oweals/openssl.git
4 years agotest/run_tests.pl: Improve indentation parsing workaround for VFO and VFP mode
Dr. David von Oheimb [Sat, 20 Jun 2020 15:20:20 +0000 (17:20 +0200)]
test/run_tests.pl: Improve indentation parsing workaround for VFO and VFP mode

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12175)

4 years agotest/run_tests.pl: Improve newline output for VFO and VFP mode
Dr. David von Oheimb [Sat, 20 Jun 2020 15:07:52 +0000 (17:07 +0200)]
test/run_tests.pl: Improve newline output for VFO and VFP mode

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12175)

4 years agoSpeed-up for tests in 81-test_cmp_cli_data/test_connection.csv
Dr. David von Oheimb [Sat, 20 Jun 2020 15:22:41 +0000 (17:22 +0200)]
Speed-up for tests in 81-test_cmp_cli_data/test_connection.csv

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12175)

4 years agoDisable tests in cmp_vfy_test.c that make no sense if FUZZING_BUILD_MODE_UNSAFE_FOR_P...
Dr. David von Oheimb [Thu, 18 Jun 2020 05:30:09 +0000 (07:30 +0200)]
Disable tests in cmp_vfy_test.c that make no sense if FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12175)

4 years ago81-test_cmp_cli.t: Disable CLI-based tests in case fuzzing is enabled
Dr. David von Oheimb [Thu, 18 Jun 2020 05:42:22 +0000 (07:42 +0200)]
81-test_cmp_cli.t: Disable CLI-based tests in case fuzzing is enabled

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12175)

4 years ago81-test_cmp_cli.t: Do connections to 127.0.0.1 (e.g., Mock server) without proxy
Dr. David von Oheimb [Thu, 18 Jun 2020 04:33:43 +0000 (06:33 +0200)]
81-test_cmp_cli.t: Do connections to 127.0.0.1 (e.g., Mock server) without proxy

Fixes #12156

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12175)

4 years agoFix CMP -days option range checking and test failing with enable-ubsan
Dr. David von Oheimb [Wed, 17 Jun 2020 06:12:19 +0000 (08:12 +0200)]
Fix CMP -days option range checking and test failing with enable-ubsan

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12175)

4 years agoAdd documentation of OSSL_CRMF_CERTID_dup()
Dr. David von Oheimb [Fri, 19 Jun 2020 18:39:33 +0000 (20:39 +0200)]
Add documentation of OSSL_CRMF_CERTID_dup()

Fixes #12190

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12208)

4 years agoPrint CPUINFO also for s390 processors
Patrick Steuer [Sat, 20 Jun 2020 15:59:02 +0000 (17:59 +0200)]
Print CPUINFO also for s390 processors

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12216)

4 years ago[doc/man3] finish EC_GROUP_get_field_type documentation
Billy Brumley [Sat, 20 Jun 2020 07:11:11 +0000 (10:11 +0300)]
[doc/man3] finish EC_GROUP_get_field_type documentation

https://github.com/openssl/openssl/pull/11928 documented
`EC_GROUP_get_field_type` behavior in the `man` page but did not add the
name to the function list.

Fixes #12189.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12214)

4 years agoFlag RSA secret BNs as consttime on keygen and checks
Nicola Tuveri [Tue, 16 Jun 2020 17:12:13 +0000 (20:12 +0300)]
Flag RSA secret BNs as consttime on keygen and checks

<https://github.com/openssl/openssl/pull/11765> switched the default
code path for keygen.

External testing through TriggerFlow highlighted that in several places
we failed (once more!) to set the `BN_FLG_CONSTTIME` flag on critical
secret values (either long term or temporary values).

This commit tries to make sure that the secret BN values inside the
`rsa struct` are always flagged on creation, and that temporary values
derived from these secrets are flagged when allocated from a BN_CTX.

Acknowledgments
---------------

Thanks to @Voker57, @bbbrumley, @sohhas, @cpereida for the
[OpenSSL Triggerflow CI] ([paper]) through which this defect was detected and
tested, and for providing early feedback to fix the issue!

[OpenSSL Triggerflow CI]: https://gitlab.com/nisec/openssl-triggerflow-ci
[paper]: https://eprint.iacr.org/2019/366

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12167)

4 years agoFix one typo in a comment.
FdaSilvaYY [Fri, 19 Jun 2020 21:33:24 +0000 (23:33 +0200)]
Fix one typo in a comment.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12209)

4 years agoFix `no-ts` builds.
FdaSilvaYY [Fri, 19 Jun 2020 21:22:09 +0000 (23:22 +0200)]
Fix `no-ts` builds.
`ess_lib.c` is called from `cms` and `ts` modules.

