Commit Graph

3978 Commits

Author SHA1 Message Date
Pauli
bc2a4225a4 fipsinstall: add -pedantic option
This adds a -pedantic option to fipsinstall that adjusts the various
settings to ensure strict FIPS compliance rather than backwards
compatibility.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20752)
2023-04-20 09:21:51 +10:00
Dr. David von Oheimb
25b18e629d crypto/cmp: fix CertReqId to use in p10cr transactions acc. to RFC 4210
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20298)
2023-04-18 07:26:11 +02:00
GauriSpears
7eab7680ee List also non-fetchable hashes in openssl dgst -list
CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20651)
2023-04-14 14:40:41 +02:00
Michael Baentsch
4557e28008 Provider-based KEM and SIG alg speed testing added
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/19968)
2023-03-31 14:19:18 -04:00
Matt Caswell
d07b763bb9 Add a new advanced command mode to s_client
The s_client command mode just looks at the first letter on a line
and if it is one that maps to a "command" then that command is executed
and everything else on the line is ignored.

This means it is impossible to send anything over s_client that starts with
one of the "magic" letters unless you switch off command processing
entirely.

With the forthcoming quic support that will be added to s_client we expect
a significant new number of commands being added (for example to send fin
on a stream, or to list or swap between different streams, etc). This will
use up more "letters" and reduces the usability of s_client.

This PR adds a new "advanced" command processing mode. Commands are enclosed
in braces {}, and can appear anywhere in the text typed into s_client. A
brace can be escaped by sending a double {{. This gives much more
flexibility without reducing the usability of s_client. Commands can also
have "arguments" which also extends the scope of what they can be used for.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20566)
2023-03-30 08:53:39 +01:00
Michael Baentsch
7c966ab6b3 remove DSA512 from speed testing
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20603)
2023-03-30 12:26:50 +11:00
Pauli
b345dbed28 Let fipsinstall know about DRBG digiest limiting
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)
2023-03-29 09:25:58 +11:00
Todd Short
3c95ef22df RFC7250 (RPK) support
Add support for the RFC7250 certificate-type extensions.
Alows the use of only private keys for connection (i.e. certs not needed).

Add APIs
Add unit tests
Add documentation
Add s_client/s_server support

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18185)
2023-03-28 13:49:54 -04:00
Dr. David von Oheimb
46032426e4 apps/lib/http_server.c: improve diagnostics, e.g., on port number already in use
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19947)
2023-03-25 10:31:39 +01:00
Dr. David von Oheimb
4b0c27d445 CMP add: fix -reqin option, which requires adding OSSL_CMP_MSG_update_recipNonce()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20204)
2023-03-25 09:55:26 +01:00
Dr. David von Oheimb
f1e144f277 apps/cmp.c: make sure that last -reqin argument is actually used
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20204)
2023-03-25 09:55:04 +01:00
Dr. David von Oheimb
77aa006976 CMP app: improve doc and help output on -{req,rsp}{in,out} options
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20204)
2023-03-25 09:55:04 +01:00
Aleksey Sanin
438068674b Added tests and updated help
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19898)
2023-03-23 11:09:17 +11:00
Aleksey Sanin
535ddd3752 Add an option to specify number of bits in the subprime (q) when generating DSA keys
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19898)
2023-03-23 11:09:17 +11:00
Pauli
dc43f080c5 Include the default iteration count in the help for the enc command
The only way to discover this otherwise is looking at the code.

