Richard Levitte [Mon, 7 Oct 2019 05:23:32 +0000 (07:23 +0200)]
Add documentation for PEM_{read,write}_bio_Parameters()
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10113)
Rich Salz [Sun, 6 Oct 2019 17:38:52 +0000 (13:38 -0400)]
Fix typo in flag name
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10110)
Matt Caswell [Fri, 4 Oct 2019 10:12:04 +0000 (11:12 +0100)]
Fix no-autoerrinit
Don't run the test_CTX_print_errors test test in test_cmp_ctx if
no-autoerrinit has been configured.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10091)
Matt Caswell [Fri, 4 Oct 2019 13:01:21 +0000 (14:01 +0100)]
Send bad_record_mac instead of decryption_failed
The decryption failed alert was deprecated a long time ago. It can
provide an attacker too much information to be able to distinguish between
MAC failures and decryption failures and can lead to oracle attacks.
Instead we should always use the bad_record_mac alert for these issues.
This fixes one instance that still exists. It does not represent a
security issue in this case because it is only ever sent if the record is
publicly invalid, i.e. we have detected it is invalid without using any
secret material.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10093)
Paul Yang [Sun, 29 Sep 2019 14:25:10 +0000 (22:25 +0800)]
Support SM2 in apps/speed
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10053)
Richard Levitte [Sun, 6 Oct 2019 08:45:17 +0000 (10:45 +0200)]
EVP_{CIPHER,MD}_CTX_ctrl(): make sure to return 0 or 1
Even thought the underlying calls might return something other than 0
or 1, EVP_CIPHER_CTX_ctrl() and EVP_MD_CTX_ctrl() were made to only
return those values regardless. That behaviour was recently lost, so
we need to restore it.
Fixes #10106
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10108)
Rich Salz [Mon, 12 Aug 2019 20:55:25 +0000 (16:55 -0400)]
Deprecate NCONF_WIN32() function
Extensive documentation added in HISTORY section in doc/man5/config.pod
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9578)
Rich Salz [Wed, 2 Oct 2019 19:40:42 +0000 (15:40 -0400)]
Also mention -- flag and ignore if undocumented
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10077)
Pauli [Sun, 6 Oct 2019 03:39:01 +0000 (13:39 +1000)]
Fix typo in comment
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10105)
Rich Salz [Mon, 23 Sep 2019 18:54:42 +0000 (14:54 -0400)]
Add missing help text for some options
Fixes: #9952
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9989)
Matt Caswell [Sat, 5 Oct 2019 01:42:32 +0000 (11:42 +1000)]
RC4 is not a block cipher
RC4 is a stream cipher therefore EVP_CIPHER_CTX_block_size() should
return 1.
This fixes a test failure in ssl_test_old when enable-weak-ssl-ciphers
has been configured.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10090)
Rich Salz [Fri, 4 Oct 2019 17:40:14 +0000 (13:40 -0400)]
Fix L<EVP_KDF-derive> to L<EVP_DEF_derive>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10096)
Richard Levitte [Tue, 4 Jun 2019 11:58:43 +0000 (13:58 +0200)]
Move MD5-SHA1 digest completely to the default provider
This leaves minimal implementations of EVP_md5_sha1, which is now only
there to provide a name for implicit fetches.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9076)
Pauli [Thu, 3 Oct 2019 09:06:35 +0000 (19:06 +1000)]
Remove unused fields in method store structure.
The random bit caching was a residue of earlier code and isn't used any more.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10089)
Richard Levitte [Mon, 30 Sep 2019 15:04:33 +0000 (17:04 +0200)]
Move all SHA digests completely to the default provider
This leaves minimal implementations of EVP_sha* and EVP_shake*, which
is now only there to provide a name for implicit fetches.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10059)
Rich Salz [Fri, 27 Sep 2019 18:03:57 +0000 (14:03 -0400)]
Rename "private" file, doc doc changes in CHANGES
Use err() for find-doc-nits -e output
Doing this meant we could remove the -s flag, so we do so; move
option/help stuff to top of script.