Fixes #12155

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12209)

4 years agonamemap: change ossl_namemap_empty() to do what the documentation says.
Pauli [Thu, 18 Jun 2020 01:01:08 +0000 (11:01 +1000)]
namemap: change ossl_namemap_empty() to do what the documentation says.

The function is documented as returning 1 when passed a NULL argument.
Instead it core dumps.  Added a unit test for this.

Additionally, a performance improvement is incorporated.  The namemap
max_number field is only ever compared against zero and incremented.
The zero comparison grabs a lock specifically for this check.  This change
uses TSAN operations instead if they are available.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12181)

4 years agoAllow oversized buffers for provider cipher IV fetch
Benjamin Kaduk [Mon, 1 Jun 2020 19:31:55 +0000 (12:31 -0700)]
Allow oversized buffers for provider cipher IV fetch

When we're fetching an IV, there's no need to enforce that the
provided buffer is exactly the same size as the IV we want to
write into it.  This might happen, for example, when
EVP_CIPHER_CTX_iv_noconst() passes sizeof(ctx->iv) (that is,
EVP_MAX_IV_LENGTH) for an AES-GCM cipher that uses a shorter IV.
AES-OCB and CCM were also affected.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12039)

4 years agoSet cipher IV as octet string and pointer from providers
Benjamin Kaduk [Mon, 1 Jun 2020 21:33:54 +0000 (14:33 -0700)]
Set cipher IV as octet string and pointer from providers

OSSL_CIPHER_PARAM_IV can be accessed both as an octet string and as
an octet pointer (for routines like EVP_CIPHER_CTX_iv() that are
in a nebulous undocumented-and-might-go-away-eventually state),
the latter for when there is need to modify the actual value in
the provider.

Make sure that we consistently try to set it as both the string and pointer
forms (not just octet string) and only fail if neither version succeeds.  The
generic cipher get_ctx_params routine was already doing so, but the
AES-variant-, GCM-, and CCM-specific ones were not.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12039)

4 years agoBuild: Remove faulty DES assembler spec
Richard Levitte [Fri, 19 Jun 2020 08:08:33 +0000 (10:08 +0200)]
Build: Remove faulty DES assembler spec

crypto/des/build.info had a faulty spec that ghash-ia64 should be
compiled for DES.  Removed.

Fixes #12197

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12203)

4 years agodoc: Document OSSL_PARAM_modified and OSSL_PARAM_set_all_unmodified.
Pauli [Fri, 19 Jun 2020 07:17:37 +0000 (17:17 +1000)]
doc: Document OSSL_PARAM_modified and OSSL_PARAM_set_all_unmodified.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12200)

4 years agoReturn the cookie_len value from generate_cookie_callback
Matt Caswell [Wed, 17 Jun 2020 10:37:39 +0000 (11:37 +0100)]
Return the cookie_len value from generate_cookie_callback

The generate_cookie_callback was failing to pass back the generated
cookie length to the caller. This results in DTLS connection failures
from s_server.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12179)

4 years agoFix the DTLS1_COOKIE_LENGTH value
Matt Caswell [Wed, 17 Jun 2020 10:34:49 +0000 (11:34 +0100)]
Fix the DTLS1_COOKIE_LENGTH value

The DTLS1_COOKIE_LENGTH value was incorrect in the header files. We
couldn't change it before due to ABI concerns. However 3.0 is not ABI
compatible so we can now fix it.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12179)

4 years agoAdd evp_extra_test2 to .gitignore
Matt Caswell [Tue, 16 Jun 2020 15:15:52 +0000 (16:15 +0100)]
Add evp_extra_test2 to .gitignore

This is a test executable which should not be added to the repository

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12159)

4 years agoAdd a test for d2i_AutoPrivateKey_ex with a non-default libctx
Matt Caswell [Mon, 15 Jun 2020 16:48:39 +0000 (17:48 +0100)]
Add a test for d2i_AutoPrivateKey_ex with a non-default libctx

Really this test should go in evp_extra_test. However that doesn't
currently support a non-default libctx (with the "null" provider in the
default libctx). So (for now) we create evp_extra_test2.c

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12159)

4 years agoEnsure creating an EC public key uses the libctx
Matt Caswell [Mon, 15 Jun 2020 13:29:37 +0000 (14:29 +0100)]
Ensure creating an EC public key uses the libctx

Creating an EC public key from the private key uses random numbers
internally, which require use of the proper libtx. Therefore we make
sure the libctx is used during this operation.

