Commit graph

2468 commits

Author SHA1 Message Date
Paul Yang
ccf453610f Make X509_set_sm2_id consistent with other setters
This commit makes the X509_set_sm2_id to 'set0' behaviour, which means
the memory management is passed to X509 and user doesn't need to free
the sm2_id parameter later. API name also changes to X509_set0_sm2_id.

Document and test case are also updated.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8626)
2019-04-09 20:44:42 +08:00
Richard Levitte
f55ed701a4 Params API: {utf8,octet}_ptr need to know the data size
When the purpose is to pass parameters to a setter function, that
setter function needs to know the size of the data passed.  This
remains true for the pointer data types as well.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8703)
2019-04-09 14:10:23 +02:00
Matt Caswell
dc46e3dde5 Use the right NID when putting a method in the store
When we attempt to fetch a method with a given NID we will ask the
providers for it if we don't already know about it. During that process
we may be told about other methods with a different NID. We need to
make sure we don't confuse the two.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8541)
2019-04-09 10:24:43 +01:00
Richard Levitte
195852fefc Params: add OSSL_PARAM_construct_end()
OSSL_PARAM_END is a macro that can only be used to initialize an
OSSL_PARAM array, not to assign an array element later on.  For
completion, we add an end constructor to facilitate that kind of
assignment.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8704)
2019-04-09 11:18:26 +02:00
Richard Levitte
de3955f662 EVP configuration section: add 'default_properties' command
The value of the 'default_properties' command is simply passed to
EVP_set_default_properties().

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8681)
2019-04-05 15:43:37 +02:00
Richard Levitte
cb92964563 EVP_set_default_properties(): New function to set global properties
EVP_MD_fetch() can be given a property query string.  However, there
are cases when it won't, for example in implicit fetches.  Therefore,
we also need a way to set a global property query string to be used in
all subsequent fetches.  This also applies to all future algorithm
fetching functions.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8681)
2019-04-05 15:43:37 +02:00
Dr. Matthias St. Pierre
ecbfaef2aa trace: add PROVIDER_CONF trace category
Fixes #8667

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8672)
2019-04-04 18:35:22 +02:00
Matt Caswell
69539990a8 Correct the documentation about SSL_CIPHER_description()
There are some ciphersuites that were introduced in TLSv1.0/TLSv1.1 but
are backwards compatible with SSLv3.

Fixes #8655

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8658)
2019-04-04 16:57:00 +01:00
Todd Short
0770c88215 Modify OCSP to use alt MD for cert IDs in responses
Modify openssl OCSP utility to produce certIDs in responses using other
hash algorithms (e.g. SHA256).

Added option -rcid for this purpose.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5274)
2019-04-03 15:56:45 +01:00
Matt Caswell
b7c913c820 Ensure EVP_MD_CTX_md returns the EVP_MD originally used
Fixes #8613

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8614)
2019-04-03 15:44:36 +01:00
Richard Levitte
b6670f690c Replumbing: add documentation for the provider configuration module
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8549)
2019-04-03 11:42:48 +02:00
Boris Pismenny
9058d9bcd0 add documentation
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7848)
2019-04-01 11:54:48 +01:00
Pauli
f3448f5481 issue-8493: Fix for filenames with newlines using openssl dgst
The output format now matches coreutils *dgst tools.

[ edited to remove trailing white space ]

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8578)
2019-03-30 11:22:51 +10:00
Paul Yang
7eba43e837 Add documents for SM2 cert verification
This follows #8321 which added the SM2 certificate verification feature.
This commit adds the related docs - the newly added 2 APIs and options
in apps/verify.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8465)
2019-03-30 08:31:25 +09:00
Dr. Matthias St. Pierre
3a8269b319 trace: rename the default trace category from 'ANY' to 'ALL'
It seems more intuitive to set `OPENSSL_TRACE=all` instead of
`OPENSSL_TRACE=any` to obtain trace output for all categories.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8552)
2019-03-30 00:04:37 +01:00
Dr. Matthias St. Pierre
02bd2d7f5c trace: apps/openssl: print the correct category name
Previously, if the openssl application was run with OPENSSL_TRACE=any,
all trace output would just show 'ANY' as the category name, which was
not very useful. To get the correct category name printed in the trace
output, the openssl application now registers separate channels for
each category.

