Configure/Makefile: separate install of the FIPS module

Fixes #13693

Co-authored-by: Richard Levitte <levitte@openssl.org>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(

Configure/Makefile: separate install of the FIPS module

Fixes #13693

Co-authored-by: Richard Levitte <levitte@openssl.org>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)

show more ...

Configure/Makefile: correct the FIPS module configuration file path

According to the OpenSSL 3.0 Wiki, the file should be located at

$(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf

Configure/Makefile: correct the FIPS module configuration file path

According to the OpenSSL 3.0 Wiki, the file should be located at

$(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf

next to the openssl.cnf file.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)

show more ...

Configure/Makefile: use the correct openssl app for FIPS installation

The `openssl` app was previously called without a path, which
would generally invoke the system's copy of the openss

Configure/Makefile: use the correct openssl app for FIPS installation

The `openssl` app was previously called without a path, which
would generally invoke the system's copy of the openssl application.
Currently, that's most likely an openssl version 1.1.1 application,
which does not recognize the `fipsinstall` command and terminates
with an error message.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)

show more ...

Configure/Makefile: fix the `-macopt` argument of the fipsinstall command

The FIPS hmac key is provided as a hexadezimal string, which needs to
be be prefixed with `hexkey:`, not `key:`.

Configure/Makefile: fix the `-macopt` argument of the fipsinstall command

The FIPS hmac key is provided as a hexadezimal string, which needs to
be be prefixed with `hexkey:`, not `key:`.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)

show more ...

runchecker: fix no-sock build by conditioning clean up on the NO_SOCK symbol.

Fixes #15054

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/op

runchecker: fix no-sock build by conditioning clean up on the NO_SOCK symbol.

Fixes #15054

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15055)

show more ...

test: never run fipsinstall if the tests are not enabled.

Fixes #15056

The dependency for fipsinstall was being added to the makefile regardless of
it being used. This means th

test: never run fipsinstall if the tests are not enabled.

Fixes #15056

The dependency for fipsinstall was being added to the makefile regardless of
it being used. This means that a subsequent `make test` would fail if the
command line application wasn't present. Rather than fix the instance in question,
it is better to leave out this part of the makefile if the tests cannot be
run.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15057)

show more ...

util/add-depends.pl: Adapt to localized /showIncludes output

It was discovered that MSVC has localized /showIncludes output.
Fortunately, it still seems to follow the same generic format

util/add-depends.pl: Adapt to localized /showIncludes output

It was discovered that MSVC has localized /showIncludes output.
Fortunately, it still seems to follow the same generic format, so we
can adapt the regular expression to make it language agnostic.

Fixes #14994

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/15006)

show more ...

Configuration: rework how dependency making is handled

Previously, we had dependency making pretty much hard coded in the
build file templates, with a bit of an exception for Unix family

Configuration: rework how dependency making is handled

Previously, we had dependency making pretty much hard coded in the
build file templates, with a bit of an exception for Unix family
platforms, where we had different cases depending on what dependency
making program was found.

With the Embarcadero C++ builder, a separate scheme appeared, with a
different logic.

This change merges the two, and introduces two config target
attributes:

makedepcmd The program to use, where this is relevant.
This replaces the earlier configuration
attribute 'makedepprog'.
makedep_scheme This is a keyword that can be used by build
files templates to produce different sorts of
commands, but most importantly, to pass as
argument to util/add-depend.pl, which uses
this keyword as a "producer" for the
dependency lines.

If the config target doesn't define the 'makedep_scheme' attribute,
Configure tries to figure it out by looking for GCC compatible
compilers or for the 'makedepend' command.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/15006)

show more ...

Windows bulding: Make dependency generation not quite as talkative

The modified way to generate .d files had an unfortunate side effect,
that it outputs the whole preprocessed file and n

Windows bulding: Make dependency generation not quite as talkative

The modified way to generate .d files had an unfortunate side effect,
that it outputs the whole preprocessed file and not just the dependency
lines, at least with MSVC's cl. That gave util/add-depends.pl a whole
lot more to read through, which impacts greatly on the performance of
dependency treatment.

We modify the process by adding a config target attribute 'make_depend',
which can be any suitable command for generating such lines. All it
needs is to also accept C flags and macro definitions.

Fixes #14994

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/15006)

show more ...

Test a Finished message at the wrong time results in unexpected message

We test that sending a Finished message instead of a ClientHello results
in an unexpected message error.

Test a Finished message at the wrong time results in unexpected message

We test that sending a Finished message instead of a ClientHello results
in an unexpected message error.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14930)

show more ...