Add a CHANGES entry.
Rename missing to other.syms
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10039)
Richard Levitte [Thu, 23 May 2019 01:39:15 +0000 (03:39 +0200)]
Adapt existing providers to posibly have name lists
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/8985)
Richard Levitte [Thu, 23 May 2019 01:36:21 +0000 (03:36 +0200)]
Replumbing: make it possible for providers to specify multiple names
This modifies the treatment of algorithm name strings to allow
multiple names separated with colons.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/8985)
NaveenShivanna86 [Wed, 21 Aug 2019 06:28:29 +0000 (11:58 +0530)]
'init_buf' memory can be freed when DTLS is used over SCTP (not over UDP).
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9653)
Dr. Matthias St. Pierre [Thu, 3 Oct 2019 12:20:52 +0000 (14:20 +0200)]
rsa: replace magic number '11' by RSA_PKCS1_PADDING_SIZE
Suggested by Matt Hart
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10084)
Matt Caswell [Thu, 3 Oct 2019 11:44:55 +0000 (12:44 +0100)]
Don't follow legacy path if ctx->pctx is set
EVP_DigestInit_ex forced following of the legacy path if ctx->pctx is
set (meaning we've actually been called via EVP_DigestSignInit_ex).
There is some code in the legacy path that calls the
EVP_PKEY_CTRL_DIGESTINIT ctrl on the pctx. Not going down the legacy path
if ctx->pctx is set means that ctrl message will neve get sent. However,
it turns out that all algs that understand that ctrl also set the
EVP_MD_CTX_FLAG_NO_INIT flag which forces legacy anyway. Therefore the
ctx->pctx check is not required and can be removed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10082)
Matt Caswell [Wed, 2 Oct 2019 09:50:57 +0000 (10:50 +0100)]
Fix no-err
Skip the test_CTX_print_errors in cmp_ctx_test if no-err has been
configured.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10071)
Matt Caswell [Thu, 26 Sep 2019 13:55:00 +0000 (14:55 +0100)]
Free a fetched digest during EVP_MD_CTX_reset() not EVP_MD_free()
Otherwise a mem leak can occur since EVP_MD_free() calls
EVP_MD_CTX_reset() which then clears the contents of the ctx.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10013)
Matt Caswell [Thu, 26 Sep 2019 13:31:56 +0000 (14:31 +0100)]
Don't call EVP_MD_CTX_reset during EVP_DigestFinal
This resets the fields of the EVP_MD_CTX and means we can no longer
make calls using the EVP_MD_CTX, such as to query parameters.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10013)
Matt Caswell [Wed, 25 Sep 2019 10:49:04 +0000 (11:49 +0100)]
Add a test for the newly added md params code
Previous commits added code for routing md related parameters via and
EVP_SIGNATURE implementation during a DigestSign operation. This adds a
test to make sure this works as expected.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10013)
Matt Caswell [Tue, 24 Sep 2019 11:07:48 +0000 (12:07 +0100)]
Update EVP_MD_CTX_get_params() et al to be EVP_DigestSign*() aware
If doing an EVP_DigestSign*() or EVP_DigestVerify*() operation we use
the embedded pctx for communication with the provider. Any MD params need
to use that ctx instead.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10013)
Matt Caswell [Mon, 23 Sep 2019 15:43:08 +0000 (16:43 +0100)]
Update documentation
Add documentation for EVP_DigestSignInit_ex() and
EVP_DigestVerifyInit_ex(), and add an appropriate CHANGES entry.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10013)
Matt Caswell [Tue, 24 Sep 2019 09:23:41 +0000 (10:23 +0100)]
Ensure we look at EVP_MD_CTX_FLAG_KEEP_PKEY_CTX in non-legacy code
This flag is still relevant even for non-legacy code so we should check
it where appropriate.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10013)
Matt Caswell [Mon, 23 Sep 2019 13:36:32 +0000 (14:36 +0100)]
Add EVP_DigestSign/EVP_DigestVerify support for DSA
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10013)
Matt Caswell [Mon, 16 Sep 2019 16:14:21 +0000 (17:14 +0100)]
Add the provider function signatures for DigestSign*
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10013)
Shane Lontis [Thu, 3 Oct 2019 06:05:49 +0000 (16:05 +1000)]
Add rc5 ciphers to default provider
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10006)
Fangming.Fang [Sun, 29 Sep 2019 05:58:19 +0000 (05:58 +0000)]
Add arm64 in test matrix on TravisCI.
