Commit graph

2019 commits

Author SHA1 Message Date
raja-ashok
84d4b9e31d API to get negotiated key exchange algorithm in TLS1.3
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9323)
2019-08-06 12:04:52 +01:00
Matt Caswell
a9612d6c03 Make the EC code available from inside the FIPS provider
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9380)
2019-08-06 11:19:07 +01:00
Dr. Matthias St. Pierre
afdec13dd9 Add missing accessors for X509 AuthorityKeyIdentifier
Complements commit b383aa2081, which added X509_get0_authority_key_id().

 const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x);
 const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x);      [NEW]
 const ASN1_INTEGER *X509_get0_authority_serial(X509 *x);       [NEW]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9493)
2019-08-01 11:32:12 +02:00
FdaSilvaYY
8c00f267b8 CAdES : lowercase name for now internal methods.
CAdES : rework CAdES signing API.
Make it private, as it is unused outside library bounds.
Fix varous doc-nits.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
2019-07-31 19:14:12 +10:00
Richard Levitte
c361297046 Avoid using ERR_put_error() directly in OpenSSL code
If compiled with 'no-deprecated', ERR_put_error() is undefined.  We
had one spot where we were using it directly, because the file and
line information was passed from elsewhere.

Fortunately, it's possible to use ERR_raise() for that situation, and
call ERR_set_debug() immediately after and thereby override the
information that ERR_raise() stored in the error record.

util/mkerr.pl needed a small adjustment to not generate code that
won't compile in a 'no-deprecated' configuration.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9452)
2019-07-31 06:45:21 +02:00
Richard Levitte
add8c8e964 ERR: Remove ERR_put_func_error() and reimplement ERR_put_error() as a macro
Also, deprecate ERR_put_error()

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9452)
2019-07-31 06:44:45 +02:00
Richard Levitte
ed57f7f935 ERR: Implement the macros ERR_raise() and ERR_raise_data() and use them
The ERR_raise() macro uses a trick in C.  The following is permitted:

    #include <stdio.h>

    void first(void)
    {
        printf("Hello! ");
    }

    void foo(const char *bar)
    {
        printf("%s", bar);
    }

    int main()
    {
        /* This */
        (first(),foo)("cookie");
    }

ERR_raise_data() can be used to implement FUNCerr() as well, which
takes away the need for the special function ERR_put_func_error().

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9452)
2019-07-31 06:43:21 +02:00
Richard Levitte
7c0e20dc6f ERR: Add new building blocks for reporting errors
The new building block are ERR_new(), ERR_set_debug(),
ERR_set_error(), ERR_vset_error(), which allocate a new error record
and set the diverse data in them.  They are designed in such a way
that it's reasonably easy to create macros that use all of them but
then rely completely on the function signature of ERR_set_error() or
ERR_vset_error().

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9452)
2019-07-31 06:42:45 +02:00
Richard Levitte
36f5ec55e6 Add functions to see if a provider is available for use.
Public function OSSL_PROVIDER_available() takes a library context and
a provider name, and returns 1 if it's available for use, i.e. if it's
possible to fetch implementations from it, otherwise 0.

Internal function ossl_provider_activated() returns 1 if the given
OSSL_PROVIDER is activated, otherwise 0.

