERR: Remove ERR_put_func_error() and reimplement ERR_put_error() as a macro
Also, deprecate ERR_put_error()

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9452)
2019-07-31 06:44:45 +02:00
Bernd Edlinger
35f6fe7ac4 Fix BIO_printf format warnings
[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9479)
2019-07-30 20:41:30 +02:00
Pauli
e9a5932d04 Add weak platform independent PRNG to test framework.
Implement the GNU C library's random(3) pseudorandom number generator.
The algorithm is described: https://www.mscs.dal.ca/~selinger/random/

The rationale is to make the tests repeatable across differing platforms with
different underlying implementations of the random(3) library call.

More specifically: when executing tests with random ordering.

[extended tests]

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9463)
2019-07-29 09:11:15 +10:00
Richard Levitte
e2f72313cc test/recipes/30-test_evp.t: Modify to test with different providers
Different providers will give different results, and we need to test
them all.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9398)
2019-07-26 18:14:41 +02:00
Richard Levitte
3b5d61f472 test/evp_test.c: modify to use OSSL_PROVIDER_available()
This changes the stanza format used so far.  Some test stanza had the
following line, only possible for digests:

    Legacy = 1

These have been traded for the following:

    Availablein = legacy

That line is globally available in all test stanza and can be used to
tell what providers a certain algorithm may be available in.  Only one
provider needs to match, so one might have something like this for
some tests:

    Availablein = default fips

This means that one of those providers must be available for the test
stanza to be performed.

If the providers mentioned for a stanza aren't available, the test is
skipped.
If this line isn't used in a stanza, the algorithm is assumed to be
available unconditionally (either by fallback providers, or providers
loaded by the config file).

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9398)
2019-07-26 18:14:41 +02:00
Bernd Edlinger
6de1fe9086 Enforce a minimum DH modulus size of 512 bits
[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9437)
2019-07-24 14:44:08 +02:00
Richard Levitte
2617501348 Replace OSSL_ITEM with OSSL_PARAM as parameter descriptor, everywhere
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9346)
2019-07-23 07:30:33 +02:00
Bernd Edlinger
a38c878c2e Change DH parameters to generate the order q subgroup instead of 2q
This avoids leaking bit 0 of the private key.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/9363)
2019-07-22 20:03:27 +02:00
Rich Salz
56c3a135b2 Add ERR_put_func_error, and use it.
Change SYSerr to have the function name; remove SYS_F_xxx defines
Add a test and documentation.
Use get_last_socket_err, which removes some ifdef's in OpenSSL code.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9072)
2019-07-22 16:24:56 +02:00
Pauli
7312ef3fc4 Add param builder free function.
This means include deallocation information in the return from
the ossl_param_bld_to_param function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9404)
2019-07-19 01:14:07 +10:00
Richard Levitte
5800ba7610 test/enginetest.c: Make sure no config file is loaded
If a config file gets loaded, the tests get disturbed.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9393)
2019-07-19 20:18:34 +02:00
Pauli
3c93fbacf6 Parameter building utilities.
A fuller implementation of PARAMS_TEMPLATE as per #9266 but renamed.
This introduces a statis data type which can be used to constructor a
description of a parameter array.  It can then be converted into a OSSL_PARAM
array and the allocated storage freed by a single call to OPENSSL_free.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9305)
2019-07-17 16:59:09 +10:00
Pauli
4bd8b24045 remove end of line spaces
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/9397)
2019-07-16 20:35:42 +10:00
Pauli
dd6b270618 Remove tab characters from C source files.
Some have been creeping into the source code.

