Commit graph

23700 commits

Author SHA1 Message Date
Matt Caswell
b926f9deb3 Fix crash in X509_STORE_CTX_get_by_subject
If using a custom X509_LOOKUP_METHOD then calls to
X509_STORE_CTX_get_by_subject may crash due to an incorrectly initialised
X509_OBJECT being passed to the callback get_by_subject function.

Fixes #8673

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8698)
2019-04-09 10:26:44 +01:00
Matt Caswell
d030892312 Add a legacy provider and put MD2 in it
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8541)
2019-04-09 10:24:43 +01:00
Matt Caswell
dc46e3dde5 Use the right NID when putting a method in the store
When we attempt to fetch a method with a given NID we will ask the
providers for it if we don't already know about it. During that process
we may be told about other methods with a different NID. We need to
make sure we don't confuse the two.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8541)
2019-04-09 10:24:43 +01:00
Richard Levitte
68ca1737ce Configurations/10-main.conf: Don't inherit assembler in Cygwin-common
The targets Cygwin-x86 and Cygwin-x86_64 are the ones that should do
this.

Fixes #8684

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8685)
2019-04-09 11:19:26 +02:00
Richard Levitte
195852fefc Params: add OSSL_PARAM_construct_end()
OSSL_PARAM_END is a macro that can only be used to initialize an
OSSL_PARAM array, not to assign an array element later on.  For
completion, we add an end constructor to facilitate that kind of
assignment.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8704)
2019-04-09 11:18:26 +02:00
Shane Lontis
bb315ca716 EC keygen updates + changed ecdsa_sign to use BN_secure_new
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8557)
2019-04-09 03:44:13 +03:00
Shane Lontis
97cc9c9b01 Coverity: hkdf ENV_MD_size() is an int that can be negative
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8692)
2019-04-09 09:02:59 +10:00
Pauli
e9cfa19201 Avoid alignment problems in params API.
Using a byte buffer causes problems for device that don't handle unaligned
reads.  Instead use the properly aligned variable that was already pointed at.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8696)
2019-04-08 14:28:59 +10:00
Dan Campbell
f997e456b9 s_client starttls: fix handling of multiline reply
Fixes #8645

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8654)
2019-04-08 11:02:40 +10:00
Shane Lontis
df09b6b5f9 coverity resource leak fixes in apps/pkeyutl
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8691)
2019-04-08 10:21:22 +10:00
Patrick Steuer
61d7045bd2 fix --strict-warnings build
ISO C90 forbids specifying subobject to initialize

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8693)
2019-04-07 13:48:15 +02:00
Patrick Steuer
aa447d6fdb fix --strict-warnings build
C++ style comments are not allowed in ISO C90

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8693)
2019-04-07 13:30:26 +02:00
FdaSilvaYY
23dc8feba8 Coverity: fix two minor NPD issues.
Found by Coverity.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8274)
2019-04-06 19:16:59 +10:00
Pauli
6ce84e6410 Fix big endian param API tests.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/8629)
2019-04-06 19:15:44 +10:00
Bernd Edlinger
8cf85d4899 Fix the allocation size in EVP_OpenInit and PEM_SignFinal
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8620)
2019-04-06 10:17:19 +02:00
Richard Levitte
de3955f662 EVP configuration section: add 'default_properties' command
The value of the 'default_properties' command is simply passed to
EVP_set_default_properties().