Change-Id: I5d2b729699cfd8e80c3df17db4a9d2edcbf64454
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10046)
Christian Heimes [Fri, 27 Sep 2019 09:08:43 +0000 (11:08 +0200)]
doc: EVP_DigestInit clears all flags
Mention that EVP_DigestInit() also clears all flags.
Fixes: 10031
Signed-off-by: Christian Heimes <christian@python.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10032)
Rich Salz [Fri, 27 Sep 2019 17:17:09 +0000 (13:17 -0400)]
Fix errors found by new find-doc-nits
Also patch find-doc-nits to ignore a Microsoft trademark and not
flag it as a spelling error.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10023)
Rich Salz [Wed, 25 Sep 2019 19:39:03 +0000 (15:39 -0400)]
Add wordlist from man7.org
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10023)
Daniil Zotkin [Tue, 24 Sep 2019 08:08:23 +0000 (11:08 +0300)]
Do not print extensions in Certificate message for TLS1.2 and lower
According to RFC8446 CertificateEntry in Certificate message contains
extensions that were not present in the Certificate message in RFC5246.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9994)
Shane Lontis [Wed, 2 Oct 2019 23:29:51 +0000 (09:29 +1000)]
Fix Coverity issues
CID
1453954 &
1453955
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9977)
Michael Osipov [Fri, 27 Sep 2019 07:04:53 +0000 (09:04 +0200)]
Fix long name of some Microsoft objects
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10029)
Richard Levitte [Wed, 2 Oct 2019 15:13:03 +0000 (17:13 +0200)]
doc/man1: fix malformed options
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10073)
Richard Levitte [Wed, 2 Oct 2019 11:16:48 +0000 (13:16 +0200)]
util/find-doc-nits: more precise option and function name checker
The checks for our uses of 'B<' and 'I<' for options, and possibly
function names, was over-reaching quite a bit.
So we fine-tune it a bit:
- by only checking for options in man1 pages, and only in SYNOPSIS
and *OPTIONS sections.
- by only checking for function names in man3 pages.
The man1 option checker has the additional check that options found in
*OPTIONS are also found in SYNOPSIS andd vice versa.
In all cases, this also handles options and function names with
additional markup, such as 'B<-I<cipher>>' and 'B<sk_I<TYPE>_push>'.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10073)
Rich Salz [Tue, 1 Oct 2019 20:15:22 +0000 (16:15 -0400)]
Update "missing documentation" function lists
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10064)
Rich Salz [Sun, 22 Sep 2019 23:49:25 +0000 (19:49 -0400)]
Add '=for comment ifdef' to pod pages
Make find-doc-nits understand that
=for comment ifdef ssl3 ...
in a POD page means that the "-ssl3" flag might be ifdef'd out in the
local environment, and not to complain about it.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9974)
Richard Levitte [Wed, 25 Sep 2019 07:15:42 +0000 (09:15 +0200)]
Make EVP_CIPHER_is_a() work with legacy cipher implementations too
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10008)
Richard Levitte [Wed, 25 Sep 2019 07:07:20 +0000 (09:07 +0200)]
Remove EVP_CIPH_FLAG_DEFAULT_ASN1 from all provided implementations
Since that flag has lost its relevance, don't use it any more.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10008)
Richard Levitte [Wed, 25 Sep 2019 06:56:14 +0000 (08:56 +0200)]
Adapt EVP_CIPHER_{param_to_asn1,asn1_to_param} for use with provider.
