Deprecate OCSP_xxx API for OSSL_HTTP_xxx #13742
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
DDvO
requested changes
Dec 28, 2020
Contributor
DDvO
left a comment
There was a problem hiding this comment.
Thanks for taking care of this.
A couple of things to improve.
DDvO
requested changes
Dec 29, 2020
Contributor
Author
|
fixup commit pushed. |
mattcaswell
requested changes
Jan 4, 2021
Member
mattcaswell
left a comment
There was a problem hiding this comment.
See comment below. I also think this should have a CHANGES entry which outlines the change and says what people should do to change their code to avoid deprecation warnings.
util/missingcrypto.txt
Outdated
Member
There was a problem hiding this comment.
I think we need to document these things before this PR goes in (or document them in this PR). We are introducing a new namespace (OSSL_HTTP) here. We should not instantly pollute it with undocumented functions. I realise that these were undocumented before - but this increases the size of the problem. We used to have one set of functions that were undocumented - we now have a new set of functions plus a set of aliases which are all undocumented.
Contributor
Author
There was a problem hiding this comment.
we need to document these things.
That's a reasonable attitude, but I am not going to do that. I think those involved with the original work should do so; they are free to take over this PR, or push commits, mail me files, whatever works. (If I were paranoid, I would say that not wanting to do documentation was a motivation for the original define hacks in http_local.h :)
Contributor
There was a problem hiding this comment.
That's a reasonable attitude, but I am not going to do that. I think those involved with the original work should do so; they are free to take over this PR, or push commits, mail me files, whatever works.
I second this.
(If I were paranoid, I would say that not wanting to do documentation was a motivation for the original define hacks in http_local.h :)
My motivation for those "#define hacks" was a different one: I did not dare to touch the pretty old OCSP_ function entries in libcrypto.num, fearing that doing so might break binary compatibility of libcrypto with older versions.
Contributor
Author
There was a problem hiding this comment.
So @DDvO, it seems you wrote these functions (or someone at your company). If that's correct, do you have any plans to get them documented? And if I'm wrong, sorry, can you help figure out who did add them?
Contributor
There was a problem hiding this comment.
I did not write these functions - they have been around for many years.
I'm pretty sure that all of them were added by Stephen Henson - see for instance
git blame 29f178bddfdbd11218fbcba0b8060297696968e3^ crypto/ocsp/ocsp_ht.c|grep OCSP_REQ_CTX_new
6f9076ff370 (Dr. Stephen Henson 2012-11-28 16:22:53 +0000 64) OCSP_REQ_CTX *OCSP_REQ_CTX_new(BIO *io, int maxline)
According to git blame, the only other person having had significant impact on that source file is Matt.
So @mattcaswell you seem to be the natural candidate to fill in the documentation for those old functions,
even more since you raised the demand for doing so 😉
Member
There was a problem hiding this comment.
I think my "significant impact" amounts to having run the automated script "openssl-format-source" script over the entire codebase. So, by that measure, I think its my job to document everything :-)
Contributor
There was a problem hiding this comment.
BTW, I still wonder why Stephen Henson left the project - when he did I could not find any reason explained.
Contributor
There was a problem hiding this comment.
I think my "significant impact" amounts to having run the automated script "openssl-format-source" script over the entire codebase. So, by that measure, I think its my job to document everything :-)
Matt's commit 0f113f3 is the great annotation wall. It's impossible to look through it, you need to climb over it if you want to blame other people.
Contributor
Author
There was a problem hiding this comment.
Since @levitte wrote the missing docs, I am resolving this issue.
Contributor
There was a problem hiding this comment.
Matt's commit 0f113f3 is the great annotation wall. It's impossible to look through it, you need to climb over it if you want to blame other people.