Fixes #12150

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12159)

4 years agoAdd more complete support for libctx/propq in the EC code
Matt Caswell [Mon, 15 Jun 2020 13:21:00 +0000 (14:21 +0100)]
Add more complete support for libctx/propq in the EC code

Renames some "new_ex" functions to "new_with_libctx" and ensures that we
pass around the libctx AND the propq everywhere.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12159)

4 years agoCreate defines for TLS Group Ids
Matt Caswell [Tue, 16 Jun 2020 14:30:46 +0000 (15:30 +0100)]
Create defines for TLS Group Ids

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)

4 years agoDon't send supported groups if no-ec and we're doing DTLS
Matt Caswell [Thu, 11 Jun 2020 15:47:50 +0000 (16:47 +0100)]
Don't send supported groups if no-ec and we're doing DTLS

The supported_groups extension only supported EC groups in DTLS.
Therefore we shouldn't send it in a no-ec build.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)

4 years agoProvider a better error message if we fail to copy parameters
Matt Caswell [Fri, 22 May 2020 13:11:43 +0000 (14:11 +0100)]
Provider a better error message if we fail to copy parameters

If EVP_PKEY_copy_parameters() failed in libssl we did not provide a very
helpful error message. We provide a better one.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)

4 years agoMake sure we save the copy function when registering a new Keymgmt
Matt Caswell [Fri, 22 May 2020 13:09:13 +0000 (14:09 +0100)]
Make sure we save the copy function when registering a new Keymgmt

If a provider had a "copy" function in the its keymgmt definition we
were ignoring it.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)

4 years agoWrite a test provider to test the TLS-GROUPS capability
Matt Caswell [Thu, 21 May 2020 16:59:47 +0000 (17:59 +0100)]
Write a test provider to test the TLS-GROUPS capability

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)

4 years agoUpdate the various SSL group getting and setting functions
Matt Caswell [Thu, 21 May 2020 15:36:32 +0000 (16:36 +0100)]
Update the various SSL group getting and setting functions

A number of these functions returned a NID or an array of NIDs for the
groups. Now that groups can come from the providers we do not necessarily
know the NID. Therefore we need to handle this in a clean way.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)

4 years agoAdd some missing OSSL_PKEY_PARAM_GROUP_NAME documentation
Matt Caswell [Thu, 21 May 2020 15:16:41 +0000 (16:16 +0100)]
Add some missing OSSL_PKEY_PARAM_GROUP_NAME  documentation

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)

4 years agoAdd documentation about Capabilities
Matt Caswell [Thu, 21 May 2020 14:57:35 +0000 (15:57 +0100)]
Add documentation about Capabilities

Document the OSSL_PROVIDER_get_capabilities() function as well as the
provider side support for capabilities.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)

4 years agoMake EVP_PKEY_CTX_[get|set]_group_name work for ECX too
Matt Caswell [Wed, 20 May 2020 13:47:39 +0000 (14:47 +0100)]
Make EVP_PKEY_CTX_[get|set]_group_name work for ECX too

The previous commits made EVP_PKEY_CTX_[get|set]_group_name work for
EC and DH keys. We now extend this to ECX. Even though that keys with
these key types only have one group we still allow it to be explicitly
set so that we have only one codepath for all keys. Setting the group
name for these types of keys is optional, but if you do so it must have
the correct name.

Additionally we enable parameter generation for these keys. Parameters
aren't actually needed for this key type, but for the same reasons as
above (to ensure a single codepath for users of these algorithms) we
enable it anyway.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)

4 years agoMake EVP_PKEY_CTX_[get|set]_group_name work for DH too
Matt Caswell [Wed, 20 May 2020 13:46:22 +0000 (14:46 +0100)]
Make EVP_PKEY_CTX_[get|set]_group_name work for DH too

The previous commit added the EVP_PKEY_CTX_[get|set]_group_name
functions to work with EC groups. We now extend that to also work for
DH.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)

4 years agoMake EVP_PKEY_CTX_[get|set]_ec_paramgen_curve_name more generic
Matt Caswell [Tue, 19 May 2020 14:24:25 +0000 (15:24 +0100)]
Make EVP_PKEY_CTX_[get|set]_ec_paramgen_curve_name more generic

We rename these function to EVP_PKEY_CTX_get_group_name and
EVP_PKEY_CTX_set_group_name so that they can be used for other algorithms
other than EC.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)

4 years agoModify libssl to discover supported groups based on available providers
Matt Caswell [Mon, 18 May 2020 22:37:18 +0000 (23:37 +0100)]
Modify libssl to discover supported groups based on available providers

Now that we have added the TLS-GROUP capability to the default provider
we can use that to discover the supported group list based on the loaded
providers.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)

4 years agoAdd the OSSL_PROVIDER_get_capabilities() API function
Matt Caswell [Mon, 18 May 2020 14:13:09 +0000 (15:13 +0100)]
Add the OSSL_PROVIDER_get_capabilities() API function