So far, these two funtions have depended on legacy EVP_CIPHER
implementations to be able to do their work. This change adapts them
to work with provided implementations as well, in one of two possible
ways:
1. If the implementation's set_asn1_parameters or get_asn1_parameters
function pointers are non-NULL, this is a legacy implementation,
and that function is called.
2. Otherwise, if the cipher doesn't have EVP_CIPH_FLAG_CUSTOM_ASN1
set, the default AlgorithmIdentifier parameter code in libcrypto
is executed.
3. Otherwise, if the cipher is a provided implementation, the ASN1
type structure is converted to a DER blob which is then passed to
the implementation as a parameter (param_to_asn1) or the DER blob
is retrieved from the implementation as a parameter and converted
locally to a ASN1_TYPE (asn1_to_param).
With this, the old flag EVP_CIPH_FLAG_DEFAULT_ASN1 has become
irrelevant and is simply ignored.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10008)
Richard Levitte [Sat, 28 Sep 2019 05:33:38 +0000 (07:33 +0200)]
Make manuals with TYPE conform with man-pages(7)
Details from man-pages(7) that are used:
Formatting conventions for manual pages describing functions
...
Variable names should, like argument names, be specified in italics.
...
Formatting conventions (general)
...
Special macros, which are usually in uppercase, are in bold.
Exception: don't boldface NULL.
...
Furthermore, for TYPE used as a placeholder for types and correponding
part of function names, we extrapolate that it's both a type and a
variable, and should therefore be bold (typical for types and function
names) and italic (typical for variables). POD processors don'e know
this, so we have to help them along. Therefore:
SPARSE_ARRAY_OF(TYPE) => B<SPARSE_ARRAY_OF>(B<I<TYPE>>)
ossl_sa_TYPE_num() => B<ossl_sa_I<TYPE>_num>()
TYPE => B<I<TYPE>>
There are some other less typical uses where one simply has to give
formatting some extra though.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10041)
Richard Levitte [Sat, 28 Sep 2019 06:07:18 +0000 (08:07 +0200)]
Make ASN1 manuals conform with man-pages(7)
Details from man-pages(7) that are used:
Formatting conventions for manual pages describing functions
...
Variable names should, like argument names, be specified in italics.
...
Formatting conventions (general)
...
Special macros, which are usually in uppercase, are in bold.
Exception: don't boldface NULL.
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10042)
Rich Salz [Wed, 25 Sep 2019 19:20:11 +0000 (15:20 -0400)]
Consistent formatting of flags with args
For documentation of all commands with "-flag arg" format them
consistently: "B<-flag> I<arg>", except when arg is literal
(for example "B<-inform> B<PEM>|B<DER>")
Update find-doc-nits to complain if badly formatted strings are found.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10022)
Kurt Roeckx [Sat, 28 Sep 2019 12:59:32 +0000 (14:59 +0200)]
Add defines for __NR_getrandom for all Linux architectures
Fixes: #10015
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
GH: #10044
Richard Levitte [Sat, 28 Sep 2019 06:45:05 +0000 (08:45 +0200)]
Make ASYNC manuals conform with man-pages(7)
Details from man-pages(7) that are used:
Formatting conventions for manual pages describing functions
...
Variable names should, like argument names, be specified in italics.
...
Formatting conventions (general)
...
Special macros, which are usually in uppercase, are in bold.
Exception: don't boldface NULL.
...
Additionally, expanded some lists to make better use of POD formatting.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10043)
Matt Caswell [Fri, 27 Sep 2019 10:24:26 +0000 (11:24 +0100)]
Correct the function names in SSL_CTX_set_stateless_cookie_generate_cb.pod
Although the synopsis used the correct function names, the description did
not. Also the description of the equivalent DTLSv1_listen() callbacks was
missing, so these have been added.
