Age | Commit message (Collapse) | Author |
|
Internally, we still need this function, so we make it internal and
then add a new ERR_get_state() that simply calls the internal variant,
unless it's "removed" by configuration.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9462)
|
|
The intention is to make it opaque later on.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9462)
|
|
ERR_func_error_string() essentially returns NULL, and since all
function codes are now removed for all intents and purposes, this
function has fallen out of use and cannot be modified to suit the
data, since its only function is to interpret an error code.
To compensate for the loss of error code, we instead provide new
functions that extracts the function name strings from an error
record:
- ERR_get_error_func()
- ERR_peek_error_func()
- ERR_peek_last_error_func()
Similarly, the once all encompasing functions
ERR_peek_last_error_line_data(), ERR_peek_error_line_data() and
ERR_get_error_line_data() lack the capability of getting the function
name string, so we deprecate those and add these functions to replace
them:
- ERR_get_error_all()
- ERR_peek_error_all()
- ERR_peek_last_error_all()
Finally, we adjust a few lines of code that used the now deprecated
functions.
Fixes #9756
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9756)
|
|
The configuration option 'no-err' is documented to be used to avoid
loading error related string tables. For some reason, it was also
used to define if ERR_PUT_error() would pass the source file name and
line information or not.
The configuration option 'no-filenames' is documented to be used to
avoid passing the source file name and line anywhere. So, the
definition of ERR_PUT_error() should depend on OPENSSL_NO_FILENAMES
rather than OPENSSL_NO_ERR.
Furthermore, the definition of OPENSSL_FILE and OPENSSL_LINE depends
on if OPENSSL_NO_FILENAMES is defined or not, so there was never any
need to do extra macro gymnastics in include/openssl/err.h, so we
simply remove it and use OPENSSL_FILE and OPENSSL_LINE directly.
Finally, the macro OPENSSL_FUNC is unaffected by all these
configuration options, so it should be used in all macros that call
ERR_set_debug().
Fixes #9756
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9756)
|
|
There was a section to define OPENSSL_FUNC that depended on PEDANTIC
being defined. That is an internal build macro that should never
appear in a public header. The solution was simple, replace it with
a check of __STRICT_ANSI__.
Fixes #9756
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9756)
|
|
The output C code was made to use ERR_func_error_string() to see if a
string table was already loaded or not. Since this function returns
NULL always, this check became useless.
Change it to use ERR_reason_error_string() instead, as there's no
reason to believe we will get rid of reason strings, ever.
To top it off, we rebuild all affected C sources.
Fixes #9756
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9756)
|
|
When the new OpenSSL CSPRNG was introduced in version 1.1.1,
it was announced in the release notes that it would be fork-safe,
which the old CSPRNG hadn't been.
The fork-safety was implemented using a fork count, which was
incremented by a pthread_atfork handler. Initially, this handler
was enabled by default. Unfortunately, the default behaviour
had to be changed for other reasons in commit b5319bdbd095, so
the new OpenSSL CSPRNG failed to keep its promise.
This commit restores the fork-safety using a different approach.
It replaces the fork count by a fork id, which coincides with
the process id on UNIX-like operating systems and is zero on other
operating systems. It is used to detect when an automatic reseed
after a fork is necessary.
To prevent a future regression, it also adds a test to verify that
the child reseeds after fork.
CVE-2019-1549
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9832)
|
|
There is no deprecated CTRL support for this new field.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9698)
|
|
This avoids the problems with PBKDF2 and SCRYPT not being of the same form
as the rest.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9814)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9753)
|
|
We add new functions for getting parameters and discovering the gettable
and settable parameters. We also make EVP_PKEY_CTX_get_signature_md() a
function and implement it in terms of the new functions.
This enables applications to discover the set of parameters that are
supported for a given algorithm implementation.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9753)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9753)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9753)
|
|
This makes EVP_PKEY_sign and EVP_PKEY_sign_init provider aware. It
also introduces the new type EVP_SIGNATURE to represent signature
algorithms. This also automatically makes the EVP_Sign* APIs provider
aware because they use EVP_Digest* (which is already provider aware)
and EVP_PKEY_sign(_init) under the covers.
