Commit Graph

3304 Commits

Author SHA1 Message Date
Shane Lontis
90a1f2d76f Add libctx support to PKCS7.
-Public PKCS7 methods that create a PKCS7 object now have variants that also add a libctx and propq.
 This includes PKCS7_new_with_libctx(), PKCS7_sign_with_libctx() and PKCS7_encrypt_with_libctx()
-Added SMIME_read_PKCS7_ex() so that a created PKCS7 object can be passed to the read.
-d2i_PKCS7_bio() has been modified so that after it loads the PKCS7 object it then resolves any subobjects that require
 the libctx/propq (such as objects containing X509 certificates).

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11884)
2020-08-09 17:34:52 +10:00
Shane Lontis
c1669f41ea Add libctx support to CMS.
-Public CMS methods that create a CMS_ContentInfo object now have variants that also add a libctx and propq.
 This includes CMS_ContentInfo_new_with_libctx(), CMS_sign_with_libctx(), CMS_data_create_with_libctx(),
 CMS_digest_create_with_libctx(), CMS_EncryptedData_encrypt_with_libctx(), CMS_EnvelopedData_create_with_libctx().
-Added CMS_ReceiptRequest_create0_with_libctx().
-Added SMIME_read_CMS_ex() so that a new CMS_ContentInfo object (created using CMS_ContentInfo_new_with_libctx()) can
be passed to the read.
-d2i_CMS_bio() has been modified so that after it loads the CMS_ContentInfo() it then resolves any subobjects that require
 the libctx/propq (such as objects containing X509 certificates).

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11884)
2020-08-09 17:34:52 +10:00
Jon Spillett
c5ec6dcf0b Add new APIs to get PKCS12 secretBag OID and value
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10063)
2020-08-07 07:59:48 +10:00
Sahana Prasad
15c9aa3aef apps/pkcs12: Change defaults from RC2 to PBES2 with PBKDF2
Fixes #11672

Add "-legacy" option to load the legacy provider and
fall back to the old legacy default algorithms.

doc/man1/openssl-pkcs12.pod.in: updates documentation about the new
"-legacy" option

Signed-off-by: Sahana Prasad <sahana@redhat.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12540)
2020-08-06 18:03:29 +02:00
Dr. David von Oheimb
ebc1e8fc4e openssl-cmp.pod.in: Update and extend example using Insta Demo CA
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12534)
2020-08-04 12:11:46 +02:00
Dr. David von Oheimb
aff8c0a411 Fix error message on setting cert validity period in apps/cmp.c
Fixes #12268

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12296)
2020-08-04 09:17:47 +02:00
Dr. David von Oheimb
57c05c57c3 apps: Correct and extend diagnostics of parse_name()
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12296)
2020-08-04 09:17:47 +02:00
Dr. David von Oheimb
8f7e897995 apps/cmp.c: Defer diagnostic output on server+proxy to be contacted
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12296)
2020-08-04 09:17:47 +02:00
Dr. David von Oheimb
1202de4481 Add OSSL_CMP_MSG_write(), use it in apps/cmp.c
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12421)
2020-07-30 20:14:51 +02:00
Dr. David von Oheimb
fafa56a14f Export ossl_cmp_msg_load() as OSSL_CMP_MSG_read(), use it in apps/cmp.c
Fixes #12403

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12421)
2020-07-30 20:14:49 +02:00
Dr. David von Oheimb
87d20a9651 apps/cmp.c: Improve documentation of -recipient option
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12421)
2020-07-30 20:10:07 +02:00
Pauli
a3f15e237c deserialisation: add deserialisation to the base provider
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12104)
2020-07-30 20:15:59 +10:00
Pauli
dfc0857d81 serialisation: Add a built-in base provider.
Move the libcrypto serialisation functionality into a place where it can
be provided at some point. The serialisation still remains native in the
default provider.

Add additional code to the list command to display what kind of serialisation
each entry is capable of.