Defer Finished MAC handling until after state transition

In TLS we process received messages like this:

1) Read Message Header
2) Validate and transition state based on received

Defer Finished MAC handling until after state transition

In TLS we process received messages like this:

1) Read Message Header
2) Validate and transition state based on received message type
3) Read Message Body
4) Process Message

In DTLS we read messages like this:

1) Read Message Header and Body
2) Validate and transition state based on received message type
3) Process Message

The difference is because of the stream vs datagram semantics of the
underlying transport.

In both TLS and DTLS we were doing finished MAC processing as part of
reading the message body. This means that in DTLS this was occurring
*before* the state transition has been validated. A crash was occurring
in DTLS if a Finished message was sent in an invalid state due to
assumptions in the code that certain variables would have been setup by
the time a Finished message arrives.

To avoid this problem we shift the finished MAC processing to be after
the state transition in DTLS.

Thanks to github user @bathooman for reporting this issue.

Fixes #14906

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14930)

show more ...

Store the list of activated providers in the libctx

The provider config module was storing the list of activated providers
in a global variable. However, because different libctxs can ea

Store the list of activated providers in the libctx

The provider config module was storing the list of activated providers
in a global variable. However, because different libctxs can each load
providers via config files we need to keep the list of activated providers
separate and in the libctx.

Partially fixes #15030

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15033)

show more ...

Properly protect access to the provider flag_activated field

This was not always locked when it should be.

Fixes #15005

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merg

Properly protect access to the provider flag_activated field

This was not always locked when it should be.

Fixes #15005

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15010)

show more ...

Add a threading test for loading/unloading providers

Check that we don't see any threading issues when loading/unloading a
provider from multiple threads.

Reviewed-by: Paul Dale

Add a threading test for loading/unloading providers

Check that we don't see any threading issues when loading/unloading a
provider from multiple threads.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15010)

show more ...

CMS ESS: Move four internal aux function to where they belong in crypto/cms

Also constify and slightly refactor them.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from ht

CMS ESS: Move four internal aux function to where they belong in crypto/cms

Also constify and slightly refactor them.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14601)

show more ...

TS ESS: Move four internal aux function to where they belong in crypto/ts

Also constify and slightly refactor them.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from http

TS ESS: Move four internal aux function to where they belong in crypto/ts

Also constify and slightly refactor them.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14601)

show more ...

ESS: Export three core functions, clean up TS and CMS CAdES-BES usage

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14601)

Skip test_fipsload when fips is disabled.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/15027)

Explicitly enable or disable fips if it is or is not relevant for the test

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl

Explicitly enable or disable fips if it is or is not relevant for the test

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/15027)

show more ...

Add X509 version constants.

The X509 version APIs return the numerical values of the version
numbers, which are one off from the names. This is a bit confusing.
Where they don't get

Add X509 version constants.

The X509 version APIs return the numerical values of the version
numbers, which are one off from the names. This is a bit confusing.
Where they don't get it wrong (accidentally making an "X509v4"
certificate), callers tend to try commenting every call site to explain
the mismatch, including in OpenSSL itself.

Define constants for these values, so code can be self-documenting and
callers are nudged towards the right values.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14549)

show more ...

memleaktest with MSVC's AddressSanitizer

Disabling memleaktest under MSVC because leak detection is not a supported feature with MSVC's AddressSanitizer. Leaving ASan enabled in this case ca

memleaktest with MSVC's AddressSanitizer

Disabling memleaktest under MSVC because leak detection is not a supported feature with MSVC's AddressSanitizer. Leaving ASan enabled in this case causes a test failure because the test suite is expecting the leak to be detected.

CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14581)

show more ...

OPENSSL_sk functions are effectively already documented

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14728)

Improve the implementation of X509_STORE_CTX_get1_issuer()

It is possible for the stack of X509_OBJECTs held in an X509_STORE_CTX to
have a custom compare function associated with it. No

Improve the implementation of X509_STORE_CTX_get1_issuer()

It is possible for the stack of X509_OBJECTs held in an X509_STORE_CTX to
have a custom compare function associated with it. Normally (by default)
this uses X509_NAME_cmp(). The X509_STORE_CTX_get1_issuer() function
assumed that it would always be X509_NAME_cmp().

By implementing OPENSSL_sk_find_all() function we can avoid explicitly
using X509_NAME_cmp() in X509_STORE_CTX_get1_issuer().

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14728)

show more ...

Add testing for updated cipher IV

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15041)

Use "canonical" names when matching the output of the commands

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15028)