Commit graph

661 commits

Author SHA1 Message Date
Kurt Roeckx
68436f0a89 Stop accepting certificates signed using SHA1 at security level 1
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
GH: #10786
(cherry picked from commit b744f915ca8bb37631909728dd2529289bda8438)
2020-02-05 22:07:38 +01:00
Kurt Roeckx
cc7c6eb813 Check that the default signature type is allowed
TLS < 1.2 has fixed signature algorithms: MD5+SHA1 for RSA and SHA1 for the
others. TLS 1.2 sends a list of supported ciphers, but allows not sending
it in which case SHA1 is used. TLS 1.3 makes sending the list mandatory.

When we didn't receive a list from the client, we always used the
defaults without checking that they are allowed by the configuration.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #10784
(cherry picked from commit b0031e5dc2c8c99a6c04bc7625aa00d3d20a59a5)
2020-01-25 14:12:10 +01:00
Patrick Steuer
a13dddea6b Allow specifying the tag after AAD in CCM mode (2)
In addition to 67c81ec3 which introduced this behavior in CCM mode
docs but only implemented it for AES-CCM.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10331)

(cherry picked from commit f7382fbbd846dd3bdea6b8c03b6af22faf0ab94f)

Conflicts:
	test/recipes/30-test_evp_data/evpciph.txt
2019-11-20 11:07:07 +01:00
Nicola Tuveri
bd2931bf45 Add more tests for apps/req
https://github.com/openssl/openssl/issues/10224#issuecomment-546593113
highlighted that existing testing infrastructure is not covering common
usage patterns of the `req` app.

This commit explicitly adds request generations thorugh the CLI using
RSA, DSA and ECDSA (P-256) keys.

(cherry picked from commit b2a7310af0dd190712bae2e462a7708483dd4628)

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10369)
2019-11-13 17:20:14 +02:00
Cesar Pereida Garcia
aa20a9b3e0 Add GCD testing infrastructure.
This commit adds testing and Known Answer Tests (KATs) to OpenSSL for
the `BN_gcd` function.

(cherry picked from commit b75d6310857bc44ef2851bde68a1979c18bb4807)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10122)
2019-10-17 14:31:52 +03:00
Matt Caswell
1cb7eff45b Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9847)
2019-09-10 13:56:40 +01:00
Matt Caswell
6f34a16ea9 Teach TLSProxy how to parse CertificateRequest messages
We also use this in test_tls13messages to check that the extensions we
expect to see in a CertificateRequest are there.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9780)

(cherry picked from commit dc5bcb88d819de55eb37460c122e02fec91c6d86)
2019-09-06 10:12:51 +01:00
Matt Caswell
57a3af94a7 Extend tests of SSL_check_chain()
Actually supply a chain and then test:
1) A successful check of both the ee and chain certs
2) A failure to check the ee cert
3) A failure to check a chain cert

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9443)
2019-08-14 11:09:16 +01:00
Pauli
58ae5a47da Excise AES-XTS FIPS check.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9255)
2019-06-25 03:37:17 +10:00
Pauli
2a5f63c9a6 Allow AES XTS decryption using duplicate keys.
This feature is enabled by default outside of FIPS builds
which ban such actions completely.

Encryption is always disallowed and will generate an error.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9112)

(cherry picked from commit 2c840201e5)
2019-06-24 17:58:57 +10:00
Shane Lontis
d63d841fb5 Add the content type attribute to additional CMS signerinfo.
Fixes #8923

Found using the openssl cms -resign option.
This uses an alternate path to do the signing which was not adding the required signed attribute
content type. The content type attribute should always exist since it is required is there are
any signed attributes.
As the signing time attribute is always added in code, the content type attribute is also required.
The CMS_si_check_attributes() method adds validity checks for signed and unsigned attributes
e.g. The message digest attribute is a signed attribute that must exist if any signed attributes
exist, it cannot be an unsigned attribute and there must only be one instance containing a single
value.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8944)

(cherry picked from commit 19e512a824)
2019-06-03 15:25:10 +10:00
Richard Levitte
35fd99538a Update copyright year
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9034)
2019-05-28 14:49:38 +02:00
Matt Caswell
9fc194321e Add the NIST CAVS test vectors for CCM
This imports all of the NIST CAVS test vectors for CCM (SP800-38C) and
coverts them for use within evp_test. This commit also adds a script to
convert the .rsp CAVS files into the evp_test format.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8981)

(cherry picked from commit ecb0f148a9)
2019-05-23 10:55:42 +01:00
Tobias Nießen
b48e3be947 Allow specifying the tag after AAD in CCM mode
This change allows to pass the authentication tag after specifying
the AAD in CCM mode. This is already true for the other two supported
AEAD modes (GCM and OCB) and it seems appropriate to match the
behavior.

GCM and OCB also support to set the tag at any point before the call
to `EVP_*Final`, but this won't work for CCM due to a restriction
imposed by section 2.6 of RFC3610: The tag must be set before
actually decrypting data.