Having the FIPS provider auto load the base provider is a future
(but necessary) enhancement.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12104)
2020-07-30 20:15:22 +10:00
Pauli
aa97970c1a unify spelling of serialize
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12104)
2020-07-30 20:15:22 +10:00
Dr. David von Oheimb
ef8980176d Deprecate -nodes in favor of -noenc in pkcs12 and req app
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12495)
2020-07-28 09:17:56 +02:00
Shane Lontis
6725682d77 Add X509 related libctx changes.
- In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx().
- Loading via PEM_read_bio_X509() or d2i_X509() should pass in a created cert using X509_new_with_libctx().
- Renamed some XXXX_ex() to XXX_with_libctx() for X509 API's.
- Removed the extra parameters in check_purpose..
- X509_digest() has been modified so that it expects a const EVP_MD object() and then internally it does the fetch when it needs to (via ASN1_item_digest_with_libctx()).
- Added API's that set the libctx when they load such as X509_STORE_new_with_libctx() so that the cert chains can be verified.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12153)
2020-07-24 22:53:27 +10:00
Shane Lontis
ae89578be2 Test RSA oaep in fips mode
Added RSA oaep test that uses the pkeyutl application.
Added an openssl application option to support loading a (fips) provider via the '-config' option.
Added openssl application related environment variable 'OPENSSL_TEST_LIBCTX' (for testing purposes only),
that creates a non default library context.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11948)
2020-07-23 17:40:40 +10:00
Pauli
41bbba5375 EVP: deprecate the EVP_X_meth_ functions.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11082)
2020-07-22 20:19:01 +10:00
gujinqiang
1d864f0f53 Specific the engine pointer
CLA: trivial

I found that when I wanted to use an engine by the option-engine XXX , it didn't work. Checking the code, I guess it missed the engine pointer when calling EVP_CipherInit_ex.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12475)
2020-07-22 10:37:49 +03:00
Dr. David von Oheimb
bf19b64aae Fix UI method setup, which should be independent of (deprecated) engine use
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12422)
2020-07-22 07:27:42 +02:00
Nihal Jere
7e4f01d8ba fixed swapped parameter descriptions for x509
CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12482)
2020-07-21 10:32:13 +03:00
Shane Lontis
9f7bdcf37f Add ERR_raise() errors to fips OSSL_provider_init and self tests.
As the ERR_raise() is setup at this point returng a range of negative values for errors is not required.
This will need to be revisited if the code ever moves to running from the DEP.
Added a -config option to the fips install so that it can test if a fips module is loadable from configuration.
(The -verify option only uses the generated config, whereas -config uses the normal way of including the generated data via another config file).
Added more failure tests for the raised errors.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12346)
2020-07-21 16:30:02 +10:00
Dr. David von Oheimb
1337a3a998 Constify X509_check_akid and prefer using X509_get0_serialNumber over X509_get_serialNumber
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12375)
2020-07-16 15:48:53 +02:00
Matt Caswell
660c534435 Revert "kdf: make function naming consistent."
The commit claimed to make things more consistent. In fact it makes it
less so. Revert back to the previous namig convention.

This reverts commit 765d04c946.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12186)
2020-07-16 14:21:07 +02:00
Matt Caswell
865adf97c9 Revert "The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_*"
The commit claimed to make things more consistent. In fact it makes it
less so. Revert back to the previous namig convention.

This reverts commit d9c2fd51e2.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12186)
2020-07-16 14:21:07 +02:00
Pauli
ad8fc6f626 apps: deprecate engines
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
2020-07-16 09:12:27 +02:00
Pauli
0a684b09d8 apps/list: deprecate engine support
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
2020-07-16 09:12:26 +02:00
Todd Short
8c2bfd2512 Add SSL_get[01]_peer_certificate()
Deprecate SSL_get_peer_certificte() and replace with
SSL_get1_peer_certificate().
Add SSL_get0_peer_certificate.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/8730)
2020-07-16 09:08:21 +02:00
Shane Lontis
e45d943665 Add FIPS related configuration data to the default openssl application configuration file
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12333)
2020-07-15 23:20:32 +02:00
Rich Salz
5744dacb3a Make -provider_name and -section_name optional
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12311)
2020-07-15 23:17:29 +02:00
Rich Salz
d3b243d15b Use defaults FIPSKEY if not given on command line
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12311)
2020-07-15 23:17:29 +02:00
Nicola Tuveri
466d30c0d7 [apps/genpkey] exit status should not be 0 on output errors
If the key is to be serialized or printed as text and the framework
returns an error, the app should signal the failure to the user using
a non-zero exit status.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12305)
2020-07-06 19:15:36 +03:00
Pauli
c996f71bab apps: remove NULL check imn release_engine since ENGINE_free also does it.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12309)
2020-07-05 13:20:09 +10:00
Pauli
9283e9bd11 cmp: remove NULL check.
Instead appease coverity by marking 1464986 as a false positive.
Coverity is confused by the engine reference counting.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12309)
2020-07-05 13:20:09 +10:00
Matt Caswell
ca3245a619 If an empty password is supplied still try to use it
If an empty password was supplied we ignored it and were trying to use
the fallback method to read the password instead (i.e. read from stdin).
However if that failed (which it always does if the cmp option -batch is
used) then we were reporting that we had successfully read the password
without actually setting one.