Fixes #10030
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10033)
Paul Yang [Mon, 30 Sep 2019 06:05:31 +0000 (14:05 +0800)]
Fix a bundle of mischecks of return values
Several EVP_PKEY_xxxx functions return 0 and a negative value for
indicating errors. Some places call these functions with a zero return
value check only, which misses the check for the negative scenarios.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10055)
Dr. David von Oheimb [Thu, 19 Sep 2019 13:02:50 +0000 (15:02 +0200)]
Make default values by ERR_get_error_all() and friends more consistent
Unset data defaults to the empty string ("") or 0.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9948)
Paul Yang [Mon, 30 Sep 2019 03:33:24 +0000 (11:33 +0800)]
Fix a return value bug in apps/speed.c
Those functions returns less than and equal to 0 to indicate an error
occured.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10054)
Pauli [Fri, 27 Sep 2019 06:35:45 +0000 (16:35 +1000)]
Consistent naming for context gettable param queries .
All instances of EVP_*_CTX_gettable_params functions have been renamed
to EVP_*_gettable_ctx_params. Except for the EVP_MD ones which were changed
already.
These functions do not take EVP_*_CTX arguments so their prior naming was
misleading.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10052)
Richard Levitte [Sun, 29 Sep 2019 08:32:04 +0000 (10:32 +0200)]
Make relevant tests more sensitive to 'no-fips'
This applies to test/recipes/30-test_evp.t and
test/recipes/30-test_evp_fetch_prov.t.
Additionally, we make test/recipes/30-test_evp_fetch_prov.t data
driven, to make test number planning more automated, and to separate
what is unique from what is common to all the test cases.
[extended tests]
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10047)
Paul Yang [Thu, 26 Sep 2019 02:57:23 +0000 (10:57 +0800)]
Fix a document description in apps/req
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9958)
Paul Yang [Fri, 20 Sep 2019 16:32:57 +0000 (00:32 +0800)]
Fix a double free issue when signing SM2 cert
If the SM2 ID value has not been passed correctly when signing an SM2
certificate/certificate request, a double free occurs. For instance:
openssl req -x509 ... -sm2-id
1234567812345678
The '-sm2-id' should not be used in this scenario, while the '-sigopt' is
the correct one to use. Documentation has also been updated to make the
options more clear.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9958)
Dr. Matthias St. Pierre [Fri, 27 Sep 2019 22:46:00 +0000 (00:46 +0200)]
Add util/fix-includes script
This script contains all adjustments to header files which were made
during the reorganization of the header files. It is meant as an aid
for other contributors which encounter preprocessor #include errors
after rebasing over this pull request. Simply running
util/fix-includes
from the root of the source directory should hopefully fix the problem.
Note: such #include errors are expected only for pull requests which
add a lot of new code, in particular new compilation modules.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)
Dr. Matthias St. Pierre [Fri, 27 Sep 2019 22:46:00 +0000 (00:46 +0200)]
Add legacy include guards to public header files
For every public header file, the old include guard definition needs
to be added in addition to the new one
include/openssl/file.h:
#ifndef OPENSSL_FILE_H
# define OPENSSL_FILE_H
# pragma once
# include <openssl/macros.h>
# if !OPENSSL_API_3
# define HEADER_FILE_H
# endif
...
This is going to ensure that applications which use the old include guards
externally, for example like this
#ifndef HEADER_FILE_H
# include <openssl/file.h>
#endif
will not fail to compile.