Provide a function to applications to query the capabilities that a
provider can perform.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)

4 years agoAdd the concept of "Capabilities" to the default and fips providers
Matt Caswell [Mon, 18 May 2020 13:11:06 +0000 (14:11 +0100)]
Add the concept of "Capabilities" to the default and fips providers

With capabilities we can query a provider about what it can do.
Initially we support a "TLS-GROUP" capability.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)

4 years agoAdd missing section on asymmetric ciphers
Benny Baumann [Tue, 16 Jun 2020 21:43:24 +0000 (23:43 +0200)]
Add missing section on asymmetric ciphers

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12170)

4 years agoRemove whitespace from 'white space'
haykam821 [Mon, 15 Jun 2020 20:17:15 +0000 (16:17 -0400)]
Remove whitespace from 'white space'

CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12161)

4 years agoConfigure DEPs for FIPS provider on AIX.
Matthias Kraft [Mon, 25 May 2020 08:10:24 +0000 (10:10 +0200)]
Configure DEPs for FIPS provider on AIX.

The binder of the AIX linker needs to be told which functions to call on
loading and initializing a shared object. Therefore another configuration
variable shared_fipsflag is introduced, which is appended to shared_defflag
when the providers/fips module gets configured.

It was suggested to refactor the line in the build file template to become
more generic and less magic. There is, however, currently no suggestion how
to actually achive this, so we leave a TODO comment.
The possible shared_fipsflag must only be appended to the shared_def iff
this code is acting on behalf of the fips provider module build.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11950)

4 years agoDOC: Spelling fixes
Sebastian Andrzej Siewior [Tue, 16 Jun 2020 22:20:40 +0000 (00:20 +0200)]
DOC: Spelling fixes

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12172)

4 years agoFix segfault in openssl app called with no args.
Shane Lontis [Wed, 17 Jun 2020 23:03:32 +0000 (09:03 +1000)]
Fix segfault in openssl app called with no args.

This is a result of removal of interactive mode.
Redirected it to now use 'openssl help'.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12164)

4 years agocoverity 1464213: API usage errors (PRINTF_ARGS)
Pauli [Sun, 14 Jun 2020 22:13:43 +0000 (08:13 +1000)]
coverity 1464213:  API usage errors  (PRINTF_ARGS)

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12149)

4 years agocoverity 1464212, 1464214 & 1464215: Resource leaks
Pauli [Sun, 14 Jun 2020 22:11:13 +0000 (08:11 +1000)]
coverity 14642121464214 & 1464215: Resource leaks

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12149)

4 years agoAdd ACVP fips module tests
Shane Lontis [Wed, 17 Jun 2020 01:33:16 +0000 (11:33 +1000)]
Add ACVP fips module tests

For FIPS validation purposes - Automated Cryptographic Validation Protocol (ACVP) tests need to be
performed. (See https://github.com/usnistgov/ACVP). These tests are very similiar to the old CAVS tests.

This PR uses a hardwired subset of these test vectors to perform similiar operations,
to show the usage and prove that the API's are able to perform the required operations.
It may also help with communication with the lab (i.e- The lab could add a test here to show
a unworking use case - which we can then address).

The EVP layer performs these tests instead of calling lower level API's
as was done in the old FOM.
Some of these tests require access to internals that are not normally allowed/required.

The config option 'acvp_tests' (enabled by default) has been added so that this
access may be removed.

The mechanism has been implemented as additional OSSL_PARAM values that can be set and get.
A callback mechanism did not seem to add any additional benefit.
These params will not be added to the gettables lists.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11572)

4 years agoUpdate gost-engine submodule to match EVP_MAC renaming
Dmitry Belyavskiy [Fri, 12 Jun 2020 07:59:46 +0000 (10:59 +0300)]
Update gost-engine submodule to match EVP_MAC renaming

[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12124)

4 years agoRefactor BN_R_NO_INVERSE logic in internal functions
Nicola Tuveri [Sat, 13 Jun 2020 14:29:09 +0000 (17:29 +0300)]
Refactor BN_R_NO_INVERSE logic in internal functions

Closes #12129

As described in https://github.com/openssl/openssl/issues/12129 the
readability of the internal functions providing the two alternative
implementations for `BN_mod_inverse()` is a bit lacking.

Both these functions are now completely internal, so we have the
flexibility needed to slightly improve readability and remove
unnecessary NULL checks.

