Fixed linux_x86_icc compiler errors in EC code related to __uint128_t/__int128_t
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8697)
Jakub Wilk [Wed, 10 Apr 2019 10:00:20 +0000 (12:00 +0200)]
Fix typos
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8714)
Richard Levitte [Thu, 4 Apr 2019 23:22:14 +0000 (01:22 +0200)]
EVP_*Update: ensure that input NULL with length 0 isn't passed
Even with custome ciphers, the combination in == NULL && inl == 0
should not be passed down to the backend cipher function. The reason
is that these are the values passed by EVP_*Final, and some of the
backend cipher functions do check for these to see if a "final" call
is made.
Fixes #8675
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8676)
Paul Yang [Mon, 1 Apr 2019 01:21:53 +0000 (10:21 +0900)]
Make X509_set_sm2_id consistent with other setters
This commit makes the X509_set_sm2_id to 'set0' behaviour, which means
the memory management is passed to X509 and user doesn't need to free
the sm2_id parameter later. API name also changes to X509_set0_sm2_id.
Document and test case are also updated.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8626)
Richard Levitte [Tue, 9 Apr 2019 06:31:09 +0000 (08:31 +0200)]
Params API: {utf8,octet}_ptr need to know the data size
When the purpose is to pass parameters to a setter function, that
setter function needs to know the size of the data passed. This
remains true for the pointer data types as well.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8703)
Matt Caswell [Mon, 8 Apr 2019 10:22:37 +0000 (11:22 +0100)]
Fix crash in X509_STORE_CTX_get_by_subject
If using a custom X509_LOOKUP_METHOD then calls to
X509_STORE_CTX_get_by_subject may crash due to an incorrectly initialised
X509_OBJECT being passed to the callback get_by_subject function.
Fixes #8673
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8698)
Matt Caswell [Wed, 20 Mar 2019 17:51:29 +0000 (17:51 +0000)]
Use the right NID when putting a method in the store
When we attempt to fetch a method with a given NID we will ask the
providers for it if we don't already know about it. During that process
we may be told about other methods with a different NID. We need to
make sure we don't confuse the two.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8541)
Richard Levitte [Tue, 9 Apr 2019 07:49:58 +0000 (09:49 +0200)]
Params: add OSSL_PARAM_construct_end()
OSSL_PARAM_END is a macro that can only be used to initialize an
OSSL_PARAM array, not to assign an array element later on. For
completion, we add an end constructor to facilitate that kind of
assignment.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8704)
Pauli [Mon, 8 Apr 2019 04:28:59 +0000 (14:28 +1000)]
Avoid alignment problems in params API.
Using a byte buffer causes problems for device that don't handle unaligned
reads. Instead use the properly aligned variable that was already pointed at.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8696)
Dan Campbell [Thu, 4 Apr 2019 21:15:33 +0000 (15:15 -0600)]
s_client starttls: fix handling of multiline reply
Fixes #8645
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8654)
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8691)
Patrick Steuer [Sun, 7 Apr 2019 11:48:15 +0000 (13:48 +0200)]
fix --strict-warnings build
ISO C90 forbids specifying subobject to initialize
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8693)
Patrick Steuer [Sun, 7 Apr 2019 11:30:26 +0000 (13:30 +0200)]
fix --strict-warnings build
C++ style comments are not allowed in ISO C90
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8693)
Coverity: fix two minor NPD issues.
Found by Coverity.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8274)
Richard Levitte [Fri, 5 Apr 2019 08:46:18 +0000 (10:46 +0200)]
EVP_set_default_properties(): New function to set global properties
EVP_MD_fetch() can be given a property query string. However, there
are cases when it won't, for example in implicit fetches. Therefore,
we also need a way to set a global property query string to be used in
all subsequent fetches. This also applies to all future algorithm
fetching functions.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8681)
Richard Levitte [Fri, 5 Apr 2019 09:20:28 +0000 (11:20 +0200)]
Convert the ENGINE_CONF trace calls to use CONF instead
Additionally, merge ENGINE_CONF into CONF.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8680)
Richard Levitte [Fri, 5 Apr 2019 09:02:17 +0000 (11:02 +0200)]
Add a bit of tracing in the core conf module runner
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8680)
Richard Levitte [Fri, 5 Apr 2019 08:58:16 +0000 (10:58 +0200)]
Rename the PROVIDER_CONF trace to CONF
Other configuration modules may have use for tracing, and having one
tracing category for each of them is a bit much. Instead, we make one
category for them all.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8680)
It was assumed that the config functionality returned a boolean.