In addition to the legacy guard, the public header files also receive a
'# pragma once' directive.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)
Dr. Matthias St. Pierre [Fri, 27 Sep 2019 22:45:57 +0000 (00:45 +0200)]
Fix header file include guard names
Make the include guards consistent by renaming them systematically according
to the naming conventions below
For the public header files (in the 'include/openssl' directory), the guard
names try to match the path specified in the include directives, with
all letters converted to upper case and '/' and '.' replaced by '_'. For the
private header files files, an extra 'OSSL_' is added as prefix.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)
Dr. Matthias St. Pierre [Fri, 27 Sep 2019 22:45:46 +0000 (00:45 +0200)]
Reorganize public header files (part 2)
Add an <openssl/ossl_typ.h> compatibility header.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)
Dr. Matthias St. Pierre [Fri, 27 Sep 2019 22:45:46 +0000 (00:45 +0200)]
Reorganize public header files (part 1)
Rename <openssl/ossl_typ.h> to <openssl/types.h>.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)
Dr. Matthias St. Pierre [Fri, 27 Sep 2019 22:45:40 +0000 (00:45 +0200)]
Reorganize local header files
Apart from public and internal header files, there is a third type called
local header files, which are located next to source files in the source
directory. Currently, they have different suffixes like
'*_lcl.h', '*_local.h', or '*_int.h'
This commit changes the different suffixes to '*_local.h' uniformly.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)
Dr. Matthias St. Pierre [Fri, 27 Sep 2019 22:45:33 +0000 (00:45 +0200)]
Reorganize private crypto header files
Currently, there are two different directories which contain internal
header files of libcrypto which are meant to be shared internally:
While header files in 'include/internal' are intended to be shared
between libcrypto and libssl, the files in 'crypto/include/internal'
are intended to be shared inside libcrypto only.
To make things complicated, the include search path is set up in such
a way that the directive #include "internal/file.h" could refer to
a file in either of these two directoroes. This makes it necessary
in some cases to add a '_int.h' suffix to some files to resolve this
ambiguity:
#include "internal/file.h" # located in 'include/internal'
#include "internal/file_int.h" # located in 'crypto/include/internal'
This commit moves the private crypto headers from
'crypto/include/internal' to 'include/crypto'
As a result, the include directives become unambiguous
#include "internal/file.h" # located in 'include/internal'
#include "crypto/file.h" # located in 'include/crypto'
hence the superfluous '_int.h' suffixes can be stripped.
The files 'store_int.h' and 'store.h' need to be treated specially;
they are joined into a single file.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)
Dr. Matthias St. Pierre [Thu, 22 Aug 2019 15:33:38 +0000 (17:33 +0200)]
Add legacy include guard manually to opensslconf.h.in
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)
Richard Levitte [Sat, 28 Sep 2019 03:48:54 +0000 (05:48 +0200)]
Funtion name with variable part in doc/man7/ and doc/internal/man3/
We have a few pages where part of function names can be considered
variable. There are no normative guidelines for such a case, but if
we draw from the formatting convention of variable and argument names,
we can draw the conclusion that this variable part should be italized,
within already given conventions. In other words, we need to help the
POD processor along in cases like these:
SPARSE_ARRAY_OF(TYPE)
ossl_sa_TYPE_num()
These need explicit formatting:
B<SPARSE_ARRAY_OF>(I<TYPE>)
B<ossl_sa_I<TYPE>_num>()
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10034)
Richard Levitte [Fri, 27 Sep 2019 11:26:22 +0000 (13:26 +0200)]
Make doc/man7/ and doc/internal/man3/ conform with man-pages(7)
It's all in the details, from man-pages(7):
Formatting conventions for manual pages describing functions
...
Variable names should, like argument names, be specified in italics.
...
Formatting conventions (general)
...
Special macros, which are usually in uppercase, are in bold.
Exception: don't boldface NULL.
...
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10034)
Robbie Harwood [Tue, 10 Sep 2019 21:46:44 +0000 (17:46 -0400)]
[KDF] Add KBKDF implementation for counter-mode HMAC
Implement SP800-108 section 5.1 with HMAC intended for use in Kerberos.
Add test vectors from RFC 8009.