There is usually a way over, around, below, or through almost any wall 😉
As far as analyzing the change history is concerned, as already mentioned above, there is a very simple way:
git blame 0f113f3^ crypto/ocsp/ocsp_ht.c
I'm unresolving this (part of the) issue just to make my comment to @mspncp better visible.
levitte
requested changes
Jan 11, 2021
Contributor
Author
|
Rebased to get the 2021 updates for generated files. Added commit to address @levitte's feedback. |
Member
I assume there's going to be another update that includes moving documentation of OSSL_HTTP_REQ_CTX to |
Contributor
Author
To make sure I get it right: You want all |
Member
All |
Contributor
Author
|
I added a CHANGES entry and split some off into the new |
levitte
requested changes
Jan 12, 2021
Contributor
Author
|
@levitte thanks for the suggestions, they all seem reasonable. I've stopped working on this PR until the project decides it will be accepted (the issue @mattcaswell raised at #13742 (comment)). If not, and someone steps forward to document those functions, they are of course free to use this work if it will help. |
Member
|
So, uhm, someone blocks this PR for the lack of documentation, but no one is stepping up to write that documentation... am I getting the situation correctly? |
Contributor
Author
|
This is a good summary: #13742 (comment) The only thing worth adding is that I agreed to do the deprecation only. |
Member
|
I wasn't trying to point fingers at anyone in particular, just noted that the situation is a kinda catch-22... |
Contributor
Author
Sure, and I was likewise just trying to give a summary to help folks decide what to do. I'm sure this is exactly the kind of thing you want to think about just returning from your holidays. :) |
Member
Believe you me, this is light-weight 😉 |
Member
|
There. I took the opportunity to complete stuff I'd asked for that weren't done yet. |
Contributor
Author
|
I also pushed a fixup commit that fixes a typo and also adds some additional warnings to the new manpage. |
Member
|
So, uhm, @mattcaswell, does this meet your request at this point? |
levitte
approved these changes
Jan 14, 2021
Member
Member
|
@DDvO, you might want to re-approve... so much has been done since yours... |
DDvO
requested changes
Jan 14, 2021
Contributor
DDvO
left a comment
There was a problem hiding this comment.
A couple of small additions to be done in doc/man3/OCSP_sendreq_new.pod
and several more in doc/man3/OSSL_HTTP_REQ_CTX.pod.
Thanks for documenting both the old and the new functions!
Member
|
@DDvO's change request is big enough that there will be a need for re-approval. Stay tuned |
Member
|
My approval on stuff I haven't touched remains. @mattcaswell, @DDvO, please re-review |
Contributor
|
@levitte, LGTM apart from a single leftover: list |
Contributor
|
Please squash as far as appropriate |
Deprecations made:
OCSP_REQ_CTX typedef->OSSL_HTTP_REQ_CTX
OCSP_REQ_CTX_new->OSSL_HTTP_REQ_CTX_new
OCSP_REQ_CTX_free->OSSL_HTTP_REQ_CTX_free
OCSP_REQ_CTX_http-> OSSL_HTTP_REQ_CTX_header
OCSP_REQ_CTX_add1_header->OSSL_HTTP_REQ_CTX_add1_header
OCSP_REQ_CTX_i2d->OSSL_HTTP_REQ_CTX_i2d
OCSP_REQ_CTX_get0_mem_bio->OSSL_HTTP_REQ_CTX_get0_mem_bio
OCSP_set_max_response_length->OSSL_HTTP_REQ_CTX_set_max_response_length
OCSP_REQ_CTX_nbio_d2i->OSSL_HTTP_REQ_CTX_sendreq_d2i
OCSP_REQ_CTX_nbio->OSSL_HTTP_REQ_CTX_nbio
Made some editorial changes to man3/OCSP_sendreq.pod; move the NOTES
text inline. Some of the original functions had no documentation:
OCSP_REQ_CTX_new, OCSP_REQ_CTX_http, OCSP_REQ_CTX_get0_mem_bio,
OCSP_REQ_CTX_nbio_d2i, and OCSP_REQ_CTX_nbio. Their new counterparts
are now documented in doc/man3/OSSL_HTTP_REQ_CTX.pod
Fixes #12234
Co-authored-by: Richard Levitte <levitte@openssl.org>
Member
Done |
Contributor
|
@levitte, I'm not sure if you received a notification, but this should be ready to merge now. |
Member
|
I'm merging now |
openssl-machine
pushed a commit
that referenced
this pull request
Jan 19, 2021
Deprecations made:
OCSP_REQ_CTX typedef->OSSL_HTTP_REQ_CTX
OCSP_REQ_CTX_new->OSSL_HTTP_REQ_CTX_new
OCSP_REQ_CTX_free->OSSL_HTTP_REQ_CTX_free
OCSP_REQ_CTX_http-> OSSL_HTTP_REQ_CTX_header
OCSP_REQ_CTX_add1_header->OSSL_HTTP_REQ_CTX_add1_header
OCSP_REQ_CTX_i2d->OSSL_HTTP_REQ_CTX_i2d
OCSP_REQ_CTX_get0_mem_bio->OSSL_HTTP_REQ_CTX_get0_mem_bio
OCSP_set_max_response_length->OSSL_HTTP_REQ_CTX_set_max_response_length
OCSP_REQ_CTX_nbio_d2i->OSSL_HTTP_REQ_CTX_sendreq_d2i
OCSP_REQ_CTX_nbio->OSSL_HTTP_REQ_CTX_nbio
Made some editorial changes to man3/OCSP_sendreq.pod; move the NOTES
text inline. Some of the original functions had no documentation:
OCSP_REQ_CTX_new, OCSP_REQ_CTX_http, OCSP_REQ_CTX_get0_mem_bio,
OCSP_REQ_CTX_nbio_d2i, and OCSP_REQ_CTX_nbio. Their new counterparts
are now documented in doc/man3/OSSL_HTTP_REQ_CTX.pod
Fixes #12234
Co-authored-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from #13742)
Member
|
Merged 83b6dc8 Deprecate OCSP_xxx API for OSSL_HTTP_xxx |
baentsch
added a commit
to open-quantum-safe/openssl
that referenced
this pull request
Jan 22, 2021