The main changes here are:
- rename `BN_mod_inverse_no_branch()` as `bn_mod_inverse_no_branch()`:
  this function is `static` so it is not even visible within the rest of
  libcrypto. By convention upcase prefixes are reserved for public
  functions.
- remove `if (pnoinv == NULL)` checks in `int_bn_mod_inverse()`: this
  function is internal to the BN module and we can guarantee that all
  callers pass non-NULL arguments.
- `bn_mod_inverse_no_branch()` takes an extra `int *pnoinv` argument, so
  that it can signal if no inverse exists for the given inputs: in this
  way the caller is in charge of raising `BN_R_NO_INVERSE` as it is the
  case for the non-consttime implementation of `int_bn_mod_inverse()`.
- `BN_mod_inverse()` is a public function and must guarantee that the
  internal functions providing the actual implementation receive valid
  arguments. If the caller passes a NULL `BN_CTX` we create a temporary
  one for internal use.
- reorder function definitions in `crypto/bn/bn_gcd.c` to avoid forward
  declaration of `static` functions (in preparation for inlining).
- inline `bn_mod_inverse_no_branch()`.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12142)

4 years agoImprove BIO_socket_wait(), BIO_wait(), BIO_connect_retry(), and their docs
Dr. David von Oheimb [Thu, 28 May 2020 13:16:45 +0000 (15:16 +0200)]
Improve BIO_socket_wait(), BIO_wait(), BIO_connect_retry(), and their docs

Add/extend range check for 'fd' argument of BIO_socket_wait() and bio_wait()
Correct nap time calculations in bio_wait(), thus correcting also BIO_wait()
Update a type cast from 'unsigned long' to 'unsigned int'
Extend the comments and documentation of BIO_wait()

Rename BIO_connect_retry() to BIO_do_connect_retry()
Make its 'timeout' argument < 0 lead to BIO_do_connect() tried only once
Add optional 'nap_milliseconds' parameter determining the polling granularity
Correct and generalize the retry case checking
Extend the comments and documentation of BIO_do_connect_retry()

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11986)

4 years agoAdd OPENSSL_strdup failure check to cpt_ctrl() in bss_acpt.c
Dr. David von Oheimb [Thu, 4 Jun 2020 08:33:28 +0000 (10:33 +0200)]
Add OPENSSL_strdup failure check to cpt_ctrl() in bss_acpt.c

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11986)

4 years agoFix err checking and mem leaks of BIO_set_conn_port and BIO_set_conn_address
Dr. David von Oheimb [Wed, 3 Jun 2020 05:49:27 +0000 (07:49 +0200)]
Fix err checking and mem leaks of BIO_set_conn_port and BIO_set_conn_address

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11986)

4 years agoCMS_get0_signers() description
olszomal [Fri, 12 Jun 2020 10:09:02 +0000 (12:09 +0200)]
CMS_get0_signers() description

CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12055)

4 years agoEVP: allow empty strings to EVP_Decode* functions
Richard Levitte [Sat, 13 Jun 2020 20:16:14 +0000 (22:16 +0200)]
EVP: allow empty strings to EVP_Decode* functions

This is a simple check order correction.

Fixes #12143

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12144)

4 years agoFix logic error for building x86 CAST assembly
Benjamin Kaduk [Sat, 13 Jun 2020 02:56:11 +0000 (19:56 -0700)]
Fix logic error for building x86 CAST assembly

The assembly code is not PIC, so we should only try to build it
when the configuration has disabled PIC, not the other way around.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/12128)

4 years agoFix nits detected by make cmd-nits
Nicola Tuveri [Fri, 12 Jun 2020 15:11:09 +0000 (18:11 +0300)]
Fix nits detected by make cmd-nits

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/12127)

4 years agoUpdate and extend NOTES.WIN, adding 'Quick start' subsection
Dr. David von Oheimb [Tue, 9 Jun 2020 12:04:49 +0000 (14:04 +0200)]
Update and extend NOTES.WIN, adding 'Quick start' subsection

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12098)

4 years agoChunk 12 of CMP contribution to OpenSSL: CLI-based high-level tests
Dr. David von Oheimb [Sat, 30 May 2020 16:27:03 +0000 (18:27 +0200)]
Chunk 12 of CMP contribution to OpenSSL: CLI-based high-level tests

Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712).
Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI.
Adds extensive documentation and tests.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoRemove extra newline from CMP mock server error and add TODO on using request template
Dr. David von Oheimb [Fri, 29 May 2020 19:52:27 +0000 (21:52 +0200)]
Remove extra newline from CMP mock server error and add TODO on using request template

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoMove part of OSSL_CMP_validate_msg() to ossl_cmp_msg_check_update()
Dr. David von Oheimb [Fri, 29 May 2020 15:14:14 +0000 (17:14 +0200)]
Move part of OSSL_CMP_validate_msg() to ossl_cmp_msg_check_update()

as checking expected_sender and adding caPubs is not part of msg validation.
Also constify a couple of internal and public functions related to cmp_vfy.c