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8681)
2019-04-05 15:43:37 +02:00
Richard Levitte
cb92964563 EVP_set_default_properties(): New function to set global properties
EVP_MD_fetch() can be given a property query string.  However, there
are cases when it won't, for example in implicit fetches.  Therefore,
we also need a way to set a global property query string to be used in
all subsequent fetches.  This also applies to all future algorithm
fetching functions.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8681)
2019-04-05 15:43:37 +02:00
Richard Levitte
bc362b9b72 Convert the ENGINE_CONF trace calls to use CONF instead
Additionally, merge ENGINE_CONF into CONF.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8680)
2019-04-05 12:50:55 +02:00
Richard Levitte
0196ad63d3 Add a bit of tracing in the core conf module runner
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8680)
2019-04-05 12:50:55 +02:00
Richard Levitte
71849dff56 Rename the PROVIDER_CONF trace to CONF
Other configuration modules may have use for tracing, and having one
tracing category for each of them is a bit much.  Instead, we make one
category for them all.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8680)
2019-04-05 12:50:55 +02:00
Richard Levitte
e3af453bac OPENSSL_init_crypto(): check config return code correctly
It was assumed that the config functionality returned a boolean.
However, it may return a negative number on error, so we need to take
that into account.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8679)
2019-04-05 11:32:07 +02:00
Richard Levitte
0f5163bd1c Fix number clash: EVP_F_AESNI_XTS_INIT_KEY vs EVP_F_EVP_MD_BLOCK_SIZE
The three macros EVP_F_AESNI_XTS_INIT_KEY, EVP_F_AES_T4_XTS_INIT_KEY
and EVP_F_AES_XTS_INIT_KEY are affected.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8682)
2019-04-05 11:15:23 +02:00
Pauli
3538b0f7ad Move the AES-XTS mode duplicated key check into the init_key function rather
than the update call.  The means an earlier error return at the cost of some
duplicated code.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8625)
2019-04-05 10:55:40 +10:00
Matt Caswell
0be2cc5eb3 Complain if there are missing symbols when creating a provider .so file
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8537)
2019-04-04 23:09:47 +01:00
Matt Caswell
1576dfe090 Test that we can use the FIPS provider
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8537)
2019-04-04 23:09:47 +01:00
Matt Caswell
e75455173b Add a no-fips Configure option
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8537)
2019-04-04 23:09:47 +01:00
Matt Caswell
9efa0ae0b6 Create a FIPS provider and put SHA256 in it
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8537)
2019-04-04 23:09:47 +01:00
Dr. Matthias St. Pierre
ecbfaef2aa trace: add PROVIDER_CONF trace category
Fixes #8667

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8672)
2019-04-04 18:35:22 +02:00
Matt Caswell
69539990a8 Correct the documentation about SSL_CIPHER_description()
There are some ciphersuites that were introduced in TLSv1.0/TLSv1.1 but
are backwards compatible with SSLv3.

Fixes #8655

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8658)
2019-04-04 16:57:00 +01:00
Matt Caswell
fd3a904636 Skip the correct number of tests if SM2 is disabled
Fixes no-sm2 (and also no-sm3 and no-ec)

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8650)
2019-04-04 16:51:51 +01:00
Richard Levitte
2a2bc6fc12 For provider tests, don't define a OPENSSL_NO_ macro
Since the macro to indicate if the test provider module is available
is local to the test programs, it's better to use a name that isn't
as easily confused with a library feature disabling macro that one
would expect to find in opensslconf.h.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8664)
2019-04-04 13:39:33 +02:00
Richard Levitte
706b6333a6 Document the 'no-module' configuration option
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8665)
2019-04-04 12:56:57 +02:00
Richard Levitte
e321ba28e8 Correct EVP_F_EVP_MD_BLOCK_SIZE number
The number that was used was already taken

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8656)
2019-04-04 01:08:52 +02:00
Tomas Mraz
b8472b4e67 Use AI_ADDRCONFIG hint with getaddrinfo if available.
This prevents failure of openssl s_server socket binding to wildcard
address on hosts with disabled IPv6.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8550)
2019-04-03 22:56:54 +02:00
Todd Short
0770c88215 Modify OCSP to use alt MD for cert IDs in responses
Modify openssl OCSP utility to produce certIDs in responses using other
hash algorithms (e.g. SHA256).

Added option -rcid for this purpose.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5274)
2019-04-03 15:56:45 +01:00
Matt Caswell
64f4fff796 Add a test for EVP_MD_block_size()
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8604)
2019-04-03 15:50:13 +01:00
Matt Caswell
7556b9df59 Support EVP_MD_block_size() with providers
Fixes #8565

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8604)
2019-04-03 15:50:13 +01:00
Matt Caswell
5a2bd6bc66 Add an EVP_MD_CTX_md() test
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8614)
2019-04-03 15:44:36 +01:00
Matt Caswell
b7c913c820 Ensure EVP_MD_CTX_md returns the EVP_MD originally used
Fixes #8613