* Update copyright years of auto-generated headers (make update) Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from openssl#13764) * crypto/win: Don't use disallowed APIs on UWP CreateFiber and ConvertThreadToFiber are not allowed in Windows Store (Universal Windows Platform) apps since they have been replaced by their Ex variants which have a new dwFlags parameter. This flag allows the fiber to do floating-point arithmetic in the fiber on x86, which would silently cause corruption otherwise since the floating-point state is not switched by default. Switch to these "new" APIs which were added in Vista. See: https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createfiberex#parameters Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#12400) * win-onecore: Build with /APPCONTAINER for UWP compat When targeting the win-onecore configuration, we must link with /APPCONTAINER which is a requirement for submitting apps to the Windows Store. Without this, the Windows App Certificate Kit will reject the app: https://docs.microsoft.com/en-us/cpp/build/reference/appcontainer-windows-store-app Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#12400) * EVP_SIGNATURE-ED25519.pod: fix typo in algo name CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13768) * 28-seclevel.cnf.in: fix typo in algo name CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13768) * Updated SSL_CTX_new doc Fixes openssl#13703 Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13741) * Use CRIOGET to fetch a crypto descriptor when present. FreeBSD's current /dev/crypto implementation requires that consumers clone a separate file descriptor via the CRIOGET ioctl that can then be used with other ioctls such as CIOCGSESSION. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from openssl#13468) * Support session information on FreeBSD. FreeBSD's /dev/crypto does not provide a CIOCGSESSINFO ioctl, but it does provide other ioctls that can be used to provide similar functionality. First, FreeBSD's /dev/crypto defines a CIOCGESSION2 ioctl which accepts a 'struct session2_op'. This structure extends 'struct session_op' with a 'crid' member which can be used to either request an individual driver by id, or a class of drivers via flags. To determine if the available drivers for a given algorithm are accelerated or not, use CIOCGESSION2 to first attempt to create an accelerated (hardware) session. If that fails, fall back to attempting a software session. In addition, when requesting a new cipher session, use the current setting of the 'use_softdrivers' flag to determine the value assigned to 'crid' when invoking CIOCGSESSION2. Finally, use the returned 'crid' value from CIOCGSESSION2 to look up the name of the associated driver via the CIOCFINDDEV ioctl. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from openssl#13468) * Mac M1 setting change proposal. Running tests takes very long with the current setting while it takes a lot shorter time with this change. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13771) * Only perform special TLS handling if TLS has been configured Skip over special TLS steps for stream ciphers if we haven't been configured for TLS. Fixes openssl#12528 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from openssl#13774) * Update copyright year Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from openssl#13800) * Prepare for release of 3.0 alpha 10 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> * Prepare for 3.0 alpha 11 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> * Fix set_ciphersuites ignore unknown ciphers. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#12100) * Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#12100) * Fixed error and return code. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#12100) * Remove extra space. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#12100) * Ensure DTLS free functions can handle NULL Our free functions should be able to deal with the case where the object being freed is NULL. This turns out to not be quite the case for DTLS related objects. Fixes openssl#13649 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13655) * [crypto/dh] side channel hardening for computing DH shared keys Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13783) * Adding TLS group name retrieval Function SSL_group_to_name() added, together with documentation and tests. This now permits displaying names of internal and external provider-implemented groups. Partial fix of openssl#13767 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13785) * [test] Add `pkey -check` validation tests Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13359) * [apps/pkey] Return error on failed `-[pub]check` Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13359) * [test][pkey_check] Add invalid SM2 key test SM2 private keys have different validation requirements than EC keys: this test checks one corner case highlighted in openssl#8435 As @bbbrumley mentioned in openssl#8435 (comment) this only fixes the absence of a regression test for validation of this kind of boundary issues for decoded SM2 keys. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13359) * Add SM2 private key range validation According to the relevant standards, the valid range for SM2 private keys is [1, n-1), where n is the order of the curve generator. For this reason we cannot reuse the EC validation function as it is, and we introduce a new internal function `sm2_key_private_check()`. Partially fixes openssl#8435 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13359) * [test][pkey_check] Add more invalid SM2 key tests Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13359) * replace 'unsigned const char' with 'const unsigned char' The openssl code base has only a few occurrences of 'unsigned const char' (15 occurrences), compared to the more common 'const unsigned char' (4420 occurrences). While the former is not illegal C, mixing the 'const' keyword (a 'type qualifier') in between 'unsigned' and 'char' (both 'type specifiers') is a bit odd. The background for writing this patch is not to be pedantic, but because the 'opmock' program (used to mock headers for unit tests) does not accept the 'unsigned const char' construct. While this definitely is a bug in opmock or one of its dependencies, openssl is the only piece of software we are using in combination with opmock that has this construct. CLA: trivial Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from openssl#13722) * Fix simpledynamic test compilation when condigured without DSO support. This fixes this compilation error: In file included from test/simpledynamic.c:13: test/simpledynamic.h:39:35: error: unknown type name 'SD' 39 | int sd_load(const char *filename, SD *sd, int type); | ^~ test/simpledynamic.h:40:12: error: unknown type name 'SD' 40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym); | ^~ test/simpledynamic.h:40:40: error: unknown type name 'SD_SYM' 40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym); | ^~~~~~ test/simpledynamic.h:41:14: error: unknown type name 'SD' 41 | int sd_close(SD lib); | ^~ make[1]: *** [Makefile:24670: test/moduleloadtest-bin-simpledynamic.o] Error 1 make[1]: *** Waiting for unfinished jobs.... In file included from test/moduleloadtest.c:19: test/simpledynamic.h:39:35: error: unknown type name 'SD' 39 | int sd_load(const char *filename, SD *sd, int type); | ^~ test/simpledynamic.h:40:12: error: unknown type name 'SD' 40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym); | ^~ test/simpledynamic.h:40:40: error: unknown type name 'SD_SYM' 40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym); | ^~~~~~ test/simpledynamic.h:41:14: error: unknown type name 'SD' 41 | int sd_close(SD lib); | ^~ Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13802) * Fix for negative return value from `SSL_CTX_sess_accept()` Fixes openssl#13183 From the original issue report, before this commit, on master and on 1.1.1, the issue can be detected with the following steps: - Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI, "Accept" count of default context gets incremented - After servername lookup, "Accept" count of default context gets decremented and that of SNI context is incremented - Server sends a "Hello Retry Request" - Client sends the second "Client Hello", now again "Accept" count of default context is decremented. Hence giving a negative value. This commit fixes it by adding a check on `s->hello_retry_request` in addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved only on the first ClientHello. CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from openssl#13297) * doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. Signed-off-by: Sahana Prasad <sahana@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from openssl#13814) * apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13712) * apps/pkey.c: Make clear that -passout is not supported for DER output Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13712) * apps/pkey.c: Re-order help output and option documentation Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13712) * apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13712) * APPS: Fix confusion between program and app/command name used in diagnostic/help output Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13799) * APPS: Print help also on -h and --h; print high-level help when no cmd given Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13799) * Close /dev/crypto file descriptor after CRIOGET ioctl(). Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from openssl#13807) * v3_ocsp.c: fix indentation of include directives Fixes openssl#13820 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from openssl#13822) * Configure: Check all SOURCE declarations, to ensure consistency If the given sources are GENERATEd, we check those generators as well. This ensures that the declarations in the diverse build.info files are consistent with existing files. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13824) * Configure: clean away perl syntax faults The faults aren't fatal (i.e. perl just shrugs), but are curious. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13824) * Configure: warn about duplicate GENERATE declarations in build.info files This sort of duplication is permitted, as the end result will be a single item anyway, but we might as well warn to avoid future confusion. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13824) * Remove duplicate GENERATE declarations for .pod files Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13824) * Use centralized fetching errors We've spread around FETCH_FAILED errors in quite a few places, and that gives somewhat crude error records, as there's no way to tell if the error was unavailable algorithms or some other error at such high levels. As an alternative, we take recording of these kinds of errors down to the fetching functions, which are in a much better place to tell what kind of error it was, thereby relieving the higher level calls from having to guess. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13467) * Clean away extraneous library specific FETCH_FAILED reason codes Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13467) * Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 Deprecate X509_NAME_hash() Document X509_NAME_hash_ex(), X509_NAME_hash(), X509_{subject,issuer}_name_hash() Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13762) * TEST: move cert, key, and CSR loading aux functions to new testutil/load.c Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13762) * Make PEM_X509_INFO_read_bio_ex() conservative on the error queue Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13762) * x509_vfy.c: Fix a regression in find_issuer() ...in case the candidate issuer cert is identical to the target cert. This is the v3.0.0 variant of openssl#13749 fixing openssl#13739 for v1.1.1. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13762) * Fix enable-weak-ssl-ciphers Commit e260bee broke the enable-weak-ssl-ciphers option. The stitched rc4-hmac-md5 cipher implementation did not recognise the tls_version parameter, and therefore was being incorrectly handled. Fixes openssl#13795 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from openssl#13803) * Fix incorrect use of BN_CTX API In some edge cases BN_CTX_end was being called without first calling BN_CTX_start. This creates a situation where the state of the big number allocator is corrupted and may lead to crashes. Fixes openssl#13812 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13813) * d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX() Partly fixes openssl#13754 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13755) * X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert This is the upstream fix for openssl#13698 reported for v1.1.1 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13755) * apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default Fixes openssl#13603 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * APPS: Allow OPENSSL_CONF to be empty, not loading a config file Also document the function CONF_get1_default_config_file() Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * apps/req.c: add -CA and -CAkey options; improve code and doc Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * apps/lib/opt.c: Fix error message on unknown option/digest Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * X509_PUBKEY_set(): Fix error reporting Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * apps/req.c: make -subj work with -x509; clean up related code Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert Also clean up some related auxiliary functions and documentation Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * apps/req.c: Add -copy_extensions option for use with -x509; default: none Fixes openssl#13708 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * apps/req.c: Cosmetic improvements of code and documentation Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * apps/req.c: Make sure -verify option takes effect also with -x509 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * chacha20: Properly reinitialize the cipher context with NULL key Same for chacha20-poly1305. The test_cipher_reinit and test_cipher_reinit_partialupdate is modified to test this case of cipher context reinitialization. Fixes openssl#13064 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#13850) * Make the OSSL_PARAM manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from openssl#13848) * Make the OSSL_SELF_TEST manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13849) * Make the OSSL_HTTP manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13847) * Make the OSSL_PROVIDER manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13845) * Make the OSSL_trace manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13842) * Make header references conform with man-pages(7) in all manuals Details from man-pages(7) that are used: Formatting conventions (general) ... Filenames (whether pathnames, or references to header files) are always in italics (e.g., <stdio.h>), except in the SYNOPSIS section, where in‐ cluded files are in bold (e.g., #include <stdio.h>). When referring to a standard header file include, specify the header file surrounded by angle brackets, in the usual C way (e.g., <stdio.h>). ... Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13843) * OPENSSL_cpuid_setup FreeBSD PowerPC update Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13821) * OPENSSL_cpuid_setup FreeBSD arm update. when possible using the getauxval equivalent which has similar ids as Linux, instead of bad instructions catch approach. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13650) * Skip BOM when reading the config file Fixes openssl#13840 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#13857) * Make the OSSL_CMP manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13846) * find_issuer(): When returning an expired issuer, take the most recently expired one Also point out in the documenting comment that a non-expired issuer is preferred. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13805) * Fix a crash with multi-threaded applications using the FIPS module The FIPS implementation of the ossl_ctx_thread_stop function needs to use an OSSL_LIB_CTX - but gets passed a provctx as an argument. It was assuming that these are the same thing (which was true at one point during development) - but that is no longer the case. The fix is to get the OSSL_LIB_CTX out of the provctx. Fixes openssl#13469 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13660) * Add a test for performing work in multiple concurrent threads We test both the default provider and the fips provider Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13660) * Document the core_thread_start upcall The core_thread_start upcall previously had a placeholder in the docs. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13660) * Lock the provider operation_bits The provider operation_bits array can see concurrent access by multiple threads and can be reallocated at any time. Therefore we need to ensure that it is appropriately locked. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13660) * Make sure we take the ctx->lock in ossl_lib_ctx_generic_new() The function ossl_lib_ctx_generic_new() modifies the exdata. This may be simultaneously being modified by other threads and therefore we need to make sure we take the lock before doing so. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13660) * Enable locking on the primary DRBG when we create it The primary DRBG may be shared across multiple threads and therefore we must use locking to access it. Previously we were enabling that locking lazily when we attempted to obtain one of the child DRBGs. Part of the process of enabling the lock, is to create the lock. But if we create the lock lazily then it is too late - we may race with other threads where each thread is independently attempting to enable the locking. This results in multiple locks being created - only one of which "sticks" and the rest are leaked. Instead we enable locking on the primary when we first create it. This is already locked and therefore we cannot race. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13660) * Extend the threads test to add simple fetch from multi threads Issue openssl#13682 suggests that doing a simple fetch from multi-threads may result in issues so we add a test for that. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13660) * Fix an issue in provider_activate_fallbacks() The above function was running while holding the store lock with a read lock. Unfortunately it actually modifies the store, so a write lock is required instead. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13660) * Fix a failure where fetches can return NULL in multi-threaded code When a fetch is attempted simultaneously from multiple threads then both threads can attempt to construct the method. However only one of those will get added to the global evp method store. The one that "lost" the race to add the method to the global evp method store ended up with the fetch call returning NULL, instead of returning the method that was already available. Fixes openssl#13682 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13660) * Enhance default provider documentation Bring Wiki and man page documentation in line regarding default provider fall-back behaviour. Fixes openssl#13844 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13859) * Correct typo in rsa_oaep.c Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13861) * Remove unused DRBG tests. The DRBG known answer tests are performed by evp_test and the old vectors are not used. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from openssl#13867) * Document openssl thread-safety Also discuss reference-counting, mutability and safety. Thanks to David Benjamin for pointing to comment text he added to boringSSL's header files. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13788) * Fix crypto/des/build.info !$disabled{mdc2} was used to determine if DES files should be included in providers/liblegacy.a. Use !