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoBug fix in ossl_cmp_hdr_init(): sould not remember recipient as expected sender
Dr. David von Oheimb [Fri, 29 May 2020 15:11:48 +0000 (17:11 +0200)]
Bug fix in ossl_cmp_hdr_init(): sould not remember recipient as expected sender

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoBug fix in ossl_cmp_certRep_new(): must allocate empty extraCerts stack
Dr. David von Oheimb [Fri, 29 May 2020 15:10:48 +0000 (17:10 +0200)]
Bug fix in ossl_cmp_certRep_new(): must allocate empty extraCerts stack

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoImprove description of CMP untrusted certs and msg 'sender' field
Dr. David von Oheimb [Fri, 29 May 2020 11:30:03 +0000 (13:30 +0200)]
Improve description of CMP untrusted certs and msg 'sender' field

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoMake CMP server use same protection for response as for request
Dr. David von Oheimb [Fri, 29 May 2020 08:16:06 +0000 (10:16 +0200)]
Make CMP server use same protection for response as for request

Also adds ossl_cmp_hdr_get_protection_nid() simplifying cmp_vfy.c

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoFill in transactionID on any error in OSSL_CMP_SRV_process_request()
Dr. David von Oheimb [Thu, 28 May 2020 19:42:26 +0000 (21:42 +0200)]
Fill in transactionID on any error in OSSL_CMP_SRV_process_request()

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoImprove ossl_cmp_msg_check_received() and rename to ossl_cmp_msg_check_update()
Dr. David von Oheimb [Thu, 28 May 2020 15:19:36 +0000 (17:19 +0200)]
Improve ossl_cmp_msg_check_received() and rename to ossl_cmp_msg_check_update()

Bugfix: allow using extraCerts contained in msg already while checking signature
Improve function name, simplify its return value, and update its documentation

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoImprove cert checking diagnostics of OSSL_CMP_validate_msg()
Dr. David von Oheimb [Thu, 28 May 2020 15:09:21 +0000 (17:09 +0200)]
Improve cert checking diagnostics of OSSL_CMP_validate_msg()

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoRemove misleading diagnostics on pinned sender cert in OSSL_CMP_validate_msg()
Dr. David von Oheimb [Wed, 27 May 2020 15:52:53 +0000 (17:52 +0200)]
Remove misleading diagnostics on pinned sender cert in OSSL_CMP_validate_msg()

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoCorrect error reason of verify_signature() in cmp_vfy.c
Dr. David von Oheimb [Wed, 27 May 2020 15:28:35 +0000 (17:28 +0200)]
Correct error reason of verify_signature() in cmp_vfy.c

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoExtend error output of apps/opt_format() to all error cases
Dr. David von Oheimb [Tue, 26 May 2020 09:09:03 +0000 (11:09 +0200)]
Extend error output of apps/opt_format() to all error cases

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoRemove meanwhile redundant error output of apps/opt_next(void) parsing numbers
Dr. David von Oheimb [Tue, 26 May 2020 08:44:10 +0000 (10:44 +0200)]
Remove meanwhile redundant error output of apps/opt_next(void) parsing numbers

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoFix use of -no-proxy option of CMP app
Dr. David von Oheimb [Tue, 26 May 2020 06:35:33 +0000 (08:35 +0200)]
Fix use of -no-proxy option of CMP app

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoAdd request URL path checking and status responses to HTTP server
Dr. David von Oheimb [Mon, 25 May 2020 15:32:26 +0000 (17:32 +0200)]
Add request URL path checking and status responses to HTTP server

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoAllow subject of CMP -oldcert as sender unless protection cert is given
Dr. David von Oheimb [Wed, 20 May 2020 13:10:05 +0000 (15:10 +0200)]
Allow subject of CMP -oldcert as sender unless protection cert is given

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoCorrect error output of parse_name() in apps/lib/apps.c and apps/cmp.c
Dr. David von Oheimb [Wed, 20 May 2020 07:14:30 +0000 (09:14 +0200)]
Correct error output of parse_name() in apps/lib/apps.c and apps/cmp.c

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoCheck expected sender not only for signature-protected CMP messages
Dr. David von Oheimb [Wed, 20 May 2020 06:11:47 +0000 (08:11 +0200)]
Check expected sender not only for signature-protected CMP messages

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoImprove description of -trusted, -srvcert, -recipient, and -expect_sender CMP options
Dr. David von Oheimb [Tue, 19 May 2020 07:47:46 +0000 (09:47 +0200)]
Improve description of -trusted, -srvcert, -recipient, and -expect_sender CMP options

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoStreamline the approach to set CMP message recipient and expected sender
Dr. David von Oheimb [Tue, 19 May 2020 10:30:11 +0000 (12:30 +0200)]
Streamline the approach to set CMP message recipient and expected sender

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoFix too strict checks of ossl_cmp_calc_protection()
Dr. David von Oheimb [Mon, 18 May 2020 08:50:30 +0000 (10:50 +0200)]
Fix too strict checks of ossl_cmp_calc_protection()

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

4 years agoGuard new header mac.h against C++isms.
Pauli [Thu, 11 Jun 2020 22:48:06 +0000 (08:48 +1000)]
Guard new header mac.h against C++isms.