At this stage there are no signature algorithms in any providers. That
will come in the following commits.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9753)
|
|
The check was missing in DH_check and DH_check_params.
[extended tests]
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9796)
|
|
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9812)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9770)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9662)
|
|
The EVP_KDF_ definitions are no longer needed, and neither is
EVP_get_kdfbyname()
test/evp_kdf_test.c tried to use a EVP_get_kdfbyname() that was rewritten
to use EVP_KDF_fetch() without ever freeing the resulting KDF method.
It's better to refactor the test to use EVP_KDF_fetch directly.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9662)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9662)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9662)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9662)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9662)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9662)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9662)
|
|
The OpenSSL_version_num() function returns at runtime the
OPENSSL_VERSION_NUMBER of the compiled OpenSSL library. This is a
used and useful interface, and should not (at least yet) be
deprecated, we just introduced the new versioning schema, it seems
too early to deprecate the old.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7853)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9699)
|
|
This function re-implements EVP_CIPHER_meth_free(), but has a name that
isn't encumbered by legacy EVP_CIPHER construction functionality.
We also refactor most of EVP_CIPHER_meth_new() into an internal
evp_cipher_new() that's used when creating fetched methods.
EVP_CIPHER_meth_new() and EVP_CIPHER_meth_free() are rewritten in terms of
evp_cipher_new() and EVP_CIPHER_free(). This means that at any time, we can
deprecate all the EVP_CIPHER_meth_ functions with no harmful consequence.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9758)
|
|
This function re-implements EVP_MD_meth_free(), but has a name that
isn't encumbered by legacy EVP_MD construction functionality.
We also refactor most of EVP_MD_meth_new() into an internal
evp_md_new() that's used when creating fetched methods.
EVP_MD_meth_new() and EVP_MD_meth_free() are rewritten in terms of
evp_md_new() and EVP_MD_free(). This means that at any time, we can
deprecate all the EVP_MD_meth_ functions with no harmful consequence.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9758)
|
|
KEYMGMT methods were attached to other methods after those were fully
created and registered, thereby creating a potential data race, if two
threads tried to create the exact same method at the same time.
Instead of this, we change the method creating function to take an
extra data parameter, passed all the way from the public fetching
function. In the case of EVP_KEYEXCH, we pass all the necessary data
that evp_keyexch_from_dispatch() needs to be able to fetch the
appropriate KEYMGMT method on the fly.
Fixes #9592
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9678)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9669)
|
|
1. There are still references to the removed ERR_put_func_error().
2. ERR_put_error() is deprecated as off version 3.0, so should
ERR_PUT_error().
3. 'no-err' didn't affect what was passed to ERR_set_debug().
Fixes #9522
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9747)
|
|
Use the header file internal/cryptlib.h instead.
Remove checks for OPENSSL_NO_ASM and I386_ONLY
in cryptlib.c, to match the checks in other
places where OPENSSL_ia32cap_P is used and
assumed to be initialized.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/9688)
|
|
The EC_GROUP_new() function does not take a libctx parameter
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/9715)
|
|
Simplify the initialisation of the core by pre-initialising properties.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9590)
|
|
'openssl version -r' prints the seed source based on compiler macros.
This does not necessarily reflect the library's idea of what seed
sources to use, so we reimplement the list of seed sources as a
OPENSSL_info() item and display that instead.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9689)
|
|
Moved the relevant ciphers into default and restructed headers to allow the move.
This removed most of the cases of #ifdef NO_XXX (which are now specified in build.info)
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9482)
|
|
The EVP_PKEY MAC implementations had a diversity of controls that were
really the same thing. We did reproduce that for the provider based
MACs, but are changing our minds on this. Instead of that, we now use
one parameter name for passing the name of the underlying ciphers or
digests to a MAC implementation, "cipher" and "digest", and one
parameter name for passing the output size of the MAC, "size".