Fixes #20466

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20471)
2023-03-20 08:24:26 +11:00
Čestmír Kalina
6dfa998f7e providers: add Argon2 KDF
https://datatracker.ietf.org/doc/rfc9106/

Signed-off-by: Čestmír Kalina <ckalina@redhat.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12256)
2023-03-17 11:12:47 +11:00
Dmitry Belyavskiy
07626ea9e5 Avoid erroneous diagnostics in speed measuring
Fixes #20291

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20306)
2023-03-15 08:46:54 +11:00
Dr. David von Oheimb
0e89b39619 apps/x509 etc.: allow private key input when public key is expected
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19076)
2023-03-14 17:26:49 +01:00
Dr. David von Oheimb
091fef4936 apps/{dsa,ec,rsa,pkey}.c: harmonize coding w.r.t. 'pubin' variable
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19076)
2023-03-14 17:26:49 +01:00
slontis
50ea5cdcb7 Add option to FIPS module to enforce EMS check during KDF TLS1_PRF.
Fixes #19989

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20241)
2023-03-07 18:24:45 +01:00
Michael Baentsch
ee58915cfd first cut at sigalg loading
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19312)
2023-02-24 11:02:48 +11:00
slontis
2c1ec72a7a Add help for pkeyopt values for the genpkey commandline app.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/19931)
2023-02-23 10:12:35 -05:00
Dr. David von Oheimb
6b58f498b3 OSSL_CMP_certConf_cb(): fix regression on checking newly enrolled cert
Also add corresponding tests and to this end update credentials

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20160)
2023-02-13 11:56:10 +01:00
Dr. David von Oheimb
6f88876d4e cmp_client_test.c: add tests for errors reported by server on subsequent requests in a transaction
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20190)
2023-02-08 17:05:47 +01:00
Dr. David von Oheimb
260878f7aa CMP app and doc: improve texts on (un-)trusted certs, srvCert, etc.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19946)
2023-02-08 16:29:00 +01:00
besher
8e2552b1ea Fix a potential memory leak in apps/s_server.c
Allocate memory for a new SSL session.
If any of these steps fail,
free the key memory and the tmpsess object
before returning 0 to prevent a memory leak.

Fixes: #20110

CLA: trivial

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20213)
2023-02-08 09:47:45 -05:00
Dmitry Belyavskiy
98283a61f5 Enable some disabled __owurs
Fixes #15902

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/15905)
2023-02-07 11:56:27 -05:00
Dr. David von Oheimb
323c47532e APPS/{storeutl,gendsa}: give error on extra arguments, improve doc
Point out that options must be given before the final file/URI arg.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20156)
2023-02-02 08:58:10 +01:00
Dr. David von Oheimb
fedab100a4 APPS load_key_certs_crls(): improve diagnostics on not finding expected types of contents
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20156)
2023-02-02 08:58:10 +01:00
Dr. David von Oheimb
342e3652c7 APPS: generated certs bear X.509 V3, unless -x509v1 option of req app is given
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19271)
2023-01-24 15:16:47 +01:00
Dr. David von Oheimb
66fc90f18c apps/req.c: properly report parse errors by duplicated(); simplify the function
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19271)
2023-01-24 15:16:25 +01:00
FdaSilvaYY
91b968bc8e Typos fixing
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20109)
2023-01-24 11:03:20 +00:00
FdaSilvaYY
4a6e5a11c7 Fix windows builds
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20109)
2023-01-24 11:03:19 +00:00
Tomas Mraz
3b1c0c8f3c pkey: Imply public check if -pubin is specified
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20044)
2023-01-17 12:18:50 +01:00
Dr. David von Oheimb
60c3d732b7 CMP app: fix file output of certs and cert lists on non-existing cert(s)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20035)
2023-01-16 08:32:52 +01:00
Pauli
a167e048a4 Coverity: fix 272011 resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19900)
2022-12-15 11:30:49 +11:00
Simo Sorce
abdf35158e Fix openssl storeutl to allow serial + issuer
storeutl wants to enforce the use of issuer and serial together,
however the current code prevents to use them together and returns an
error if only one of them is specified.