The trace API is unchanged, it is still possible for an application to
register a single channel for the 'ANY' category to see all outputt,
if it does not need this level of detail.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8552)
2019-03-30 00:01:55 +01:00
Richard Levitte
558ea84743 Remove heartbeats completely
Fixes #4856

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1928)
2019-03-29 13:50:59 +01:00
Matt Caswell
cc6d92619f Make OCSP_id_cmp and OCSP_id_issuer_cmp accept const params
Fixes #8589

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8597)
2019-03-28 09:56:05 +00:00
Matt Caswell
48fdeca01d Don't allow SHAKE128/SHAKE256 with HMAC
See discussion in github issue #8563

Fixes #8563

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8584)
2019-03-27 14:32:08 +00:00
Dr. Matthias St. Pierre
fc4e500b03 Fix three identical grammatical errors
Reported by Mak Kolybabi

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8591)
2019-03-27 01:00:57 +01:00
Hubert Kario
29716a03e8 ts(1): digest option is mandatory
not specifying the digest both on command line and in the config file
will lead to response generation aborting with

140617514493760:error:2F098088:time stamp routines:ts_CONF_lookup_fail: \
    cannot find config variable:crypto/ts/ts_conf.c:106:tsr_test::signer_digest

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8421)
2019-03-25 13:36:40 +01:00
Matt Caswell
fdf6c0b6b7 Document the functions EVP_MD_fetch() and EVP_MD_upref()
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8513)
2019-03-21 09:23:38 +00:00
Shane Lontis
138ef774fe Updated doc for BN_clear, BN_CTX_end when param is NULL
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8532)
2019-03-20 10:29:51 +01:00
David von Oheimb
ce9b996409 replace 'OpenSSL license' by 'Apache License 2.0'
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8527)
2019-03-20 10:33:39 +02:00
Richard Levitte
e55008a9f2 Replumbing: add fallback provider capability
To ensure that old applications aren't left without any provider, and
at the same time not forcing any default provider on applications that
know how to deal with them, we device the concept of fallback
providers, which are automatically activated if no other provider is
already activated.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8480)
2019-03-19 14:06:58 +01:00
Matt Caswell
6a6d9ecd1d Update pkeyutl documentation about the digest option
DSA can accept other digests other than SHA1. EC ignores the digest option
altogether.

Fixes #8425

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8432)
2019-03-19 11:40:53 +00:00
Shane Lontis
9537fe5757 Single step kdf implementation
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8230)
2019-03-19 11:03:45 +00:00
Dmitry Belyavskiy
770dfe8dfa EVP_PKEY_get0_engine documentation
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8329)
2019-03-19 10:42:35 +00:00
Pauli
d7b2124a42 Add documentation for the -sigopt option.
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/8520)
2019-03-19 18:25:02 +10:00
Richard Levitte
16bfe6cee0 doc/man3/OSSL_PARAM_TYPE.pod: modify Example 2 to allow unspecified params
A parameter requestor is never obligated to ask for all available
parameters on an object.  Unfortunately, Example 2 showed a code
pattern that introduced such an obligation, and therefore needed a
small adjustment.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8523)
2019-03-19 07:08:47 +01:00
David von Oheimb
529586085e Add -new and -subj options to x509 app for direct cert generation
Complete and improve error output of parse_name() in apps/apps.c

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8193)
2019-03-19 09:35:03 +10:00
Richard Levitte
c13d2ab439 Add generic EVP method fetcher
This is an interface between Core dispatch table fetching and
EVP_{method}_fetch().  All that's needed from the diverse method
fetchers are the functions to create a method structure from a
dispatch table, a function that ups the method reference counter and a
function to free the method (in case of failure).

This routine is internal to the EVP API andis therefore only made
accessible within crypto/evp, by including evp_locl.h

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8341)
2019-03-18 14:27:02 +01:00
Richard Levitte
a383083194 Replumbing: better reference counter control in ossl_method_construct()
Fully assume that the method constructors use reference counting.
Otherwise, we may leak memory, or loose track and do a double free.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8341)
2019-03-18 14:27:02 +01:00
Dr. Matthias St. Pierre
c37e635065 trace: update the documentation
This commit adds some missing symbols and other minor enhancements.
In particular, it establishes the term 'channel' as a synonym for
a BIO object attached to a trace category, and introduces the
concept of a 'simple' channel versus a 'callback' channel.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8463)
2019-03-15 08:48:43 +01:00
Matt Caswell
ee633ace73 Enable pkeyutl to use Ed448 and Ed25519
With the recent addition of the -rawin option it should be possible for
pkeyutl to sign and verify with Ed448 and Ed2559. The main remaining
stumbling block is that those algorirthms only support "oneshot" operation.
This commit enables pkeyutl to handle that.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8431)
2019-03-14 12:42:16 +00:00
Dr. Matthias St. Pierre
6bc62a620e Configure: disable new trace api by default
Fixes #8472