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8614)
2019-04-03 15:44:36 +01:00
Richard Levitte
e4e91084d6 replaced snprintf with BIO version (for windows builds)
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8651)
2019-04-03 15:44:17 +02:00
Richard Levitte
b6670f690c Replumbing: add documentation for the provider configuration module
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8549)
2019-04-03 11:42:48 +02:00
Richard Levitte
6d872a838d Add test for the provider configuration module
We reuse test/provider_internal_test.c and test/p_test.c,
and get it loaded one more time via the configuration file
test/provider_internal_test.conf

To support different platform standards regarding module
extensions, we generate test/provider_internal_test.conf

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8549)
2019-04-03 11:42:48 +02:00
Richard Levitte
abbc2c4083 Replumbing: add a configuration module for providers
This configuration module supports a configuration structure pretty
much like the engine configuration module, i.e. something like this:

    openssl_conf = openssl_init

    [openssl_init]
    providers = provider_section

    [provider_section]
    # Configure the provider named "foo"
    foo = foo_section
    # Configure the provider named "bar"
    bar = bar_section

    [foo_section]
    # Override name given in the provider section
    identity = myfoo
    # The exact path of the module.  This is platform specific
    module_path = /opt/openssl/modules/foo.so
    # Whether it should be automatically activated.  Value is unimportant
    activate = whatever

    # Anything else goes as well, and becomes parameters that the
    # provider can get
    what = 1
    # sub-sections will be followed as well
    ever = ever_section

    [ever_section]
    cookie = monster

All the configurations in a provider section and its sub-sections
become parameters for the provider to get, i.e. the "foo" provider
will be able to get values for the following keys (with associated
values shown):

    identity            => myfoo
    module_path         => /opt/openssl/modules/foo.so
    activate            => whatever
    what                => 1
    ever.cookie         => monster

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8549)
2019-04-03 11:42:48 +02:00
Richard Levitte
ac1055ef13 Replumbing: add functionality to set provider parameters
Provider parameters are parameters set by the core that the provider
can retrieve.  The primary use it to support making OpenSSL
configuration data available to the provider.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8549)
2019-04-03 11:42:48 +02:00
Pauli
5516c19b03 AES-XTS block limit.
Limit the number of AES blocks in a data unit to 2^20 or less.
This corresponds to the mandates in IEEE Std 1619-2018 and NIST SP 800-38E.

Note: that this is a change from IEEE Std 1619-2007 which only recommended
this limit.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8627)
2019-04-03 16:03:46 +10:00
Richard Levitte
705a27f7e0 Revert "crypto/rand/rand_win.c: include "e_os.h" to get the default _WIN32_WINNT"
I turns out that this made crypto/rand/rand_win.c to never build with
BCrypt support unless the user sets _WIN32_WINNT.  That wasn't the
intent.

This reverts commit cc8926ec8f.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8641)
2019-04-02 14:49:54 +02:00
Dr. Matthias St. Pierre
2621e6405d rand_win.c: loosen version requirements for BCryptGenRandom
BCryptGenRandom() is available for Windows Vista and newer versions, see
https://docs.microsoft.com/en-us/windows/desktop/api/bcrypt/nf-bcrypt-bcryptgenrandom

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8639)
2019-04-02 13:38:34 +02:00
Richard Levitte
cc8926ec8f crypto/rand/rand_win.c: include "e_os.h" to get the default _WIN32_WINNT
This helps decide if the BCrypt API should be used or not.

Fixes #8635

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8638)
2019-04-02 11:14:10 +02:00
Richard Levitte
521b7cb388 Correct the checks of module availability in provider test programs
Previously, the macro OPENSSL_NO_SHARED was defined of the test/p_test
module wasn't built, but the provider test programs didn't check that
macro.  We rename it to OPENSSL_NO_MODULE, since that name describes
the situation more than OPENSSL_NO_SHARED does, and use it.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8623)
2019-04-02 07:30:07 +02:00
Richard Levitte
34786bdee0 Configuration / build: make it possible to disable building of modules
While we're at it, sort out inconsistencies with the build of modules:
- not building shared libraries means not building dynamic engines.
  However, other modules may still be built.
- not having DSO functionality doesn't mean not to build modules (even
  though we can't use them from apps linked with libraries that are
  built this way).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8623)
2019-04-02 07:30:06 +02:00