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/9397)
2019-07-16 20:24:10 +10:00
Rich Salz
aac96e2797 Remove function name from errors
Deprecate all xxx_F_ defines.
Removed some places that tested for a specific function.
Use empty field for the function names in output.
Update documentation.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9058)
2019-07-16 05:26:28 +02:00
Shane Lontis
459b15d451 Add Common shared code needed to move aes ciphers to providers
Custom aes ciphers will be placed into multiple new files
(instead of the monolithic setup used in the e_aes.c legacy code)
so it makes sense to have a header for the platform specific
code that needs to be shared between files.
modes_lcl.h has also moved to modes_int.h to allow sharing with the
provider source.
Code that will be common to AEAD ciphers has also been added. These
will be used by seperate PR's for GCM, CCM & OCB.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9301)
2019-07-16 09:46:14 +10:00
Matt Caswell
0d345f0e10 Make the PACKET/WPACKET code available to both libcrypto and libssl
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9111)
2019-07-12 06:26:46 +10:00
David Makepeace
54846b7c6e Add simple ASN.1 utils for DSA signature DER.
Adds simple utility functions to allow both the default and fips providers to
encode and decode DSA-Sig-Value and ECDSA-Sig-Value (DSA_SIG and ECDSA_SIG
structures) to/from ASN.1 DER without requiring those providers to have a
dependency on the asn1 module.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9111)
2019-07-12 06:26:46 +10:00
Richard Levitte
48ebde226d test/evp_test.c: [ciphers] Test that we get back the same IV we gave
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9328)
2019-07-11 07:27:02 +02:00
Shane Lontis
1aec7716c1 Add X9.42 KDF.
Move the KDF code for CMS DH key agreement into an EVP_KDF object.
There are 2 specifications for X9.42 KDF. This implementation uses DER for
otherinfo which embeds the KDF loop counter inside the DER object.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8898)
2019-07-09 09:33:18 +10:00
Bernd Edlinger
291f616ced Fix an endless loop in BN_generate_prime_ex
Happens when trying to generate 4 or 5 bit safe primes.

[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9311)
2019-07-07 08:05:33 +02:00
Richard Levitte
7e47db5b56 test/recipes/02_test_errstr.t: Make it less fragile
Change it to split the error string returned by `openssl errstr` in a
more robust manner, and ensure it's the reason code we look at.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9304)
2019-07-04 12:06:43 +02:00
Antoine Cœur
c2969ff6e7 Fix Typos
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9288)
2019-07-02 14:22:29 +02:00
Patrick Steuer
f663ddc7b0 test/p_test.c: silence -Wstringop-overflow
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9282)
2019-07-02 13:14:42 +02:00
Rich Salz
6b10d29c1a Remove NextStep support
Because of that we can remove OPENSSL_UNISTD and some other
macros from e_os2.h and opensslconf.h

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9204)
2019-07-01 13:32:46 -04:00
Matt Caswell
19ea6b2b37 Fix a leak in evp_test
If evp_test fails to load the legacy provider then it leaks a reference
to the default provider.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9270)
2019-07-01 10:30:49 +01:00
Matt Caswell
9a131ad747 Change RC5_32_set_key to return an int type
If the key is too long we now return an error.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8834)
2019-07-01 10:18:37 +01:00
Antoine Cœur
68756b12f5 Fix Typos
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9275)
2019-07-01 10:09:22 +02:00
Paul Yang
bc42bd6298
Support SM2 certificate signing
SM2 certificate signing request can be created and signed by OpenSSL
now, both in library and apps.

Documentation and test cases are added.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9085)
2019-06-28 18:58:19 +08:00
Matt Caswell
57ca171a13 Make the RAND code available from inside the FIPS module
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9035)
2019-06-28 10:22:21 +01:00
Matt Caswell
70c35fd1f6 Rename EVP_MD_upref/EVP_CIPHER_upref to EVP_MD_up_ref/EVP_CIPHER_up_ref
All the other upref functions are spelled as "up_ref". These new functions
should be consistent.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9233)
2019-06-28 10:02:09 +01:00
Benjamin Kaduk
7cb8fb07e8 Add regression test for #9099
Augment the cert_cb sslapitest to include a run that uses
SSL_check_chain() to inspect the certificate prior to installing
it on the SSL object.  If the check shows the certificate as not
valid in that context, we do not install a certificate at all, so
the handshake will fail later on in processing (tls_choose_sigalg()),
exposing the indicated regression.

