summaryrefslogtreecommitdiffstats
path: root/providers/nullprov.c (unfollow)
Commit message (Collapse)AuthorFilesLines
2021-07-29make updateMatt Caswell4-1061/+1063
Reviewed-by: Richard Levitte <levitte@openssl.org>
2021-07-29Update copyright yearMatt Caswell65-65/+65
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16176)
2021-07-29Update fingerprints.txtMatt Caswell1-9/+7
Add Paul Dale as an approved release signer. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16175)
2021-07-28Add missing session timeout calcTodd Short1-0/+1
Fixes #16142 Add missing session timeout calculation in `ssl_get_new_session()` Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16145)
2021-07-28test: add a comment indication that a bad MAC is intentionalPauli1-1/+3
This permits negative testing of FIPS module load failure. Also changed the MAC to all zeros to make it even clearer. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16168)
2021-07-28Add some testing for the case where the FIPS provider fails to loadMatt Caswell4-14/+65
Ensure we get correct behaviour in the event that an attempt is made to load the fips provider but it fails to load. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16168)
2021-07-28Don't try and load the config file while already loading the config fileMatt Caswell3-7/+16
Calls to the API function EVP_default_properties_enable_fips() will automatically attempt to load the default config file if it is not already loaded. Therefore this function should not be called from inside code to process the config file. Fixes #16165 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16168)
2021-07-28Ensure any default_properties still apply even in the event of a provider ↵Matt Caswell1-1/+15
load failure We don't treat a failure to load a provider as a fatal error. If it is fatal then we give up attempting to load the config file - including reading any default properties. Additionally if an attempt has been made to load a provider then we disable fallback loading. Fixes #16166 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16168)
2021-07-28Don't leak the OSSL_LIB_CTX in the event of a failure to load the FIPS moduleMatt Caswell1-0/+1
Ensure we free the OSSL_LIB_CTX on the error path. Fixes #16163 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16168)
2021-07-28ci: disable async for the SH4 build and reenable the associated testPauli1-2/+2
The platform doesn't seem to have support for this. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16144)
2021-07-28ci: get rid of no-asm flag to m68k cross compilesPauli1-2/+2
Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16144)
2021-07-28ci: add the param conversion tests to the cross compiles.Pauli1-1/+1
There was a failure because an "inf" values was being read as a "NaN" not an infinity. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16144)
2021-07-28QEMU: include test runs for most cross compilation targetsPauli1-9/+49
For the cross compiles where the tests couldn't be run, most are capable of being run when statically linked. For these, a shared with FIPS build but not test run is also included to maximise compilation coverage. The builds take a couple of minutes so the impact of these extra jobs isn't great. The test failures for test_includes, test_store and test_x509_store across several platforms are related the the OPENSSL_DIR_read() call. This gets a "Value too large for defined data type" error calling the standard library's readdir() wrapper. That is, the failure is during the translation from the x86-64 structure to the 32 bit structure. I've tried tweaking the include defines to use larger fields but couldn't figure out how to make it work. The most prudent fix is to ignore these tests for these platforms. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16144)
2021-07-28test: handle not a number (NaN) values in the param conversion test.Pauli1-2/+22
Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16144)
2021-07-28Add a test case for EVP_MD_meth_dup() and EVP_CIPHER_meth_dup()Matt Caswell1-1/+20
Check that EVP_MD_meth_free() and EVP_CIPHER_meth_free() does actually free the data. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16159)
2021-07-28Fix EVP_MD_meth_dup and EVP_CIPHER_meth_dupMatt Caswell2-0/+2
Make sure the origin is set correctly when duping an EVP_MD or EVP_CIPHER. Fixes #16157 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16159)
2021-07-27Mark the EVP_PKEY_METHOD arg as const on some EVP_PKEY_meth_get_*() funcsMatt Caswell4-10/+10
Most EVP_PKEY_meth_get_*() functions mark the EVP_PKEY_METHOD argument as const. But 3 did not. We fix those to be consistent. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16128)
2021-07-27KTLS: AES-CCM in TLS-1.3 is broken on 5.x kernels, disable itTomas Mraz1-1/+2
Fixes #16089 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16120)
2021-07-27Test ktls in non-default options CI buildTomas Mraz1-1/+3
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16120)
2021-07-27Drop no-ktls from runchecker daily build as it has no effectTomas Mraz1-1/+0
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16120)
2021-07-27ECDSA_SIG_set0(): Clarify documentation and fix formatting errorsTomas Mraz1-33/+32
Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16129)
2021-07-27ECDSA_SIG_set0: r and s parameters cannot be NULLTomas Mraz1-2/+2
Fixes #7731 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16129)
2021-07-26DOCS: Move the description of EVP_PKEY_get0_description()Richard Levitte2-7/+8
It appears to have been misplaced Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16063)
2021-07-26EVP: Add EVP_PKEY_get0_provider() and EVP_PKEY_CTX_get0_provider()Richard Levitte6-8/+56
Fixes #16058 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16063)
2021-07-23Fix potential problems with EVP_PKEY_CTX_new() with engine setTomas Mraz1-9/+14
If an engine is non-NULL in EVP_PKEY_CTX_new() call an assert might have been incorrectly triggered or the engine might be finished without being inited. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16137)
2021-07-23do_sigver_init: Add missing ERR_clear_last_mark()Tomas Mraz1-0/+1
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16138)
2021-07-23ci: QEMU based cross compiled testingPauli1-30/+88
With a little set up, Debian provides an ability to use QEMU to execute programs compiled for other architectures. Using this, most of our cross compilation CI builds can be executed. This PR does this. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16133)