$disabled{des} instead. Fixes openssl#13865 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13866) * Fix incomplete deprecation guard in test/sslapitest.c OPENSSL_NO_DEPRECATED_3_0 should be used rather than OPENSSL_NO_DEPRECATED, as the latter doesn't take the configuration option '--api=' in account. Fixes openssl#13865 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13866) * Allow EVP_PKEY private key objects to be created without a public component Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13855) * X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#13713) * bio_lib.c: Fix error queue entries and return codes on NULL args etc. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#13713) * replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#13713) * Update SERVER_HELLO_MAX_LENGTH Update constant to maximum permitted by RFC 8446 Fixes openssl#13868 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13874) * Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity To clarify the purpose of these two calls rename them to EVP_CIPHER_CTX_get_original_iv and EVP_CIPHER_CTX_get_updated_iv. Also rename the OSSL_CIPHER_PARAM_IV_STATE to OSSL_CIPHER_PARAM_UPDATED_IV to better align with the function name. Fixes openssl#13411 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13870) * CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**. Fixes openssl#13624 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#13668) * Fix PKCS7 potential segfault As the code that handles libctx, propq for PKCS7 is very similar to CMS code, a similiar fix for issue openssl#13624 needs to be applied. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#13668) * Fix memory leak in mac_newctx() on error Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#13702) * DOCS: Fix the last few remaining pass phrase options references There were a few lingering older style references to the pass phrase options section, now streamlined with all the others. Fixes openssl#13883 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13885) * Deprecate OCSP_xxx API for OSSL_HTTP_xxx Deprecations made: OCSP_REQ_CTX typedef->OSSL_HTTP_REQ_CTX OCSP_REQ_CTX_new->OSSL_HTTP_REQ_CTX_new OCSP_REQ_CTX_free->OSSL_HTTP_REQ_CTX_free OCSP_REQ_CTX_http-> OSSL_HTTP_REQ_CTX_header OCSP_REQ_CTX_add1_header->OSSL_HTTP_REQ_CTX_add1_header OCSP_REQ_CTX_i2d->OSSL_HTTP_REQ_CTX_i2d OCSP_REQ_CTX_get0_mem_bio->OSSL_HTTP_REQ_CTX_get0_mem_bio OCSP_set_max_response_length->OSSL_HTTP_REQ_CTX_set_max_response_length OCSP_REQ_CTX_nbio_d2i->OSSL_HTTP_REQ_CTX_sendreq_d2i OCSP_REQ_CTX_nbio->OSSL_HTTP_REQ_CTX_nbio Made some editorial changes to man3/OCSP_sendreq.pod; move the NOTES text inline. Some of the original functions had no documentation: OCSP_REQ_CTX_new, OCSP_REQ_CTX_http, OCSP_REQ_CTX_get0_mem_bio, OCSP_REQ_CTX_nbio_d2i, and OCSP_REQ_CTX_nbio. Their new counterparts are now documented in doc/man3/OSSL_HTTP_REQ_CTX.pod Fixes openssl#12234 Co-authored-by: Richard Levitte <levitte@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#13742) * cleaned internal crypto references; activated all tests * clarified provider activation Co-authored-by: Dr. David von Oheimb <David.von.Oheimb@siemens.com> Co-authored-by: Nirbheek Chauhan <nirbheek.chauhan@gmail.com> Co-authored-by: Etienne Millon <me@emillon.org> Co-authored-by: bazmoz <bazmoz@protonmail.com> Co-authored-by: John Baldwin <jhb@FreeBSD.org> Co-authored-by: David CARLIER <devnexen@gmail.com> Co-authored-by: Matt Caswell <matt@openssl.org> Co-authored-by: Otto Hollmann <otto@hollmann.cz> Co-authored-by: Billy Brumley <bbrumley@gmail.com> Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com> Co-authored-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> Co-authored-by: Romain Geissler <romain.geissler@amadeus.com> Co-authored-by: anupamam13 <anuavnd@gmail.com> Co-authored-by: Sahana Prasad <sahana@redhat.com> Co-authored-by: Dr. Matthias St. Pierre <matthias.st.pierre@ncp-e.com> Co-authored-by: Richard Levitte <levitte@openssl.org> Co-authored-by: Agustin Gianni <agustingianni@gmail.com> Co-authored-by: Tomas Mraz <tmraz@fedoraproject.org> Co-authored-by: Dmitry Belyavskiy <beldmit@gmail.com> Co-authored-by: Daniel Bevenius <daniel.bevenius@gmail.com> Co-authored-by: Pauli <ppzgs1@gmail.com> Co-authored-by: Rich Salz <rsalz@akamai.com> Co-authored-by: Jon Spillett <jon.spillett@oracle.com> Co-authored-by: Shane Lontis <shane.lontis@oracle.com> Co-authored-by: Kurt Roeckx <kurt@roeckx.be>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is the replacement for #13671. It deprecated various
OCSP_functions for theirOSSL_HTTP_replacements.I did not add documentation; things that were undocumented before, remain undocumented.
I also noticed that, arguably, some functions are missing; e.g., while there's
OSSL_HTTP_REQ_CTX_free, and there'sOCSP_sendreq_newwhich returns a context that free uses, there's no genericOSSL_HTTP_sendreq_new(or whatever the name should be). Things where were missing before, remain missing.This PR just renames functions as described/evolved in the comment thread in the other PR, especially #13671 (comment)