Commit graph

3031 commits

Author SHA1 Message Date
Richard Levitte
467b8e5675 Re-implement 'openssl list -mac-algorithms'
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8877)
2019-08-15 22:12:25 +02:00
Richard Levitte
d747fb2ec5 Adapt apps/mac.c to use provider based MACs
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8877)
2019-08-15 22:12:25 +02:00
Richard Levitte
e74bd29053 Prepare EVP_MAC infrastructure for moving all MACs to providers
Quite a few adaptations are needed, most prominently the added code
to allow provider based MACs.

As part of this, all the old information functions are gone, except
for EVP_MAC_name().  Some of them will reappear later, for example
EVP_MAC_do_all() in some form.

MACs by EVP_PKEY was particularly difficult to deal with, as they
need to allocate and deallocate EVP_MAC_CTXs "under the hood", and
thereby implicitly fetch the corresponding EVP_MAC.  This means that
EVP_MACs can't be constant in a EVP_MAC_CTX, as their reference count
may need to be incremented and decremented as part of the allocation
or deallocation of the EVP_MAC_CTX.  It may be that other provider
based EVP operation types may need to be handled in a similar manner.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8877)
2019-08-15 22:12:25 +02:00
Richard Levitte
ad623ec0cb Modify 'openssl list' to give more verbose descriptions
With the diverse {get,set}table_params functions, it's possible to
give a more verbose description of the diverse algorithm
implementations.  Most notably, we add a description of the parameters
that each implementation is willing to share.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9576)
2019-08-15 10:51:08 +02:00
Matt Caswell
a9612d6c03 Make the EC code available from inside the FIPS provider
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9380)
2019-08-06 11:19:07 +01:00
Rich Salz
ff988500c2 Replace FUNCerr with ERR_raise_data
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9496)
2019-08-02 11:41:54 +02:00
Dr. Matthias St. Pierre
d0cf719efb Remove HEADER_X509_H and HEADER_SSL_H include detectors from apps
The HEADER_X509_H check is redundant, because <openssl/x509.h>
is already included.

Instead of of checking for HEADER_SSL_H, include <openssl/ssl.h>
explicitly in "s_apps.h" and don't include "s_apps.h" where it's
not necessary.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9364)
2019-07-24 15:48:53 +02:00
Richard Levitte
b8441adb59 Re-implement the cipher and digest listings for 'openssl list'
They now display both legacy and provided algorithms.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9356)
2019-07-23 06:34:09 +02:00
Bernd Edlinger
a38c878c2e Change DH parameters to generate the order q subgroup instead of 2q
This avoids leaking bit 0 of the private key.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/9363)
2019-07-22 20:03:27 +02:00
Rich Salz
46160e6fb9 Deprecate SYSerr, add new FUNCerr macro
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9072)
2019-07-22 16:24:56 +02:00
Rich Salz
56c3a135b2 Add ERR_put_func_error, and use it.
Change SYSerr to have the function name; remove SYS_F_xxx defines
Add a test and documentation.
Use get_last_socket_err, which removes some ifdef's in OpenSSL code.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9072)
2019-07-22 16:24:56 +02:00
Pauli
4bd8b24045 remove end of line spaces
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/9397)
2019-07-16 20:35:42 +10:00
Pauli
dd6b270618 Remove tab characters from C source files.
Some have been creeping into the source code.

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/9397)
2019-07-16 20:24:10 +10:00
Viktor Dukhovni
5fe499cb75 Actually silently ignore GET / OCSP requests
Reviewed-by: Matt Caswell <matt@openssl.org>
2019-07-16 06:11:15 -04:00
Rich Salz
aac96e2797 Remove function name from errors
Deprecate all xxx_F_ defines.
Removed some places that tested for a specific function.
Use empty field for the function names in output.
Update documentation.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9058)
2019-07-16 05:26:28 +02:00
Pauli
b481fbe68b Coverity #1451595: use correct free function.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9362)
2019-07-12 05:41:47 +10:00
Richard Levitte
753149d97f Move the code for 'openssl list' to its own translation unit.
That makes it easier to work with than going through apps/openssl.c
This also moves the implementation of calculate_columns() and makes it
generally accessible.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9340)
2019-07-15 07:00:29 +02:00
Richard Levitte
4b62b8ed49 Refactor apps/progs.* to be generate with 'make update'
This makes for a cleaner apps/progs.h as well as as cleaner
apps/build.info.