Signed-off-by: Simo Sorce <simo@redhat.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19856)
2022-12-14 09:33:25 +01:00
wangyuhang
efec0f4611 unbuffer stdin before get passwd from stdin
commond LD_LIBRARY_PATH= openssl rsa -aes256 -passout stdin <<< "xxxxxx” will get pass(fun app_get_pass()) from stdin first, and then load key(fun load_key()). but it unbuffer stdin before load key, this will cause the load key to fail.

now unbuffer stdin before get pass, this will solve https://github.com/openssl/openssl/issues/19835

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19851)
2022-12-12 07:23:37 +11:00
Dr. David von Oheimb
084d3afd26 Compensate for CMP-related TODOs removed by PR #15539
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/16006)
2022-12-07 21:57:36 +01:00
Peiwei Hu
25d02f333b Fix the check of BIO_set_write_buffer_size and BIO_set_read_buffer_size
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19819)
2022-12-05 13:04:18 +01:00
Peiwei Hu
4c3fadfe57 Fix the checks in rsautl_main
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19819)
2022-12-05 13:04:18 +01:00
Tomas Mraz
d861bc03ee Fix build on NonStop
Fixes #19810

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19811)
2022-12-05 11:32:19 +01:00
Dr. David von Oheimb
1c04866c67 OSSL_CMP_CTX_reinit(): fix missing reset of ctx->genm_ITAVs
Otherwise, further OSSL_CMP_exec_GENM_ses() calls will go wrong.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19216)
2022-11-25 09:19:34 +01:00
Dr. David von Oheimb
19ddcc4cbb CMP: fix status held in OSSL_CMP_CTX, in particular for genp messages
On this occasion, replace magic constants by mnemonic ones; update doc

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19205)
2022-11-24 14:00:46 +01:00
Maxim Mikityanskiy
cd715b7e7f Add support for KTLS zerocopy sendfile on Linux
TLS device offload allows to perform zerocopy sendfile transmissions.
FreeBSD provides this feature by default, and Linux 5.19 introduced it
as an opt-in. Zerocopy improves the TX rate significantly, but has a
side effect: if the underlying file is changed while being transmitted,
and a TCP retransmission happens, the receiver may get a TLS record
containing both new and old data, which leads to an authentication
failure and termination of connection. This effect is the reason Linux
makes a copy on sendfile by default.

This commit adds support for TLS zerocopy sendfile on Linux disabled by
default to avoid any unlikely backward compatibility issues on Linux,
although sacrificing consistency in OpenSSL's behavior on Linux and
FreeBSD. A new option called KTLSTxZerocopySendfile is added to enable
the new zerocopy behavior on Linux. This option should be used when the
the application guarantees that the file is not modified during
transmission, or it doesn't care about breaking the connection.

The related documentation is also added in this commit. The unit test
added doesn't test the actual functionality (it would require specific
hardware and a non-local peer), but solely checks that it's possible to
set the new option flag.

Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Boris Pismenny <borisp@nvidia.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18650)
2022-11-24 13:19:37 +01:00
Daniel Fiala
18af4d154c Make parsing of piped data in speed.c more robust
Fixes openssl#19050

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19238)
2022-11-24 10:10:04 +01:00
FdaSilvaYY
f2a6f83862 Cleanup : directly include of internal/nelem.h when required.
And so clean a few useless includes

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19721)
2022-11-23 18:08:25 +01:00
Simo Sorce
2fea568327 Drop explicit check for engines in opt_legacy_okay
The providers indication should always indicate that this is not a
legacy request.
This makes a check for engines redundant as the default return is that
legacy is ok if there are no explicit providers.

Fixes #19662

Signed-off-by: Simo Sorce <simo@redhat.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19671)
2022-11-16 17:05:58 +01:00
Peiwei Hu
9dd009dd51 apps/speed.c: fix the wrong checks
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19678)
2022-11-16 16:43:25 +01:00
GW
93e1271eed apps/ocsp.c: Add missing test if make_ocsp_response failed
CLA: trivial

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19660)
2022-11-15 11:59:30 +01:00