[extended tests]

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12121)

4 years agoFix two additional instances of the old EVP_MAC_CTX_ functions being used.
Pauli [Thu, 11 Jun 2020 21:49:18 +0000 (07:49 +1000)]
Fix two additional instances of the old EVP_MAC_CTX_ functions being used.

[extended tests]

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12121)

4 years agoUse the inherited 'bsd-gcc-shared' config on 32-bit x86 BSDs.
John Baldwin [Wed, 10 Jun 2020 22:19:00 +0000 (15:19 -0700)]
Use the inherited 'bsd-gcc-shared' config on 32-bit x86 BSDs.

BSD-generic32 already uses this for building shared libraries on other
32-bit BSD platforms.  Commit b7efa56 collapsed various *BSD targets
down to the BSD-generic ones and BSD-x86.  At the time only
OpenBSD/i386 used `bsd-shared` while both FreeBSD and NetBSD used
`bsd-gcc-shared`.  In practice, all of the BSDs are using either a
GCC/ld.bfd toolchain or a clang/lld toolchain both of which are
compatible with 'bsd-gcc-shared'.

Retire 'bsd-shared' since this removes the last user.

Fixes #12050.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12110)

4 years agodoc: Add a hint to man3/EVP_$hash that it is legacy
Sebastian Andrzej Siewior [Sat, 6 Jun 2020 16:22:04 +0000 (18:22 +0200)]
doc: Add a hint to man3/EVP_$hash that it is legacy

Some hash algorithms are only provided by the legacy provider. This
information is not mentioned in EVP_md4(3) for md4 and one might wonder
why it is no longer working.

Add a note to the EVP_ man page for md2, md4, mdc2, ripemd160 and
whirlpool that it is only available with the legacy provider.

Fixes #11650

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12074)

4 years agoAPPS: Use a second EVP_MD_CTX for EdDSA verify
Sebastian Andrzej Siewior [Sat, 6 Jun 2020 15:21:15 +0000 (17:21 +0200)]
APPS: Use a second EVP_MD_CTX for EdDSA verify

Verify for the two EdDSA algorithms fails in "speed eddsa".
It appears that the same ctx can not be used for the sign and verify
process.

Create a second EVP_MD_CTX for the verify purpose.

Fixes #11650

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12074)

4 years agoAPPS: Exclude legacy algorighms from speed
Sebastian Andrzej Siewior [Sat, 6 Jun 2020 12:35:57 +0000 (14:35 +0200)]
APPS: Exclude legacy algorighms from speed

Legacy crypto algorithms are not provided by the default "provider"
leading to a warning.
Remove legacy algorithms from the set that is tested by default. The
algorihms can be tested manually if selected manually and using the
legacy provider.

Fixes #11650

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12074)

4 years agoThe EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_*
Pauli [Mon, 8 Jun 2020 22:53:05 +0000 (08:53 +1000)]
The EVP_MAC functions have been renamed for consistency.  The EVP_MAC_CTX_*
functions are now EVP_MAC functions, usually with ctx in their names.

Before 3.0 is released, the names are mutable and this prevents more
inconsistencies being introduced.

There are no functional or code changes.
Just the renaming and a little reformatting.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11997)

4 years agokdf: make function naming consistent.
Pauli [Mon, 8 Jun 2020 23:10:41 +0000 (09:10 +1000)]
kdf: make function naming consistent.

The EVP_KDF_CTX_* functions have been relocated to the EVP_KDF_* namespace
for consistency.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11996)

4 years agoMake it clear that you can't use all ciphers for CMAC
Matt Caswell [Wed, 27 May 2020 10:50:05 +0000 (11:50 +0100)]
Make it clear that you can't use all ciphers for CMAC

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11972)

4 years agoAdd a CMAC test
Matt Caswell [Wed, 27 May 2020 10:40:24 +0000 (11:40 +0100)]
Add a CMAC test

We did not have a test of the low level CMAC APIs so we add one. This is
heavily based on the HMAC test.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11972)

4 years agoCorrectly handle the return value from EVP_Cipher() in the CMAC code
Matt Caswell [Wed, 27 May 2020 10:38:39 +0000 (11:38 +0100)]
Correctly handle the return value from EVP_Cipher() in the CMAC code

EVP_Cipher() is a very low level routine that directly calls the
underlying cipher function. It's return value semantics are very odd.
Depending on the type of cipher 0 or -1 is returned on error. We should
just check for <=0 for a failure.