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8474)
2019-03-14 10:32:58 +01:00
Richard Levitte
9e11fe0d85 Replumbing: Add constructor of libcrypto internal method structures
This queries the provider for its available functionality (unless a
matching method structured is already cached, in which case that's
used instead), and creates method structure with the help of a passed
constructor.  The result is cached if the provider allows it (or if
caching is forced).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8340)
2019-03-12 20:25:46 +01:00
Richard Levitte
099bd33920 Replumbing: Add support for the provider query_operation function
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8340)
2019-03-12 20:25:46 +01:00
Richard Levitte
85e2417c0d Replumbing: Add an OSSL_PROVIDER iterator with callback
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8340)
2019-03-12 20:25:46 +01:00
Pauli
7ffbd7ca96 OSSL_PARAM helper functions.
Provide a number of functions to allow parameters to be set and
retrieved in a type safe manner.  Functions are provided for many
integral types plus double, BIGNUM, UTF8 strings and OCTET strings.

All of the integer functions will widen the parameter data as
required.  This permits a degree of malleability in the parameter
definition.  For example a type can be changed from a thirty two bit
integer to a sixty four bit one without changing application code.
Only four and eight byte integral sizes are supported here.

A pair of real functions are available for doubles.

A pair of functions is available for BIGNUMs.  These accept any sized
unsigned integer input and convert to/from a BIGNUM.

For each OCTET and UTF8 strings, four functions are defined.  This
provide get and set functionality for string and for pointers to
strings.  The latter avoiding copies but have other inherent risks.

Finally, some utility macros and functions are defined to allow
OSSL_PARAM definition arrays to be specified in a simple manner.
There are two macro and one function for most types.  The exception
being BIGNUM, for which there is one macro and one function.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8451)
2019-03-12 19:12:12 +01:00
Richard Levitte
8c4412ed8f Rename 'buffer' to 'data' in OSSL_PARAM
The OSSL_PARAM attribute names |buffer| and |buffer_size| may lead to
confusion, as they may make some think that the memory pointed at is
an intermediate memory are.  This is not generally the case, so we
rename |buffer| and |buffer_size| to |data| and |data_size|

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8451)
2019-03-12 18:56:42 +01:00
David von Oheimb
a61b7f2fa6 2nd chunk: CRMF code (crypto/crmf/, ) and its integration
in INSTALL, Configure, crypto/build.info, include/openssl/crmferr.h,
crypto/err/, include/openssl/err.h, and (to be updated:) util/libcrypto.num

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7646)
2019-03-12 12:26:06 +00:00
David von Oheimb
2a3b52eacd Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712)

CMP and CRMF API is added to libcrypto, and the "cmp" app to the openssl CLI.
Adds extensive man pages and tests.  Integration into build scripts.

Incremental pull request based on OpenSSL commit 1362190b1b of 2018-09-26

1st chunk: CRMF API (include/openssl/crmf.h) and its documentation (reviewed)

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7328)
2019-03-12 12:22:59 +00:00
Richard Levitte
c453283421 Add documentation
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8287)
2019-03-11 20:40:13 +01:00
Shane Lontis
4d768e966f openssl app for macs that uses the new EVP_MAC interface (the code inside dgst uses EVP_PKEY)
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7661)
2019-03-11 12:44:56 +00:00
A. Schulze
3dcbb6c4a3 Fix two spelling errors
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8447)
2019-03-10 20:59:42 +01:00
Tomas Mraz
ebb7823e14 Print all loaded engines with openssl list -engines
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8434)
2019-03-09 00:32:04 +01:00
Bernd Edlinger
f0e4a860d0 Update documentation of RSA_padding_check_PKCS1_OAEP_mgf1
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8365)
2019-03-07 22:45:55 +01:00
Bernd Edlinger
b89fdeb2f7 Update documentation regarding required output buffer memory size
of RSA_private_decrypt/RSA_public_encrypt.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8365)
2019-03-07 22:45:52 +01:00
David von Oheimb
9fdcc21fdc constify *_dup() and *i2d_*() and related functions as far as possible, introducing DECLARE_ASN1_DUP_FUNCTION
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8029)
2019-03-06 16:10:09 +00:00