Instead, if an empty password is explicitly provided we should use it. If
no password is supplied explicitly and we have no fallback method then we
assume the empty password.

[extended tests]

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12275)
2020-07-03 17:20:38 +01:00
Dr. David von Oheimb
ade08735f9 Improve documentation, layout, and code comments regarding self-issued certs etc.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)
2020-07-01 11:14:54 +02:00
Benny Baumann
2c9ba46c90 Force ssl/tls protocol flags to use stream sockets
Prior to this patch doing something like
  openssl s_client -dtls1 -tls1 ...
could cause s_client to speak TLS on a UDP socket
which does not normally make much sense.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12266)
2020-06-30 11:12:59 +10:00
Rich Salz
3121425830 Add --fips-key configuration parameter to fipsinstall application.
Change default FIPS HMAC KEY from all-zero's
Use default FIPSKEY if not given on command line.
Make all -macopt in fipsinstall optional
Make all tests, except fipsinstall, use the default -macopt and
-mac_name flags.
Define and use FIPSDIR variable on VMS/MMS.
Also use SRCDIR/BLDDIR in SRCTOP/BLDTOP.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12235)
2020-06-29 12:20:41 +10:00
Richard Levitte
96e0445195 apps/openssl: clean-up of unused fallback code
Remove code in help_main() that duplicates the case when 'openssl' is
called with no arguments, which is now handled in main().

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12295)
2020-06-28 18:49:50 +02:00
Matt Caswell
fbd2ece171 Update copyright year
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12273)
2020-06-25 14:13:12 +01:00
Dr. David von Oheimb
19765f5bcf apps/cmp.c: Add workaround for Coverity false positive; rename e -> engine
CID 1463570:    (USE_AFTER_FREE)
CID 1463570:    (USE_AFTER_FREE)
Passing freed pointer "e" as an argument to "release_engine".

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12231)
2020-06-25 07:49:41 +10:00
Dr. David von Oheimb
33c41876ed apps/cmp.c: Fix memory leaks in handle_opt_geninfo() found by Coverity
CID 1463578:  Resource leaks  (RESOURCE_LEAK)
CID 1463575:  Resource leaks  (RESOURCE_LEAK)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12231)
2020-06-25 07:49:41 +10:00
Dr. Matthias St. Pierre
23c48d94d4 Rename <openssl/core_numbers.h> -> <openssl/core_dispatch.h>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12222)
2020-06-24 22:01:22 +02:00
Pauli
5b286641ef apps: avoid memory overrun.
NULL terminate the built in "help" argv array to avoid
reading beyond the end.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12258)
2020-06-24 21:54:52 +02:00
Pauli
2dee33dfb3 app/list: add RNG list option
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)
2020-06-24 20:05:41 +10:00
Dmitry Belyavskiy
6ec351f449 CMS print should support string conversion
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12206)
2020-06-24 09:56:50 +03:00
Sebastian Andrzej Siewior
00493490dd APPS: Properly pass -no-CAstore
Since its introduction the option no-CAstore maps to OPT_NOCAPATH and so
behaves like -no-CApath.

Map no-CAstore to OPT_NOCASTORE.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12171)
2020-06-23 12:25:48 +02:00
Sebastian Andrzej Siewior
96786ad123 APPS: Fix invoking openssl without a command
Invoking help with "empty" argc leads to a segfault.
Invoke do_cmd() with help as argument which invokes help_main() with
proper argv.

Fixes #12069

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12070)
2020-06-23 12:23:02 +02:00
Dr. David von Oheimb
11baa470a2 Fix CMP -days option range checking and test failing with enable-ubsan
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12175)
2020-06-22 16:39:26 +02:00
Matt Caswell
f36c3885b5 Return the cookie_len value from generate_cookie_callback
The generate_cookie_callback was failing to pass back the generated
cookie length to the caller. This results in DTLS connection failures
from s_server.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12179)
2020-06-19 11:25:56 +01:00