Import OpenSSL 3.0-alpha6

schwabe · Aug 12, 2020 · 373d1ee · 373d1ee
1 parent 0e08af1
commit 373d1ee
Show file tree

Hide file tree

Showing 194 changed files with 5,613 additions and 1,698 deletions.
diff --git a/apps/ca.c b/apps/ca.c
@@ -1049,7 +1049,7 @@ int ca_main(int argc, char **argv)
         for (i = 0; i < sk_X509_num(cert_sk); i++) {
             BIO *Cout = NULL;
             X509 *xi = sk_X509_value(cert_sk, i);
-            ASN1_INTEGER *serialNumber = X509_get_serialNumber(xi);
+            const ASN1_INTEGER *serialNumber = X509_get0_serialNumber(xi);
             const unsigned char *psn = ASN1_STRING_get0_data(serialNumber);
             const int snl = ASN1_STRING_length(serialNumber);
             const int filen_len = 2 * (snl > 0 ? snl : 1) + sizeof(".pem");
@@ -1463,7 +1463,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
         row[i] = NULL;
 
     if (subj) {
-        X509_NAME *n = parse_name(subj, chtype, multirdn);
+        X509_NAME *n = parse_name(subj, chtype, multirdn, "subject");
 
         if (!n) {
             ERR_print_errors(bio_err);
@@ -1643,7 +1643,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
         BIO_printf(bio_err,
                    "Everything appears to be ok, creating and signing the certificate\n");
 
-    if ((ret = X509_new()) == NULL)
+    if ((ret = X509_new_with_libctx(app_get0_libctx(), app_get0_propq())) == NULL)
         goto end;
 
 #ifdef X509_V3
@@ -2113,7 +2113,7 @@ static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type,
     for (i = 0; i < DB_NUMBER; i++)
         row[i] = NULL;
     row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0);
-    bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509), NULL);
+    bn = ASN1_INTEGER_to_BN(X509_get0_serialNumber(x509), NULL);
     if (!bn)
         goto end;
     if (BN_is_zero(bn))

diff --git a/apps/cmp.c b/apps/cmp.c
@@ -321,7 +321,7 @@ const OPTIONS cmp_options[] = {
     {OPT_MORE_STR, 0, 0,
      "also used as reference (defaulting to -cert) for subject DN and SANs."},
     {OPT_MORE_STR, 0, 0,
-     "Its issuer is used as recipient unless -srvcert, -recipient or -issuer given"},
+     "Its issuer is used as recipient unless -recipient, -srvcert, or -issuer given"},
     {"revreason", OPT_REVREASON, 'n',
      "Reason code to include in revocation request (rr); possible values:"},
     {OPT_MORE_STR, 0, 0,
@@ -354,7 +354,7 @@ const OPTIONS cmp_options[] = {
     {"srvcert", OPT_SRVCERT, 's',
      "Server cert to pin and trust directly when verifying signed CMP responses"},
     {"recipient", OPT_RECIPIENT, 's',
-     "Distinguished Name (DN) to use as msg recipient; see man page for defaults"},
+     "DN of CA. Default: subject of -srvcert, -issuer, issuer of -oldcert or -cert"},
     {"expect_sender", OPT_EXPECT_SENDER, 's',
      "DN of expected sender of responses. Defaults to subject of -srvcert, if any"},
     {"ignore_keyusage", OPT_IGNORE_KEYUSAGE, '-',
@@ -934,7 +934,6 @@ static X509_STORE *sk_X509_to_store(X509_STORE *store /* may be NULL */,
 static int write_PKIMESSAGE(const OSSL_CMP_MSG *msg, char **filenames)
 {
     char *file;
-    BIO *bio;
 
     if (msg == NULL || filenames == NULL) {
         CMP_err("NULL arg to write_PKIMESSAGE");
@@ -947,25 +946,17 @@ static int write_PKIMESSAGE(const OSSL_CMP_MSG *msg, char **filenames)
 
     file = *filenames;
     *filenames = next_item(file);
-    bio = BIO_new_file(file, "wb");
-    if (bio == NULL) {
-        CMP_err1("Cannot open file '%s' for writing", file);
-        return 0;
-    }
-    if (i2d_OSSL_CMP_MSG_bio(bio, msg) < 0) {
+    if (OSSL_CMP_MSG_write(file, msg) < 0) {
         CMP_err1("Cannot write PKIMessage to file '%s'", file);
-        BIO_free(bio);
         return 0;
     }
-    BIO_free(bio);
     return 1;
 }
 