Adds error codes PROV_R_INVALID_MAC and PROV_R_MISSING_MAC.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9924)
Richard Levitte [Thu, 26 Sep 2019 05:45:33 +0000 (07:45 +0200)]
OSSL_PARAM functions: change to allow the data field to be NULL
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10025)
Richard Levitte [Thu, 26 Sep 2019 05:42:06 +0000 (07:42 +0200)]
OSSL_PARAM.pod: document the mechanism to figure out buffer sizes
When requesting parameters, it's acceptable to make a first pass with
the |data| field of some parameters being NULL. That can be used to
help the requestor to figure out dynamically what buffer size is
needed. For variable size parameters, there's no other way to find
out.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10025)
Dr. David von Oheimb [Sat, 10 Aug 2019 12:07:22 +0000 (14:07 +0200)]
Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712)
CMP and CRMF API is added to libcrypto, and the "cmp" app to the openssl CLI.
Adds extensive man pages and tests. Integration into build scripts.
Incremental pull request based on OpenSSL commit
8869ad4a39f of 2019-04-02
4th chunk: CMP context/parameters and utilities
in crypto/cmp/cmp_ctx.c, crypto/cmp/cmp_util.c, and related files
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9107)
Pauli [Tue, 10 Sep 2019 08:05:57 +0000 (18:05 +1000)]
Reformat param description lines
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10024)
Pauli [Thu, 26 Sep 2019 02:14:00 +0000 (12:14 +1000)]
Make OSSL_PARAM descriptions uniformly formatted.
=item B<MACRO> ("name") <type>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10024)
Richard Levitte [Mon, 19 Aug 2019 06:55:53 +0000 (08:55 +0200)]
When building of modules is disabled, build the legacy provider into libcrypto
This makes the legacy provider available regardless of building conditions.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9637)
Richard Levitte [Mon, 19 Aug 2019 06:54:00 +0000 (08:54 +0200)]
Configure, build.info: make it possible to use variables in indexes
That will make it possible to assign different goals for translation
units depending on need.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9637)
Rich Salz [Tue, 24 Sep 2019 15:32:01 +0000 (11:32 -0400)]
Ensure man1 POD files start with openssl-
Commit
b6b66573 (PR #9679) renamed most POD files. This change causes
find-doc-nits to flag misnamed files.
Also fix the two misnamed files that it found.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10000)
Fangming.Fang [Thu, 26 Sep 2019 02:14:54 +0000 (12:14 +1000)]
Missing else in cipher_hw_aes_ocb_generic_initkey
This came from commit
3837c202 "Add aes_ocb cipher to providers". It
causes the default non-hardware accelerated AES implementation to be
used even if HWAES_CAPABLE is set. Affects all platforms except X86 and
SPARC.
Patch by: Nick Gasson <Nick.Gasson@arm.com>
Change-Id: I26001a3a922ff23f6090fdcefefaecf68e92e2a6
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10012)
Pauli [Wed, 25 Sep 2019 10:43:03 +0000 (20:43 +1000)]
Use OSSL_PARAM types. Limits are explained in the description where appropriate.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10011)
Pauli [Wed, 25 Sep 2019 10:42:42 +0000 (20:42 +1000)]
Use OSSL_PARAM types. Limits are explained in the description where appropriate.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10011)
Pauli [Wed, 25 Sep 2019 10:30:09 +0000 (20:30 +1000)]
KDF section 3 clean up
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10011)
Pauli [Wed, 25 Sep 2019 10:27:36 +0000 (20:27 +1000)]
Use OSSL_PARAM types for MAC documentation
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10011)
Pauli [Wed, 25 Sep 2019 10:27:27 +0000 (20:27 +1000)]
Use OSSL_PARAM types for KDF documentation
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10011)
Patrick Steuer [Thu, 19 Sep 2019 13:31:27 +0000 (15:31 +0200)]
s390x assembly pack: accelerate X25519, X448,
Ed25519 and Ed448
using PCC and KDSA instructions.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10004)
Patrick Steuer [Tue, 24 Sep 2019 12:44:27 +0000 (14:44 +0200)]
s390x assembly pack: cleanse only sensitive fields
of instruction parameter blocks.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10004)
Patrick Steuer [Tue, 24 Sep 2019 21:20:00 +0000 (23:20 +0200)]
s390x assembly pack: fix OPENSSL_s390xcap z15 cpu mask
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10004)
Patrick Steuer [Tue, 24 Sep 2019 21:03:19 +0000 (23:03 +0200)]
s390x assembly pack: fix msa3 stfle bit detection
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10004)
Matt Caswell [Tue, 24 Sep 2019 14:17:15 +0000 (15:17 +0100)]
Make EVP_MD_CTX_[gettable|settable]_params() take an EVP_MD_CTX
EVP_MD_CTX_gettable_params() and EVP_MD_CTX_settable_params() were
confusingly named because they did not take an EVP_MD_CTX parameter.