This commit also adds a test case for setting the tag after supplying
plaintext length and AAD.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7243)

(cherry picked from commit 67c81ec311)
2019-05-08 11:02:42 +01:00
Dr. Matthias St. Pierre
49142bcb18 Test: use keywords instead of magic numbers for 'rsa_pss_saltlen'
Since commit 137096a7ea it is possible to specify keywords instead
of negative magic numbers for the salt length. This commit replaces
the remaining occurrences of `rsa_pss_saltlen:-3` in the test recipes
by `rsa_pss_saltlen:max`.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8860)

(cherry picked from commit 31fc48ddc3)
2019-05-02 23:02:47 +02:00
Matt Caswell
af0bab3227 Add some more test vectors for ChaCha20
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8780)

(cherry picked from commit a595b10d34)
2019-04-19 09:42:31 +01:00
Bernd Edlinger
d8ceb24607 Avoid creating invalid rsa pss params
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8621)

(cherry picked from commit 491360e7ab)
2019-04-10 20:24:57 +02:00
Matt Caswell
66ed53c848 Don't allow SHAKE128/SHAKE256 with HMAC
See discussion in github issue #8563

Fixes #8563

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8585)
2019-03-27 14:37:22 +00:00
Matt Caswell
e7a621d57b Fix a memory leak in ARIA GCM
Fixes #8567

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8586)

(cherry picked from commit 183f52e29a)
2019-03-27 10:31:05 +00:00
Matt Caswell
9b10d1bf77 Test an overlong ChaCha20-Poly1305 nonce
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8406)

(cherry picked from commit a4f0b50eaf)
2019-03-06 13:30:39 +00:00
Matt Caswell
72a7a7021f Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8347)
2019-02-26 14:05:09 +00:00
Richard Levitte
a2854abe54 Disable 02-test_errstr.t on msys/mingw as well as MSWin32
There is too high a risk that perl and OpenSSL are linked with
different C RTLs, and thereby get different messages for even the most
mundane error numbers.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8343)

(cherry picked from commit 565a19eef3)
2019-02-26 10:44:23 +00:00
Richard Levitte
f30022cd58 VMS: disable the shlibload test for now
test/shlibloadtest.c needs added code for VMS shared libraries

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8342)
2019-02-26 10:02:45 +00:00
Billy Brumley
d11e4bcddd [test] unit test for field_inv function pointer in EC_METHOD
(cherry picked from commit 8f58ede095)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8262)
2019-02-20 19:55:15 +02:00
Matt Caswell
15c1e0a7cb Add a test for interleaving app data with handshake data in TLSv1.3
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/8191)

(cherry picked from commit 73e62d40eb)
2019-02-19 09:37:29 +00:00
Richard Levitte
0e1b0e510d test/recipes/02-err_errstr: skip errors that may not be loaded on Windows
Fixes #8091

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8094)
2019-02-11 16:29:23 +01:00
Tomas Mraz
95f59d398c Allow the syntax of the .include directive to optionally have '='
If the old openssl versions not supporting the .include directive
load a config file with it, they will bail out with error.

This change allows using the .include = <filename> syntax which
is interpreted as variable assignment by the old openssl
config file parser.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8141)

(cherry picked from commit 9d5560331d)
2019-02-11 15:25:00 +01:00
Michael Tuexen
243ff51cc6 Fix end-point shared secret for DTLS/SCTP
When computing the end-point shared secret, don't take the
terminating NULL character into account.
Please note that this fix breaks interoperability with older
versions of OpenSSL, which are not fixed.

Fixes #7956

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7957)

(cherry picked from commit 09d62b336d)
2019-02-01 12:03:43 +00:00
Matt Caswell
a6d6d64570 Fix no-dso builds
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8111)

(cherry picked from commit 522b11e969)
2019-01-30 15:30:56 +00:00
Corey Minyard
492f70645c Fix a memory leak in the mem bio
If you use a BIO and set up your own buffer that is not freed, the
memory bio will leak the BIO_BUF_MEM object it allocates.

The trouble is that the BIO_BUF_MEM is allocated and kept around,
but it is not freed if BIO_NOCLOSE is set.

The freeing of BIO_BUF_MEM was fairly confusing, simplify things
so mem_buf_free only frees the memory buffer and free the BIO_BUF_MEM
in mem_free(), where it should be done.

Alse add a test for a leak in the memory bio
Setting a memory buffer caused a leak.