Currently it fails, since we have not yet set the shared sigalgs
by the time the cert_cb runs.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9157)
2019-06-26 12:20:55 -05:00
Paul Yang
4b931252be Fix incorrect usage of a test case
test/x509_check_cert_pkey_test.c has incorrect usage description.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9250)
2019-06-26 17:36:56 +08:00
Pauli
edc6235648 The params_test uses wrong size for BN check.
Before the return size was included in the OSSL_PARAM structure, the size
global was updated via a pointer.  The size global variable has been removed
and the in structure return size used instead.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9248)
2019-06-26 16:33:41 +10:00
Shane Lontis
10c25644e3 EC only uses approved curves in FIPS mode.
Once there are buildable fips tests, some tests that are data driven
from files will need to be modified to exclude non approved curves in
fips mode.

These changes were tested by temporarily adding #define FIPS_MODE 1 to
all the modified source files.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9081)
2019-06-25 12:00:25 +10:00
Richard Levitte
a9550b74d3 OSSL_NAMEMAP: make names case insensitive
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8967)
2019-06-24 10:58:13 +02:00
Richard Levitte
734a462e40 Add a namemap test
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8967)
2019-06-24 10:58:13 +02:00
Pauli
2c840201e5 Allow AES XTS decryption using duplicate keys.
This feature is enabled by default outside of FIPS builds
which ban such actions completely.

Encryption is always disallowed and will generate an error.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9112)
2019-06-24 17:54:47 +10:00
Pauli
4e7991b497 Change OSSL_PARAM return size to not be a pointer.
Instead of referencing the return size from the OSSL_PARAM structure, make the
size a field within the structure.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9135)
2019-06-24 14:43:55 +10:00
Pauli
2d905f6715 Print thread IDs nicely.
Remove the union that effectively cast thread IDs to long integers before
display and instead print a hex dump of the entire object.

Refer #9191

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9194)
2019-06-21 08:29:44 +10:00
Richard Levitte
ba4341316c test/testutil/init.c, apps/openssl.c: add trace cleanup handle earlier
It turned out that the internal trace cleanup handler was added too
late, so it would be executed before OPENSSL_cleanup().
This results in address errors, as the trace code that's executed in
OPENSSL_cleanup() itself tries to reach for data that's been freed at
that point.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9196)
2019-06-20 18:19:06 +02:00
Frederik Wedel-Heinen
7a5f5fd32a Update test/README
Changed a bad reference: test/Makefile -> test/build.info

Add ../apps/include as include path to include opt.h used by test/testutil.h.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9154)
2019-06-20 17:16:50 +10:00
Tomas Mraz
8b7b32921e Fix and document BIO_FLAGS_NONCLEAR_RST behavior on memory BIO
The BIO_FLAGS_NONCLEAR_RST flag behavior was not properly documented
and it also caused the length to be incorrectly set after the reset
operation.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9179)
2019-06-19 14:29:27 +02:00
Richard Levitte
d73458d17a Add tracing capability in test utilities
If a test program goes wrong, it's sometimes helpful to be able to
trace what goes on in libcrypto and libssl.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9191)
2019-06-19 12:43:05 +02:00
Rich Salz
8908d18cb1 Change ERR_add_error_[v]data to append
The "add error data" functions now append to the current error.
Add a test for this.
Cleanup some of the ERR_put functions.
In the FIPS module, always append "(in the FIPS module)" to any errors.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9181)
2019-06-18 23:21:38 +02:00
Matt Caswell
52b18ce104 Add the function OPENSSL_thread_stop_ex()
This adds the ability to clean up a thread on a per OPENSSL_CTX basis.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9040)
2019-06-17 16:19:44 +01:00