 /* read DER-encoded OSSL_CMP_MSG from the specified file name item */
 static OSSL_CMP_MSG *read_PKIMESSAGE(char **filenames)
 {
     char *file;
-    BIO *bio;
     OSSL_CMP_MSG *ret;
 
     if (filenames == NULL) {
@@ -979,15 +970,10 @@ static OSSL_CMP_MSG *read_PKIMESSAGE(char **filenames)
 
     file = *filenames;
     *filenames = next_item(file);
-    bio = BIO_new_file(file, "rb");
-    if (bio == NULL) {
-        CMP_err1("Cannot open file '%s' for reading", file);
-        return NULL;
-    }
-    ret = d2i_OSSL_CMP_MSG_bio(bio, NULL);
+
+    ret = OSSL_CMP_MSG_read(file);
     if (ret == NULL)
         CMP_err1("Cannot read PKIMessage from file '%s'", file);
-    BIO_free(bio);
     return ret;
 }
 
@@ -1123,12 +1109,10 @@ static int set_name(const char *str,
                     OSSL_CMP_CTX *ctx, const char *desc)
 {
     if (str != NULL) {
-        X509_NAME *n = parse_name(str, MBSTRING_ASC, 0);
+        X509_NAME *n = parse_name(str, MBSTRING_ASC, 0, desc);
 
-        if (n == NULL) {
-            CMP_err2("cannot parse %s DN '%s'", desc, str);
+        if (n == NULL)
             return 0;
-        }
         if (!(*set_fn) (ctx, n)) {
             X509_NAME_free(n);
             CMP_err("out of memory");
@@ -1883,7 +1867,7 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
     if (opt_days > 0
             && !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_VALIDITY_DAYS,
                                         opt_days)) {
-        CMP_err("could to set requested cert validity period");
+        CMP_err("could not set requested cert validity period");
         goto err;
     }
 
@@ -2109,7 +2093,6 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
 
     if (opt_proxy != NULL)
         (void)BIO_snprintf(proxy_buf, sizeof(proxy_buf), " via %s", opt_proxy);
-    CMP_info2("will contact %s%s", server_buf, proxy_buf);
 
     if (!transform_opts())
         goto err;
@@ -2231,6 +2214,9 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
     if (opt_geninfo != NULL && !handle_opt_geninfo(ctx))
         goto err;
 
+    /* not printing earlier, to minimize confusion in case setup fails before */
+    CMP_info2("will contact %s%s", server_buf, proxy_buf);
+
     ret = 1;
 
  err:
@@ -2924,15 +2910,13 @@ int cmp_main(int argc, char **argv)
     ret = 0;
 
     if (opt_batch) {
-#ifndef OPENSSL_NO_ENGINE
         UI_METHOD *ui_fallback_method;
-# ifndef OPENSSL_NO_UI_CONSOLE
+#ifndef OPENSSL_NO_UI_CONSOLE
         ui_fallback_method = UI_OpenSSL();
-# else
+#else
         ui_fallback_method = (UI_METHOD *)UI_null();
-# endif
-        UI_method_set_reader(ui_fallback_method, NULL);
 #endif
+        UI_method_set_reader(ui_fallback_method, NULL);
     }
 
     if (opt_engine != NULL)

diff --git a/apps/enc.c b/apps/enc.c
@@ -551,7 +551,7 @@ int enc_main(int argc, char **argv)
 
         BIO_get_cipher_ctx(benc, &ctx);
 