To make this possible, the activation of fallbacks got refactored out
to a separate function, which ended up simplifying the code.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9398)
2019-07-26 18:14:41 +02:00
Richard Levitte
8b84b075ff Adapt DH to use with KEYMGMT
The biggest part in this was to move the key->param builder from EVP
to the DH ASN.1 method, and to implement the KEYMGMT support in the
provider DH.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9394)
2019-07-23 19:43:09 +02:00
Rich Salz
584410227a Don't complain if function name doesn't match
The "function" argument is now unused in the XXXerr defines, so mkerr
doesn't need to check if the value/name match.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9413)
2019-07-23 10:22:17 +02:00
Richard Levitte
c540f00f38 Add EVP_CIPHER_do_all_ex() and EVP_MD_do_all_ex()
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9356)
2019-07-23 06:34:09 +02:00
Richard Levitte
b37066fdf7 Add OSSL_PROVIDER_name()
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9356)
2019-07-23 06:34:09 +02:00
Richard Levitte
1d2622d4f3 Add EVP_MD_provider() and EVP_CIPHER_provider()
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9356)
2019-07-23 06:34:09 +02:00
Richard Levitte
c750bc0851 Re-implement EVP_MD_name() and EVP_CIPHER_name() as functions
They will do the same as usual for non-provider algorithms
implementations, but can handle provider implementations as well.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9356)
2019-07-23 06:34:09 +02:00
Rich Salz
56c3a135b2 Add ERR_put_func_error, and use it.
Change SYSerr to have the function name; remove SYS_F_xxx defines
Add a test and documentation.
Use get_last_socket_err, which removes some ifdef's in OpenSSL code.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9072)
2019-07-22 16:24:56 +02:00
Dr. Matthias St. Pierre
a8f1aabd4b x509: publish X509_PUBKEY_dup
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9353)
2019-07-22 07:34:30 +02:00
Richard Levitte
a94a3e0d91 Add basic EVP_KEYMGMT API and libcrypto <-> provider interface
The idea with the key management "operation" is to support the
following set of functionality:

- Key domain parameter generation
- Key domain parameter import
- Key domain parameter export

- Key generation
- Key import
- Key export
- Key loading (HSM / hidden key support)

With that set of function, we can support handling domain parameters
on one provider, key handling on another, and key usage on a third,
with transparent export / import of applicable data.  Of course, if a
provider doesn't offer export / import functionality, then all
operations surrounding a key must be performed with the same
provider.

This method also avoids having to do anything special with legacy
assignment of libcrypto key structures, i.e. EVP_PKEY_assign_RSA().
They will simply be used as keys to be exported from whenever they are
used with provider based operations.

This change only adds the EVP_KEYMGMT API and the libcrypto <->
provider interface.  Further changes will integrate them into existing
libcrypto functionality.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9312)
2019-07-22 06:17:38 +02:00
Richard Levitte
f6800e37b7 util/find-doc-nits: fixups
- Treat .pod.in files as well, and parse out the base name for those
  too.
- Correct the detection of the description part in the NAME section
  (the separating dash MUST be preceeded with a space)
- Allow slahes in names of the NAME section (convert them to dashes
  for file name comparison).  This allows manual pages for some of our
  header files, such as openssl/core.h.
- Properly detect repeated names in the NAME section.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9407)
2019-07-19 20:16:30 +02:00
Rich Salz
e7aa7c11c7 Deprecated {OPENSSL,CRYPTO}_debug_mem_{push,pop}
They were only used for recursive ASN1 parsing.
Even if the internal memory-debugging facility remains,
this simplification seems worthwhile.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9342)
2019-07-17 14:48:06 +02:00
Matt Caswell
35aca9eccb Add the ability to set PKCS#3 DH padding in providers
This also adds the ability to set arbitrary parameters on key exchange
algorithms. The ability to pad the output is one such parameter for DH.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9266)
2019-07-16 10:16:32 +01:00
Matt Caswell
ff64702b3d Make the EVP Key Exchange code provider aware
We introduce a new EVP_KEYEXCH type to represent key exchange algorithms
and refactor the existing code to use it where available.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9266)
2019-07-16 10:16:32 +01:00
Rich Salz
aac96e2797 Remove function name from errors
Deprecate all xxx_F_ defines.
Removed some places that tested for a specific function.
Use empty field for the function names in output.
Update documentation.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9058)
2019-07-16 05:26:28 +02:00
Richard Levitte
d5fdb6a695 util/opensslwrap.sh: adjust to define OPENSSL_MODULES as well
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9379)
2019-07-15 16:14:35 +02:00
Matt Caswell
2934be9134 Make sure all BIGNUM operations work within the FIPS provider
The FIPS provider does not have a default OPENSSL_CTX so, where
necessary, we need to ensure we can always access an explicit
OPENSSL_CTX. We remove functions from the FIPS provider that use
the default OPENSSL_CTX, and fixup some places which were using
those removed functions.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9310)
2019-07-15 11:03:44 +01:00
Martin Peylo
7a2027240e Adding Test.pm with workaround for Perl abs2rel bug
If SRCTOP != BLDTOP, and SRCTOP is given in relative form, e.g.
"./config ../openssl", then a bug in Perl's abs2rel may trigger that directory-
rewriting in __cwd results in wrong entries in %directories under certain
circumstances, e.g. when a test executes run(app(["openssl"]) after indir.