We also break out the type declarations to apps/include/function.h

apps/progs.c and apps/progs.h are NOT regenerated when 'apps' is
disabled.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9340)
2019-07-15 07:00:29 +02:00
Dmitry Belyavskiy
9fd6f7d1cd Avoid NULL pointer dereference. Fixes #9043.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9059)
2019-07-08 20:14:50 +10:00
Antoine Cœur
c2969ff6e7 Fix Typos
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9288)
2019-07-02 14:22:29 +02:00
Rich Salz
6b10d29c1a Remove NextStep support
Because of that we can remove OPENSSL_UNISTD and some other
macros from e_os2.h and opensslconf.h

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9204)
2019-07-01 13:32:46 -04:00
Matt Caswell
9a131ad747 Change RC5_32_set_key to return an int type
If the key is too long we now return an error.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8834)
2019-07-01 10:18:37 +01:00
Antoine Cœur
68756b12f5 Fix Typos
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9275)
2019-07-01 10:09:22 +02:00
Paul Yang
bc42bd6298
Support SM2 certificate signing
SM2 certificate signing request can be created and signed by OpenSSL
now, both in library and apps.

Documentation and test cases are added.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9085)
2019-06-28 18:58:19 +08:00
Pauli
2d905f6715 Print thread IDs nicely.
Remove the union that effectively cast thread IDs to long integers before
display and instead print a hex dump of the entire object.

Refer #9191

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9194)
2019-06-21 08:29:44 +10:00
Richard Levitte
ba4341316c test/testutil/init.c, apps/openssl.c: add trace cleanup handle earlier
It turned out that the internal trace cleanup handler was added too
late, so it would be executed before OPENSSL_cleanup().
This results in address errors, as the trace code that's executed in
OPENSSL_cleanup() itself tries to reach for data that's been freed at
that point.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9196)
2019-06-20 18:19:06 +02:00
Richard Levitte
989b2ad786 Move uplink file information to build.info files
This file information was hidden in config target files, when they
should really be part of build.info like any other file we build
from.  With build.info variables, the task became much easier.

We take the opportunity to move apps_init_src and apps_aux_src to
apps/build.info as well, and to clean up apps/build.info.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9166)
2019-06-17 16:08:52 +02:00
Tomas Mraz
a6dfa18820 ts: Use sha256 as default digest for TS query
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7900)
2019-06-12 11:45:57 +02:00
Shane Lontis
53f5469604 Fix app opt compile failure due to missing <inttypes.h>
opt.c uses functions that are only available if inttypes.h exists.
It now checks a define which is unavailable if
inttypes.h is included. The include is done automagically inside e_os2.h.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8986)
2019-06-11 21:27:55 +10:00
Shane Lontis
ad14e8e508 Coverity fixes
covID 1445689 Resource leak (in error path)
covID 1445318 Resource leak (in test - minor)
covID 1443705 Unchecked return value (Needed if CRYPTO_atomic_add() was used)
covID 1443691 Resource leak (in app - minor)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9071)
2019-06-06 09:34:17 +10:00
FdaSilvaYY
8c89c80a55 CAdES: Fix SignerInfo attribute construction order.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8117)
2019-05-29 11:14:46 +10:00
Daniël van Eeden
7817e74dc8 Use fixed length for formatting standard cipher names
Example with patch:
```
$ openssl ciphers -stdname 'TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305'
TLS_AES_256_GCM_SHA384                        - TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256                  - TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256                        - TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128) Mac=AEAD
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
```

Example without patch:
```
$ openssl ciphers -stdname 'TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305'
TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 - TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
```

CLA: Trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8999)
2019-05-27 07:22:45 +10:00
Bernd Edlinger
5d238a1032 Fix a crash in the speed command with wrap ciphers
e.g. openssl speed -evp id-aes256-wrap-pad
was crashing because the return code from EVP_CipherInit_ex
was ignored.
Not going to allow that cipher mode because wrap ciphers
produces more bytes output than the input length
and EVP_Update_loop is not really prepared for that.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8739)
2019-05-23 16:12:27 +02:00
Pauli
bddf965d29 Avoid trailing space in "openssl version -o".
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8963)
2019-05-23 10:28:02 +10:00
Pauli
1dea43c3d3 Always show application and library versions in "openssl version".
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8963)
2019-05-23 10:28:02 +10:00
Lorinczy Zsigmond
c3be39f2e4 Squashed commit of the following:
Add new option '-http_server_binmode' which allows the server to open and send
binary files as well as text.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8811)
2019-05-09 09:16:19 +10:00
Pauli
0dc6bf3c39 Coverity CID 1444950: Control flow issues
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8888)
2019-05-08 09:52:58 +10:00
Klotz, Tobias
61783db5b5 Use vxRandLib for VxWorks7
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/8023)
2019-05-02 23:32:44 +02:00
Dr. Matthias St. Pierre
42151b8edb openssl cms: add error message if operation option is missing
If the `openssl cms` command is called without specifying an
operation option, it replies with the following laconic error message:

    cms: Use -help for summary.