Then we leave it to the EVP_PKEY->EVP_MAC bridge to translate "md"
to "digest", and "digestsize" to "size".
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9667)
|
|
The current EVP_PEKY_ctrl for SM2 has no capability of parsing an ID
input in hexdecimal.
The newly added ctrl string is called: sm2_hex_id
Test cases and documentation are updated.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9584)
|
|
If ossl_method_store_add() gets called with a method that already exists
(i.e. the store has one with matching provider, nid and properties), that
method should not be stored. We do this check inside ossl_method_store_add()
because it has all the locking required to do so safely.
Fixes #9561
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9650)
|
|
Because this function affects the reference count on failure (the call
to impl_free() does this), it may as well handle incrementing it as
well to indicate the extra reference in the method store.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9650)
|
|
ossl_param_bld_push_{utf8,octet}_string() saved the constant string
pointer to a non-constant structure field, so we change that field to
a pointer to a constant. We also modify param_bld_convert() to
pretend the resulting pointer for PTR types points to a constant as
well.
Completes #9649
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9651)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9649)
|
|
The macros are defined in include/openssl/core_names.h and follow the
naming standard OSSL_{OPNAME}_NAME_{ALGONAME}, where {OPNAME} is the
name of the operation (such as MAC) and {ALGONAME} is the name of the
algorithm. Example: OSSL_MAC_NAME_HMAC
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9635)
|
|
When openssl/macros.h is included without openssl/opensslv.h, it can't
define OPENSSL_API_4 properly (with sufficient warnings enabled, the
compiler will complain about OPENSSL_VERSION_MAJOR not being defined).
The quick fix could have been to include openssl/opensslv.h in
openssl/macros.h, but that would create a nasty include loop, since
openssl/opensslv.h includes openssl/opensslconf.h, which includes
openssl/macros.h, in an order that leads back to macro check errors.
The objective is to make these headers more independent:
- openssl/opensslconf.h should really be completely independent, as it
only defines macros for configuration values. However, it needs to
include openssl/macros.h for backward compatibility reasons. We do
this at the very end, under inclusion guards.
- openssl/macros.h is changed to include openssl/opensslconf.h, so it
gets necessary configuration values to build some macros. This will
not cause an endless inclusion loop, since opensslconf.h's inclusion
of macros.h is under guard.
- openssl/opensslv.h is changed to include openssl/macros.h instead of
openssl/opensslconf.h.
Only one last piece needs to be done to make openssl/macros.h
independent from openssl/opensslv.h. We can realise that the
definition of OPENSSL_API_4 doesn't need to depend on the current
version number. There's nothing in our configuration that would have
OPENSSL_API_4 defined to 1, and if the user sets OPENSSL_API_COMPAT or
OPENSSL_API_LEVEL to a high enough value, we consider that a
deliberate and knowledgable action on their part.
Fixes #7874
Fixes #9601
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9626)
|
|
Add test to evp_test_extra for ciphers (that is similiar to the digest_fetch).
Move some of the aes and gcm methods that can be shared with other ciphers into ciphers_common.c
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9580)
|
|
More PR's related to self test will be derived from this PR.
Note: the code removed in core_get_params() was causing a freeze since the
fips module was being loaded from a config file, which then called core_get_params()
which then tried to init the config fle again...
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9596)
|
|
Recently, we added dispatched functions to get parameter descriptions,
and those for operation context parameters ended up being called
something_gettable_ctx_params and something_settable_ctx_params.
The corresponding dispatched functions to actually perform parameter
transfers were previously called something_ctx_get_params and
something_ctx_set_params, which doesn't quite match, so we rename them
to something_get_ctx_params and something_set_ctx_params.
An argument in favor of this name change is English, where you'd
rather say something like "set the context parameters".
This only change the libcrypto <-> provider interface.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9612)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8877)
|
|
For information processing.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8877)
|