There should not be any need to go to a higher directory from BLDDIR or SRCDIR,
so it should be OK to use them in their absolute form, also resolving all
possible symlinks, right from the start.

Following the File::Spec::Functions bug description (reported to perl.org):

When abs2rel gets a path argument with ..s that are crossing over the ..s
trailing the base argument, the result is wrong.

Example
PATH: /home/goal/test/..
BASE: /home/goal/test/../../base
Good result: ../goal
Bad  result: ../..

Bug verified with File::Spec versions
- 3.6301
- 3.74 (latest)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7031)
2019-07-02 20:10:57 +02:00
Matt Caswell
ee1d4f3db4 Make BIGNUM rand functions available within the FIPS module
The BIGNUM rand functions were previously disabled for the FIPS module.
We can now re-enable them.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9193)
2019-07-02 16:49:18 +01:00
Antoine Cœur
c2969ff6e7 Fix Typos
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9288)
2019-07-02 14:22:29 +02:00
Rich Salz
211da00b79 Remove EXPORT_VAR_AS_FUNC
We only export functions, not global, so remove the config option
and some of the #ifdef stuff.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9285)
2019-07-01 20:13:03 -04:00
Rich Salz
66e2dbc01c Remove global-var/function macros
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9284)
2019-07-01 19:42:12 -04:00
Rich Salz
b66a481888 Remove DES_check_key global
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9284)
2019-07-01 19:42:12 -04:00
Paul Yang
bc42bd6298
Support SM2 certificate signing
SM2 certificate signing request can be created and signed by OpenSSL
now, both in library and apps.

Documentation and test cases are added.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9085)
2019-06-28 18:58:19 +08:00
Matt Caswell
0da1d43a94 Document EVP_CIPHER_up_ref()
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9233)
2019-06-28 10:02:09 +01:00
Matt Caswell
70c35fd1f6 Rename EVP_MD_upref/EVP_CIPHER_upref to EVP_MD_up_ref/EVP_CIPHER_up_ref
All the other upref functions are spelled as "up_ref". These new functions
should be consistent.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9233)
2019-06-28 10:02:09 +01:00
Matt Caswell
42738cdeaa Add documentation for EVP_CIPHER_fetch
We extend the EVP_MD_fetch documentation to be more generic and to also
cover EVP_CIPHER_fetch. We expect this to be further expanded with other
"fetch" functions in the future.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9233)
2019-06-28 10:02:09 +01:00
Matt Caswell
743694a6c2 Move the public SIV mode functions from public headers to internal ones
SIV mode is accessible via EVP. There should be no reason to make the low
level SIV functions from the modes directory part of the public API. Since
these functions do not exist in 1.1.1 we are still able to make this change.