However, it may return a negative number on error, so we need to take
that into account.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8679)
Pauli [Mon, 1 Apr 2019 00:04:57 +0000 (10:04 +1000)]
Move the AES-XTS mode duplicated key check into the init_key function rather
than the update call. The means an earlier error return at the cost of some
duplicated code.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8625)
Matt Caswell [Wed, 3 Apr 2019 08:44:41 +0000 (09:44 +0100)]
Skip the correct number of tests if SM2 is disabled
Fixes no-sm2 (and also no-sm3 and no-ec)
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8650)
Richard Levitte [Thu, 4 Apr 2019 10:35:47 +0000 (12:35 +0200)]
For provider tests, don't define a OPENSSL_NO_ macro
Since the macro to indicate if the test provider module is available
is local to the test programs, it's better to use a name that isn't
as easily confused with a library feature disabling macro that one
would expect to find in opensslconf.h.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8664)
Tomas Mraz [Thu, 21 Mar 2019 12:17:29 +0000 (13:17 +0100)]
Use AI_ADDRCONFIG hint with getaddrinfo if available.
This prevents failure of openssl s_server socket binding to wildcard
address on hosts with disabled IPv6.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8550)
Richard Levitte [Wed, 20 Mar 2019 15:53:19 +0000 (16:53 +0100)]
Replumbing: add a configuration module for providers
This configuration module supports a configuration structure pretty
much like the engine configuration module, i.e. something like this:
openssl_conf = openssl_init
[openssl_init]
providers = provider_section
[provider_section]
# Configure the provider named "foo"
foo = foo_section
# Configure the provider named "bar"
bar = bar_section
[foo_section]
# Override name given in the provider section
identity = myfoo
# The exact path of the module. This is platform specific
module_path = /opt/openssl/modules/foo.so
# Whether it should be automatically activated. Value is unimportant
activate = whatever
# Anything else goes as well, and becomes parameters that the
# provider can get
what = 1
# sub-sections will be followed as well
ever = ever_section
[ever_section]
cookie = monster
All the configurations in a provider section and its sub-sections
become parameters for the provider to get, i.e. the "foo" provider
will be able to get values for the following keys (with associated
values shown):
Richard Levitte [Thu, 21 Mar 2019 07:44:06 +0000 (08:44 +0100)]
Replumbing: add functionality to set provider parameters
Provider parameters are parameters set by the core that the provider
can retrieve. The primary use it to support making OpenSSL
configuration data available to the provider.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8549)
rand_win.c: loosen version requirements for BCryptGenRandom
BCryptGenRandom() is available for Windows Vista and newer versions, see
https://docs.microsoft.com/en-us/windows/desktop/api/bcrypt/nf-bcrypt-bcryptgenrandom
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8639)
Richard Levitte [Sun, 31 Mar 2019 13:26:26 +0000 (15:26 +0200)]
Correct the checks of module availability in provider test programs
Previously, the macro OPENSSL_NO_SHARED was defined of the test/p_test
module wasn't built, but the provider test programs didn't check that
macro. We rename it to OPENSSL_NO_MODULE, since that name describes
the situation more than OPENSSL_NO_SHARED does, and use it.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8623)
Richard Levitte [Sun, 31 Mar 2019 13:17:58 +0000 (15:17 +0200)]
Configuration / build: make it possible to disable building of modules
While we're at it, sort out inconsistencies with the build of modules:
- not building shared libraries means not building dynamic engines.
However, other modules may still be built.
- not having DSO functionality doesn't mean not to build modules (even
though we can't use them from apps linked with libraries that are
built this way).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8623)
Richard Levitte [Sun, 31 Mar 2019 13:14:00 +0000 (15:14 +0200)]
Build cleanup: don't use SHARED_SOURCE with modules
SHARED_SOURCE is reserved for products that are expected to come in
dual shared / non-shared form, i.e. the routine libraries like
libcrypto and libssl, to distinguish source that should only appear in
their shared form.
Modules are always shared, so there's no need for them to have this
type of distinction.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8623)
Boris Pismenny [Thu, 21 Feb 2019 14:39:36 +0000 (16:39 +0200)]
ssl: Linux TLS Rx Offload
This patch adds support for the Linux TLS Rx socket option.
It completes the previous patch for TLS Tx offload.
If the socket option is successful, then the receive data-path of the TCP
socket is implemented by the kernel.
We choose to set this option at the earliest - just after CCS is complete.
Change-Id: I59741e04d89dddca7fb138e88fffcc1259b30132 Signed-off-by: Boris Pismenny <borisp@mellanox.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7848)
Richard Levitte [Sun, 31 Mar 2019 14:15:02 +0000 (16:15 +0200)]
Rework DSO API conditions and configuration option
'no-dso' is meaningless, as it doesn't get any macro defined.
Therefore, we remove all checks of OPENSSL_NO_DSO. However, there may
be some odd platforms with no DSO scheme. For those, we generate the
internal macro DSO_NONE aand use it.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/#8622)
Pauli [Sat, 30 Mar 2019 01:22:51 +0000 (11:22 +1000)]
issue-8493: Fix for filenames with newlines using openssl dgst
The output format now matches coreutils *dgst tools.