Signed-off-by: Corey Minyard <minyard@acm.org>

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8051)

(cherry picked from commit c6048af23c)
2019-01-21 17:50:04 +10:00
Matt Caswell
d3b574fee1 Add a test for correct handling of the cryptopro bug extension
This was complicated by the fact that we were using this extension for our
duplicate extension handling tests. In order to add tests for cryptopro
bug the duplicate extension handling tests needed to change first.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7984)

(cherry picked from commit 9effc496ad)
2019-01-07 09:43:28 +00:00
Matt Caswell
980f7419cb Fix no-cmac
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7979)

(cherry picked from commit 87bbbfb1e4)
2019-01-06 10:01:55 +00:00
Matt Caswell
f5f3dfd5ef Test atexit handlers
Test that atexit handlers get called properly at process exit, unless we
have explicitly asked for them not to be.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7983)
2019-01-04 20:23:16 +00:00
Bernd Edlinger
c25ae0fff7 Fix cert with rsa instead of rsaEncryption as public key algorithm
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7962)

(cherry picked from commit 1f483a69bc)
2018-12-31 09:51:04 +01:00
Matt Caswell
0643ffdecb Add an Ed448 malleability test
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7748)

(cherry picked from commit 6de98b4fb6)
2018-12-11 11:58:40 +00:00
Matt Caswell
cc4e37f1e4 Add an Ed25519 signature maleability test
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7697)

(cherry picked from commit e65a79d2aa)
2018-12-03 14:25:20 +00:00
Richard Levitte
89cb61de2a Don't test the collected system errors when configured to not have them
Config options 'no-err' and 'no-autoerrinit'

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7711)

(cherry picked from commit f1d49ed947)
2018-11-27 09:03:59 +00:00
Richard Levitte
ca554c02df Avoid test_errstr in a cross compiled configuration
There's too high a chance that the openssl app and perl get different
messages for some error numbers.

[extended tests]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7699)

(cherry picked from commit 0777de15ff)
2018-11-24 18:49:23 +01:00
Richard Levitte
a9334a490d Add an error message test recipes for system error messages
This ensures we collected them properly and and as completely as can
be tested safely.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7681)

(cherry picked from commit 4b801fdcf4)
2018-11-23 12:35:54 +01:00
Matt Caswell
7c6d372aff Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7669)
2018-11-20 13:27:36 +00:00
Matt Caswell
eaa32f3679 Fix no-ec and no-tls1_2
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7620)

(cherry picked from commit 65d2c16cbe)
2018-11-14 11:33:24 +00:00
Richard Levitte
86736316b7 Fix rpath-related Linux "test_shlibload" failure.
When libssl and libcrypto are compiled on Linux with "-rpath", but
not "--enable-new-dtags", the RPATH takes precedence over
LD_LIBRARY_PATH, and we end up running with the wrong libraries.
This is resolved by using full (or at least relative, rather than
just the filename to be found on LD_LIBRARY_PATH) paths to the
shared objects.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7626)

(cherry picked from commit 1828939974)
2018-11-14 00:42:57 +01:00
Richard Levitte
61e78e7ace Fix SipHash init order.
Setting the SipHash hash size and setting its key is done with two
independent functions...  and yet, the internals depend on both.

Unfortunately, the function to change the size wasn't adapted for the
possibility that the key was set first, with a different hash size.

This changes the hash setting function to fix the internal values
(which is easy, fortunately) according to the hash size.

evpmac.txt value for digestsize:8 is also corrected.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7613)

(cherry picked from commit 425036130d)
2018-11-12 07:16:58 +01:00
Tomas Mraz
e37b7014f3 Unbreak SECLEVEL 3 regression causing it to not accept any ciphers.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #7391
(cherry picked from commit 75b68c9e4e)
2018-11-10 21:30:27 +01:00
Dr. Matthias St. Pierre
cdf33504ef Test: enable internal tests for shared Windows builds
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7462)

(cherry picked from commit 1901516a4b)
2018-11-08 16:32:35 +01:00
Richard Levitte
d308458ef1 test/evp_test.c: don't misuse pkey_test_ctrl() in mac_test_run()
pkey_test_ctrl() was designed for parsing values, not for using in
test runs.  Relying on its returned value when it returned 1 even for
control errors made it particularly useless for mac_test_run().

Here, it gets replaced with a MAC specific control function, that
parses values the same way but is designed for use in a _run() rather
than a _parse() function.

This uncovers a SipHash test with an invalid control that wasn't
caught properly.  After all, that stanza is supposed to test that
invalid control values do generate an error.  Now we catch that.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7500)

(cherry picked from commit ce5d64c79c)
2018-10-29 17:32:27 +01:00
Matt Caswell
1212818eb0 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7176)
2018-09-11 13:45:17 +01:00
Richard Levitte
c2278c8bc4 TESTS: add test of decoding of invalid zero length ASN.1 INTEGER zero
Confirms #7134

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7153)
2018-09-09 03:35:26 +02:00
Richard Levitte
2725232132 TESTS: add SipHash tests with digestsize controls
Confirms #7143

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7154)
2018-09-09 01:47:56 +02:00
Matt Caswell
f01344cb5c Do not reset SNI data in SSL_do_handshake()
PR #3783 introduce coded to reset the server side SNI state in
SSL_do_handshake() to ensure any erroneous config time SNI changes are
cleared. Unfortunately SSL_do_handshake() can be called mid-handshake
multiple times so this is the wrong place to do this and can mean that
any SNI data is cleared later on in the handshake too.

Therefore move the code to a more appropriate place.

Fixes #7014

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/7149)
2018-09-07 18:24:59 +01:00