-        if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) {
+        if (!EVP_CipherInit_ex(ctx, cipher, e, NULL, NULL, enc)) {
             BIO_printf(bio_err, "Error setting cipher %s\n",
                        EVP_CIPHER_name(cipher));
             ERR_print_errors(bio_err);

diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
@@ -38,7 +38,7 @@ typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_IN, OPT_OUT, OPT_MODULE,
     OPT_PROV_NAME, OPT_SECTION_NAME, OPT_MAC_NAME, OPT_MACOPT, OPT_VERIFY,
-    OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET
+    OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG
 } OPTION_CHOICE;
 
 const OPTIONS fipsinstall_options[] = {
@@ -62,6 +62,7 @@ const OPTIONS fipsinstall_options[] = {
     {"noout", OPT_NO_LOG, '-', "Disable logging of self test events"},
     {"corrupt_desc", OPT_CORRUPT_DESC, 's', "Corrupt a self test by description"},
     {"corrupt_type", OPT_CORRUPT_TYPE, 's', "Corrupt a self test by type"},
+    {"config", OPT_CONFIG, '<', "The parent config to verify"},
     {"quiet", OPT_QUIET, '-', "No messages, just exit status"},
     {NULL}
 };
@@ -202,6 +203,11 @@ static void free_config_and_unload(CONF *conf)
     }
 }
 
+static int verify_module_load(const char *parent_config_file)
+{
+    return OPENSSL_CTX_load_config(NULL, parent_config_file);
+}
+
 /*
  * Returns 1 if the config file entries match the passed in module_mac and
  * install_mac values, otherwise it returns 0.
@@ -271,7 +277,7 @@ int fipsinstall_main(int argc, char **argv)
     const char *prov_name = "fips";
     BIO *module_bio = NULL, *mem_bio = NULL, *fout = NULL;
     char *in_fname = NULL, *out_fname = NULL, *prog;
-    char *module_fname = NULL;
+    char *module_fname = NULL, *parent_config = NULL;
     EVP_MAC_CTX *ctx = NULL, *ctx2 = NULL;
     STACK_OF(OPENSSL_STRING) *opts = NULL;
     OPTION_CHOICE o;
@@ -328,6 +334,9 @@ int fipsinstall_main(int argc, char **argv)
         case OPT_MAC_NAME:
             mac_name = opt_arg();
             break;
+        case OPT_CONFIG:
+            parent_config = opt_arg();
+            break;
         case OPT_MACOPT:
             if (!sk_OPENSSL_STRING_push(opts, opt_arg()))
                 goto opthelp;
@@ -342,6 +351,17 @@ int fipsinstall_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
+
+    if (parent_config != NULL) {
+        /* Test that a parent config can load the module */
+        if (verify_module_load(parent_config)) {
+            ret = OSSL_PROVIDER_available(NULL, prov_name) ? 0 : 1;
+            if (!quiet)
+                BIO_printf(bio_out, "FIPS provider is %s\n",
+                           ret == 0 ? "available" : " not available");
+        }
+        goto end;
+    }
     if (module_fname == NULL
         || (verify && in_fname == NULL)
         || (!verify && out_fname == NULL)

diff --git a/apps/genpkey.c b/apps/genpkey.c
@@ -280,7 +280,7 @@ int init_gen_str(EVP_PKEY_CTX **pctx,
 
     ameth = EVP_PKEY_asn1_find_str(&tmpeng, algname, -1);
 
-#ifndef OPENSSL_NO_ENGINE
+#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     if (!ameth && e)
         ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1);
 #endif
@@ -293,7 +293,7 @@ int init_gen_str(EVP_PKEY_CTX **pctx,
     ERR_clear_error();
 
     EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
-#ifndef OPENSSL_NO_ENGINE
+#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     ENGINE_finish(tmpeng);
 #endif
     ctx = EVP_PKEY_CTX_new_id(pkey_id, e);

diff --git a/apps/include/apps.h b/apps/include/apps.h
@@ -65,6 +65,7 @@ CONF *app_load_config_bio(BIO *in, const char *filename);
 CONF *app_load_config(const char *filename);
 CONF *app_load_config_quiet(const char *filename);
 int app_load_modules(const CONF *config);
+CONF *app_load_config_modules(const char *configfile);
 void unbuffer(FILE *fp);
 void wait_for_async(SSL *s);
 # if defined(OPENSSL_SYS_MSDOS)
@@ -200,7 +201,8 @@ void free_index(CA_DB *db);
 int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);
 int parse_yesno(const char *str, int def);
 