This commit adds a helpful error message:

    No operation option (-encrypt|-decrypt|-sign|-verify|...) specified.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8861)
2019-05-02 23:05:38 +02:00
Philip Prindeville
b6a07f6760 gendsa: dsaparam: introduce -verbose option to enable output
Other commands like 'req' support -verbose, so why not gendsa and dsaparam?

Part of a larger and more ambitious effort to add -verbose to all apps
that might be used in scripts and need to otherwise run silently (well,
without belching out anything that isn't a warning or error... which ties
into a later scrub of using STDOUT were appropriate for informative
messages instead of STDERR)... so that scripts also have the option of
doing >/dev/null without losing anything critical.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6908)
2019-05-01 16:41:49 +10:00
Philip Prindeville
c43fa566ea genrsa: introduce -verbose option to enable output
Other commands like 'req' support -verbose, so why not genrsa?

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6897)
2019-05-01 16:02:56 +10:00
Shane Lontis
c54492ecf8 Added app for EVP_KDF
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8762)
2019-04-24 11:56:47 +02:00
Richard Levitte
0109e030db Add a way for the application to get OpenSSL configuration data
OpenSSL_version(OPENSSL_DIR) gives you a nicely formatted string for
display, but if all you really want is the directory itself, you were
forced to parsed the string.

This introduces a new function to get diverse configuration data from
the library, OPENSSL_info().  This works the same way as
OpenSSL_version(), but has its own series of types, currently
including:

OPENSSL_INFO_CONFIG_DIR         returns OPENSSLDIR
OPENSSL_INFO_ENGINES_DIR        returns ENGINESDIR
OPENSSL_INFO_MODULES_DIR        returns MODULESDIR
OPENSSL_INFO_DSO_EXTENSION      returns DSO_EXTENSION

OPENSSL_INFO_DIR_FILENAME_SEPARATOR     returns directory/filename separator
OPENSSL_INFO_LIST_SEPARATOR             returns list separator

For scripting purposes, this also adds the command 'openssl info'.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8709)
2019-04-23 15:51:39 +02:00
Richard Levitte
47ca833835 Add the possibility to display and use MODULESDIR
This adds the flag OPENSSL_MODULES_DIR for OpenSSL_version(), and the
flag '-m' for 'openssl version'.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8709)
2019-04-23 15:50:35 +02:00
Richard Levitte
4f29f3a29b asn1parse: avoid double free
|str| was used for multiple conflicting purposes.  When using
'-strictpem', it's used to uniquely hold a reference to the loaded
payload.  However, when using '-strparse', |str| was re-used to hold
the position from where to start parsing.

So when '-strparse' and '-strictpem' are were together, |str| ended up
pointing into data pointed at by |at|, and was yet being freed, with
the result that the payload it held a reference to became a memory
leak, and there was a double free conflict when both |str| and |at|
were being freed.

The situation is resolved by always having |buf| hold the pointer to
the file data, and always and only use |str| to hold the position to
start parsing from.  Now, we only need to free |buf| properly and not
|str|.

Fixes #8752

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8753)
2019-04-18 19:20:55 +02:00
Matt Caswell
fd367b4ce3 Deprecate AES_ige_encrypt() and AES_bi_ige_encrypt()
These undocumented functions were never integrated into the EVP layer
and implement the AES Infinite Garble Extension (IGE) mode and AES
Bi-directional IGE mode. These modes were never formally standardised
and usage of these functions is believed to be very small. In particular
AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only
one is ever used. The security implications are believed to be minimal,
but this issue was never fixed for backwards compatibility reasons.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8710)
2019-04-12 14:22:41 +01:00
Bernd Edlinger
9bba2c4c97 Add CMAC speed measurements
usage: openssl speed -cmac aes128

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8721)
2019-04-12 13:52:43 +02:00
Shane Lontis
8402cd5f75 added code to validate EC named curve parameters
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8555)
2019-04-11 12:05:38 +03:00
Jakub Wilk
ee215c7eea Fix typos
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8714)
2019-04-10 12:00:20 +02:00
Paul Yang
ccf453610f Make X509_set_sm2_id consistent with other setters
This commit makes the X509_set_sm2_id to 'set0' behaviour, which means
the memory management is passed to X509 and user doesn't need to free
the sm2_id parameter later. API name also changes to X509_set0_sm2_id.

Document and test case are also updated.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8626)
2019-04-09 20:44:42 +08:00