2021-07-23ci: reinstate the passwd tests for the no-cached-fetch run.Pauli2-14/+28
By selectively skipping the high round test cases, the out of memory problem can be avoided. partially fixes #16127 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16132)
2021-07-23Makefile: Avoid changing LIBDIR based on whether it already existsjenda11-8/+1
unix-Makefile.tmpl checks if the target LIBDIR exists on the build machine or not and based on the result modify the final LIBDIR. This should be avoided, build results should not depend on the build machine root filesystem layout. It makes the build results unstable. The fix simply removes the dir existence test from the unix-Makefile.tmpl. Fixes: openssl#16121 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16122)
2021-07-23DSA/RSA_print(): Fix potential memory leakTomas Mraz2-6/+12
Fixes #10777 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16130)
2021-07-22Add a test for custom EVP_PKEY_METHODsMatt Caswell1-0/+328
Adds a test for using custom EVP_PKEY_METHODs without an ENGINE. As part of this we also test having a custom EVP_PKEY_METHOD that wraps a built-in EVP_PKEY_METHOD. We do this for both legacy and provided keys. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16118)
2021-07-22Fix custom EVP_PKEY_METHOD implementations where no engine is presentMatt Caswell2-35/+21
It is possible to have a custom EVP_PKEY_METHOD implementation without having an engine. In those cases we were failing to use that custom implementation. Fixes #16088 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16118)
2021-07-22Update our EVP_PKEY_METHODs to get low level keys via public APIsMatt Caswell5-43/+94
It is possible to call built-in EVP_PKEY_METHOD functions with a provided key. For example this might occur if a custom EVP_PKEY_METHOD is in use that wraps a built-in EVP_PKEY_METHOD. Therefore our EVP_PKEY_METHOD functions should not assume that we are using a legacy key. Instead we get the low level key using EVP_PKEY_get0_RSA() or other similar functions. This "does the right thing" if the key is actually provided. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16118)
2021-07-22OSSL_HTTP_open(): Fix memory leak on TLS connect failure via proxyDr. David von Oheimb1-1/+2
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16119)
2021-07-21ci: omit tests that consume too much memoryPauli1-1/+1
The SSL API tests and the passwd command test trigger memory leakage in the address sanitizer. Fixes #16116 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16125)
2021-07-21tls_process_{client,server}_certificate(): allow verify_callback return > 1Dr. David von Oheimb4-12/+13
Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13937)
2021-07-21SSL_CTX_set_cert_verify_callback.pod: various corrections and clarificationsDr. David von Oheimb1-17/+28
- Make clear the callback is called whenever a peer certificate has been received, which is independent of the verification mode. - Make clear that a return value > 1 always leads to handshake failure. - Make clear that in server mode also return values <= 0 lead to handshake failure. - For client mode replace the incorrect formulation "if B<SSL_VERIFY_PEER> is set" by what is actually implemented: "if the verification mode is not B<SSL_VERIFY_NONE>". - Refer to X509_STORE_CTX_set_error() rather than to internal error variable. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13937)
2021-07-21Add testcases for SSL_key_update() corner case callsyangyangtiantianlonglong3-10/+274
Test that SSL_key_update() is not allowed if there are writes pending. Test that there is no reset of the packet pointer in ssl3_setup_read_buffer(). Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16085)
2021-07-20test: include all DRBG tests in FIPS modePauli1-144/+0
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16096)
2021-07-20docs: update CTR DRBG documentation to not mention the lack of a derivation ↵Pauli1-2/+1
function in FIPS Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16096)
2021-07-20err: remove the derivation function is mandatory for FIPS error message ↵Pauli3-5/+0
since it's no longer used and newly introduced Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16096)
2021-07-20drbg: allow the ctr derivation function to be disabled in FIPS modePauli1-14/+0
Word from the lab is: The use of the derivation function is optional if either an approved RBG or an entropy source provides full entropy output when entropy input is requested by the DRBG mechanism. Otherwise, the derivation function shall be used. So our disallowing it's use was more than required. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16096)
2021-07-20Fix a read buffer overrun in X509_aux_print().Ingo Schwarze1-2/+2
The ASN1_STRING_get0_data(3) manual explitely cautions the reader that the data is not necessarily NUL-terminated, and the function X509_alias_set1(3) does not sanitize the data passed into it in any way either, so we must assume the return value from X509_alias_get0(3) is merely a byte array and not necessarily a string in the sense of the C language. I found this bug while writing manual pages for X509_print_ex(3) and related functions. Theo Buehler <tb@openbsd.org> checked my patch to fix the same bug in LibreSSL, see http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9 As an aside, note that the function still produces incomplete and misleading results when the data contains a NUL byte in the middle and that error handling is consistently absent throughout, even though the function provides an "int" return value obviously intended to be 1 for success and 0 for failure, and even though this function is called by another function that also wants to return 1 for success and 0 for failure and even does so in many of its code paths, though not in others. But let's stay focussed. Many things would be nice to have in the wide wild world, but a buffer overflow must not be allowed to remain in our backyard. CLA: trivial Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16108)
2021-07-20doc: fix OPENSSL_VERSION_NUMBER length in the synopsisPetr Gotthard1-1/+1
The number has 8 digits (not 9). It is a single integer `0xMNN00PP0L`. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16106)
2021-07-20demos: update readme file with pbkdf2 and scrypt examples.Pauli1-0/+2
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16109)
2021-07-20demos: add Makefile support for pbkdf2 and scrypt KDF demosPauli1-2/+4
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16109)