In addition we add the functions EVP_MD_gettable_ctx_params() and
EVP_MD_settable_ctx_params() which do the same thing but are passed
an EVP_MD object instead.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9998)
Pauli [Sun, 22 Sep 2019 00:49:10 +0000 (10:49 +1000)]
Remove the engine parameter from the provider MAC documentations
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9971)
Pauli [Sun, 22 Sep 2019 00:48:40 +0000 (10:48 +1000)]
Remove the engine parameter from the individual MAC documentation
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9971)
Pauli [Sun, 22 Sep 2019 00:46:54 +0000 (10:46 +1000)]
Remove engine param from EVP_KDF and EVP_MAC documentation
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9971)
Pauli [Sun, 22 Sep 2019 00:45:07 +0000 (10:45 +1000)]
Remove engine param from the settable list
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9971)
Pauli [Sun, 22 Sep 2019 00:43:08 +0000 (10:43 +1000)]
Remove engine param macros from wrapper APIs
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9971)
Pauli [Sun, 22 Sep 2019 00:39:17 +0000 (10:39 +1000)]
Make the "engine" parameter to some provider algorithms (KDF/PRF) hidden.
This parameter will disappear once engines are wrapped by a provider so
it shouldn't ever be visible to the public.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9971)
Shane Lontis [Wed, 25 Sep 2019 00:46:39 +0000 (10:46 +1000)]
Add rc4 cipher to default provider
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9992)
Richard Levitte [Tue, 24 Sep 2019 11:23:38 +0000 (13:23 +0200)]
DOC: fix documentation of som EVP_MD_CTX functions
They were documented to take an EVP_MD pointer, when they really take
an EVP_MD_CTX pointer.
Fixes #9993
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9996)
Rich Salz [Mon, 23 Sep 2019 16:29:20 +0000 (12:29 -0400)]
Fix bugs in "info" commands flags
Remove -c/-e/-m aliases, OpenSSL commands don't do that.
Fix typo's in the documentation.
Fix -module flag to print the right thing.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9986)
jayaram [Mon, 23 Sep 2019 10:44:56 +0000 (16:14 +0530)]
fix for dsa key size feature request issue: pkey -text or -text_pub should show dsa key size
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9983)
Dmitry Belyavskiy [Wed, 21 Aug 2019 15:28:48 +0000 (18:28 +0300)]
Support printing out some otherName variants
The supported variants are
- SmtpUTF8Name
- xmppAddr
- MS UPN
- SRVName
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9965)
Simo Sorce [Thu, 19 Sep 2019 17:51:34 +0000 (13:51 -0400)]
Add SSKDF test vectors from RFC 8636
RFC 8636 defines the Pkinit Agility KDF, which turns out to be just a
standard SSKDF with the Info built out of the ASN.1 option of SP 800 56A
(See 5.8.2.1.2 of NIST SP 800-56A Rev. 3)
RFC 8636 Also defines test vectors, so let's add them in addition to the
tests from "non-official" test vectors.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9957)