This also reduces the list of newly added undocumented symbols from
issue #9095.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9232)
2019-06-27 09:47:23 +01:00
Pauli
4e7991b497 Change OSSL_PARAM return size to not be a pointer.
Instead of referencing the return size from the OSSL_PARAM structure, make the
size a field within the structure.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9135)
2019-06-24 14:43:55 +10:00
Pauli
0ccff7a7ea Add documentation for CRYPTO_memcmp.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9225)
2019-06-24 10:19:04 +10:00
Pauli
32ee452496 Remove OPENSSL_memcmp.
After avoiding OPENSSL_memcmp for EC curve comparison, there are no remaining
uses in the source code.  The function is only defined in an internal header
and thus should be safe to remove for 3.0.0.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9207)
2019-06-21 10:03:55 +10:00
Matt Caswell
52b18ce104 Add the function OPENSSL_thread_stop_ex()
This adds the ability to clean up a thread on a per OPENSSL_CTX basis.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9040)
2019-06-17 16:19:44 +01:00
Pauli
1313e37ab9 Better document specific OSSL_PARAM symbols.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9114)
2019-06-17 11:34:09 +10:00
Matt Caswell
a03749a8f1 Enable find-doc-nits to find undocumented symbols since 1.1.1
A previous commit added the ability to find newly undocumented symbols.
We extend this capability to check anything that was newly added since
1.1.1 which is undocumented. A new option -o is added to find-doc-nits
to amend the behaviour of -v or -e to check symbols that were newly
added since the release of 1.1.1.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9094)
2019-06-12 10:12:24 +01:00
Matt Caswell
b5283535d5 Make find-doc-nits check for newly added undocumented symbols
We create lists of undocumented functions and macros as they are now so
that find-doc-nits can check for newly introduced functions/macros that
are undocumented.

This works in a similar way to the -u and -d options to find-doc-nits.
These count undocumented symbols and print a detailed list of undocumented
symbols repsectively. This commit adds the -v and -e options to restrict
the count/detailed list to newly added undocumented symbols only.

There is also a new -s option that does the same as -e except that it
produces no output if there are no newly undocumented symbols.

We also amend "make doc-nits" to add the -s option which should cause
travis to fail if a PR adds undocumented symbols.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9094)
2019-06-12 10:12:14 +01:00
Matt Caswell
7bc081dda3 Create BN_CTX_new_ex() and BN_CTX_secure_new_ex()
These variants of BN_CTX_new() and BN_CTX_secure_new() enable passing
an OPENSSL_CTX so that we can access this where needed throughout the
BIGNUM sub library.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9130)
2019-06-12 09:16:43 +01:00
Shane Lontis
83b4a24384 Make EVP_MD_CTX_ctrl() work for legacy use cases (ssl3).
This is still required currently by engines and digestsign/digestverify.
This PR contains merged in code from Richard Levitte's PR #9126.

[extended tests]

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9103)
2019-06-11 20:25:33 +10:00
Todd Short
5d12051167 Change cipher default strings to a function
Making the default cipher strings a function gives the library more
control over the defaults. Potentially allowing a change in the
future as ciphers become deprecated or dangerous.
Also allows third party distributors to change the defaults for their
installations.

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8686)
2019-06-11 09:44:26 +01:00
Matt Caswell
da0d114cd9 Convert drbg_lib to use OPENSSL_CTX for its global data
In preparation for moving the RAND code into the FIPS module we make
drbg_lib.c OPENSSL_CTX aware.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9039)
2019-06-07 12:04:34 +01:00
Kurt Roeckx
be5fc053ed Replace EVP_MAC_CTX_copy() by EVP_MAC_CTX_dup()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
GH: #7651
2019-06-06 17:41:41 +02:00
Shane Lontis
d5e5e2ffaf Move digests to providers
Move digest code into the relevant providers (fips, default, legacy).
The headers are temporarily moved to be internal, and will be moved
into providers after all external references are resolved. The deprecated
digest code can not be removed until EVP_PKEY (signing) is supported by
providers. EVP_MD data can also not yet be cleaned up for the same reasons.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8763)
2019-06-04 12:09:50 +10:00
Andreas Kretschmer
8869ad4a39 Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712)

CMP and CRMF API is added to libcrypto, and the "cmp" app to the openssl CLI.
    Adds extensive man pages and tests.  Integration into build scripts.

Incremental pull request based on OpenSSL commit 1362190b1b of 2018-09-26

3rd chunk: CMP ASN.1 structures (in crypto/cmp/cmp_asn.c) and related files

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8669)
2019-05-30 11:18:52 +01:00