[ edited to remove trailing white space ]
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8578)
Paul Yang [Wed, 13 Mar 2019 09:22:31 +0000 (17:22 +0800)]
Add documents for SM2 cert verification
This follows #8321 which added the SM2 certificate verification feature.
This commit adds the related docs - the newly added 2 APIs and options
in apps/verify.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8465)
trace: apps/openssl: print the correct category name
Previously, if the openssl application was run with OPENSSL_TRACE=any,
all trace output would just show 'ANY' as the category name, which was
not very useful. To get the correct category name printed in the trace
output, the openssl application now registers separate channels for
each category.
The trace API is unchanged, it is still possible for an application to
register a single channel for the 'ANY' category to see all outputt,
if it does not need this level of detail.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8552)
When OSSL_trace_get_category_num() is called with an unknown category
name, it returns -1. This case needs to be considered in order to
avoid out-of-bound memory access to the `trace_channels` array.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8552)
Partially reverts d33d76168fb7 Don't fail when tracing is disabled
Commit d33d76168fb7 fixed the problem that the initialization of
libcrypto failed when tracing was disabled, because the unoperational
ossl_trace_init() function returned a failure code. The problem was
fixed by changing its return value from failure to success.
As part of the fix the return values of other unimplemented trace API
functions (like OSSL_trace_set_channel(),OSSL_trace_set_callback())
was changed from failure to success, too. This change was not necessary
and is a bit problematic IMHO, because nobody expects an unimplemented
function to pretend it succeeded.
It's the application's duty to handle the case correctly when the trace
API is not enabled (i.e., OPENSSL_NO_TRACE is defined), not the API's job
to pretend success just to prevent the application from failing.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8552)
Patrick Steuer [Fri, 22 Mar 2019 23:03:24 +0000 (00:03 +0100)]
s390x assembly pack: import poly from cryptogams repo
>=20% faster than present code.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8560)
Richard Levitte [Tue, 19 Mar 2019 13:43:31 +0000 (14:43 +0100)]
Windows, VMS: build fixes
The naming of generated assembler wasn't done quite right. There are
assembler files that are generated from a perl script, and there are
those who are not. Only the former must be renamed to the platform
specific asm extension.
Furthermore, we need to make sure that 'OSSL_provider_init' isn't case
sensitive on VMS, to allow for the least surprise for provider
builders.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8529)
Pauli [Fri, 29 Mar 2019 08:19:19 +0000 (18:19 +1000)]
It isn't necessary to initialise a struct stat before a stat(2) system call.
The initialisation was also flawed, failing to account for padding and
alignment bytes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8611)
Pauli [Fri, 29 Mar 2019 07:46:11 +0000 (17:46 +1000)]
Clear seed source structures.
If the structures have empty padding bytes, ensure they are zeroed.
These structures are added to seed pools as complete blocks including
any padding and alignment bytes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8610)
Soujyu Tanaka [Wed, 27 Mar 2019 08:30:47 +0000 (17:30 +0900)]
For the lack of GetModuleHandleEx(), we use DSO route for WinCE.
Revert win32_pathbyaddr() which is used in DSO_dsobyaddr().
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8596)
Soujyu Tanaka [Wed, 27 Mar 2019 07:21:58 +0000 (16:21 +0900)]
Circumvent a problem of lacking GetEnvironmentVariable() in WindowsCE.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8596)
Soujyu Tanaka [Wed, 27 Mar 2019 07:15:31 +0000 (16:15 +0900)]
Avoid linking error for InitializeCriticalSectionAndSpinCount().
Replace it with InitializeCriticalSection()
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8596)
Soujyu Tanaka [Wed, 27 Mar 2019 06:55:32 +0000 (15:55 +0900)]
Avoid linking error on WCE700 for _InterlockedExchangeAdd().
This implementation is referenced to https://www.boost.org/doc/libs/1_69_0/boost/detail/interlocked.hpp
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8596)
Pauli [Fri, 29 Mar 2019 07:50:48 +0000 (17:50 +1000)]
Add the FIPS related continuous random number generator (CRNG) testing.
Refer to FIPS 140-2 section 4.9.2 Conditional Tests for details.
The check is fairly simplistic, being for the entropy sources to not feed
the DRBG the same block of seed material twice in a row. Only the first
DRBG in a chain is subject to this check, latter DRBGs are assumed to be
safely seeded via the earlier DRBGs.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8599)
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8540)
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8540)
Shane Lontis [Sun, 24 Mar 2019 23:52:28 +0000 (09:52 +1000)]
Fixed unmatched BN_CTX_start/end if an invalid exponent is used.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8569)
projects / openssl / log