Fixes #11957

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11972)

4 years agoEnsure we never use a partially initialised CMAC_CTX
Matt Caswell [Wed, 27 May 2020 10:37:39 +0000 (11:37 +0100)]
Ensure we never use a partially initialised CMAC_CTX

If the CMAC_CTX is partially initialised then we make a note of this so
that future operations will fail if the initialisation has not been
completed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11972)

4 years agorun_tests.pl: Add options for focussing output on failed (sub-)tests
Dr. David von Oheimb [Mon, 8 Jun 2020 11:40:34 +0000 (13:40 +0200)]
run_tests.pl: Add options for focussing output on failed (sub-)tests

VERBOSE_FAILURES_ONLY (VFO): verbose output only of failed (sub-)tests
VERBOSE_FAILURES_PROGRESS (VFP): in addition summary for passed tests
This adds a workaroud for TAP::Parser not coping well with indentation.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12088)

4 years agoMake error output of dhparams and dsaparams app more consistent
Dr. David von Oheimb [Fri, 5 Jun 2020 19:40:28 +0000 (21:40 +0200)]
Make error output of dhparams and dsaparams app more consistent

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12062)

4 years agoGenerate error queue entry on FFC_CHECK_BAD_LN_PAIR for DH and DSA
Dr. David von Oheimb [Fri, 5 Jun 2020 19:27:34 +0000 (21:27 +0200)]
Generate error queue entry on FFC_CHECK_BAD_LN_PAIR for DH and DSA

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12062)

4 years agoSilence gcc false positive warning on refdatalen in test/tls13encryptiontest.c
Dr. David von Oheimb [Fri, 5 Jun 2020 14:42:39 +0000 (16:42 +0200)]
Silence gcc false positive warning on refdatalen in test/tls13encryptiontest.c

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12042)

4 years agoSilence gcc false positive warning on alpn_protos_len in test/handshake_helper.c
Dr. David von Oheimb [Thu, 4 Jun 2020 10:37:50 +0000 (12:37 +0200)]
Silence gcc false positive warning on alpn_protos_len in test/handshake_helper.c

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12042)

4 years agoUpdate RSA keygen to use sp800-56b by default
Shane Lontis [Tue, 9 Jun 2020 22:59:56 +0000 (08:59 +1000)]
Update RSA keygen to use sp800-56b by default

Fixes #11742
Fixes #11764

The newer RSA sp800-56b algorithm is being used for the normal case of a non multiprime key of at least length 2048.
Insecure key lengths and mutltiprime RSA will use the old method.

Bad public exponents are no longer allowed (i.e values less than 65537 or even). Values such as 2 that would cause a infinite loop now result in an error. The value of 3 has been marked as deprecated but is still allowed for legacy purposes.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11765)

4 years agoAdd a test for renegotiation with EXTMS dropped
Tomas Mraz [Fri, 5 Jun 2020 08:50:25 +0000 (10:50 +0200)]
Add a test for renegotiation with EXTMS dropped

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12045)

4 years agoDo not allow dropping Extended Master Secret extension on renegotiaton
Tomas Mraz [Thu, 4 Jun 2020 09:40:29 +0000 (11:40 +0200)]
Do not allow dropping Extended Master Secret extension on renegotiaton

Abort renegotiation if server receives client hello with Extended Master
Secret extension dropped in comparison to the initial session.

Fixes #9754

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12045)

4 years agouse safe primes in ssl_get_auto_dh()
Hubert Kario [Fri, 5 Jun 2020 18:21:55 +0000 (20:21 +0200)]
use safe primes in ssl_get_auto_dh()

DH_get_1024_160() and DH_get_2048_224() return parameters from
RFC5114. Those parameters include primes with known small subgroups,
making them unsafe. Change the code to use parameters from
RFC 2409 and RFC 3526 instead (group 2 and 14 respectively).

This patch also adds automatic selection of 4096 bit params for 4096 bit
RSA keys

Signed-off-by: Hubert Kario <hkario@redhat.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12061)

4 years agoAPPS: Fix 'openssl dhparam'
Richard Levitte [Fri, 5 Jun 2020 21:40:49 +0000 (23:40 +0200)]
APPS: Fix 'openssl dhparam'

'dhparam' can't be completely rewritten in terms of EVP_PKEY functions
yet, because we lack X9.42 support.  However, we do when generating,
but forgot to extract a DH pointer with EVP_PKEY_get0_DH().

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12048)