-X509_NAME *parse_name(const char *str, long chtype, int multirdn);
+X509_NAME *parse_name(const char *str, int chtype, int multirdn,
+                      const char *desc);
 void policies_print(X509_STORE_CTX *ctx);
 int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
 int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value);
@@ -290,9 +292,15 @@ typedef struct verify_options_st {
 
 extern VERIFY_CB_ARGS verify_args;
 
+OPENSSL_CTX *app_create_libctx(void);
+OPENSSL_CTX *app_get0_libctx(void);
 OSSL_PARAM *app_params_new_from_opts(STACK_OF(OPENSSL_STRING) *opts,
                                      const OSSL_PARAM *paramdefs);
 void app_params_free(OSSL_PARAM *params);
+int app_provider_load(OPENSSL_CTX *libctx, const char *provider_name);
 void app_providers_cleanup(void);
 
+OPENSSL_CTX *app_get0_libctx(void);
+const char *app_get0_propq(void);
+
 #endif
diff --git a/apps/include/opt.h b/apps/include/opt.h
@@ -273,6 +273,9 @@
         OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH, \
         OPT_PROV__LAST
 
+# define OPT_CONFIG_OPTION \
+        { "config", OPT_CONFIG, '<', "Load a configuration file (this may load modules)" }
+
 # define OPT_PROV_OPTIONS \
         OPT_SECTION("Provider"), \
         { "provider_path", OPT_PROV_PROVIDER_PATH, 's', "Provider load path (must be before 'provider' argument if required)" }, \

diff --git a/apps/insta.ca.crt b/apps/insta.ca.crt
diff --git a/apps/lib/app_provider.c b/apps/lib/app_provider.c
@@ -8,6 +8,7 @@
  */
 
 #include "apps.h"
+#include <string.h>
 #include <openssl/err.h>
 #include <openssl/provider.h>
 #include <openssl/safestack.h>
@@ -21,14 +22,19 @@ enum prov_range { OPT_PROV_ENUM };
 
 static STACK_OF(OSSL_PROVIDER) *app_providers = NULL;
 
-static int opt_provider_load(const char *provider)
+static void provider_free(OSSL_PROVIDER *prov)
+{
+    OSSL_PROVIDER_unload(prov);
+}
+
+int app_provider_load(OPENSSL_CTX *libctx, const char *provider_name)
 {
     OSSL_PROVIDER *prov;
 
-    prov = OSSL_PROVIDER_load(NULL, provider);
+    prov = OSSL_PROVIDER_load(libctx, provider_name);
     if (prov == NULL) {
         opt_printf_stderr("%s: unable to load provider %s\n",
-                          opt_getprog(), provider);
+                          opt_getprog(), provider_name);
         return 0;
     }
     if (app_providers == NULL)
@@ -41,11 +47,6 @@ static int opt_provider_load(const char *provider)
     return 1;
 }
 
-static void provider_free(OSSL_PROVIDER *prov)
-{
-    OSSL_PROVIDER_unload(prov);
-}
-
 void app_providers_cleanup(void)
 {
     sk_OSSL_PROVIDER_pop_free(app_providers, provider_free);
@@ -56,7 +57,7 @@ static int opt_provider_path(const char *path)
 {
     if (path != NULL && *path == '\0')
         path = NULL;
-    return OSSL_PROVIDER_set_default_search_path(NULL, path);
+    return OSSL_PROVIDER_set_default_search_path(app_get0_libctx(), path);
 }
 
 int opt_provider(int opt)
@@ -66,7 +67,7 @@ int opt_provider(int opt)
     case OPT_PROV__LAST:
         return 1;
     case OPT_PROV_PROVIDER:
-        return opt_provider_load(opt_arg());
+        return app_provider_load(app_get0_libctx(), opt_arg());
     case OPT_PROV_PROVIDER_PATH:
         return opt_provider_path(opt_arg());
     }