Commit Graph

30382 Commits

Author SHA1 Message Date
Bernd Edlinger
64da15c40d Replace the AES-128-CBC-HMAC-SHA1 cipher in e_ossltest.c
This replaces the AES-128-CBC-HMAC-SHA1 cipher with a
non-encrypting version for use the test suite.

[extended tests]

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16693)
2021-10-06 15:18:10 +02:00
Bernd Edlinger
39ed07454d Remove OPENSSL_ia32cap overrides in various test scripts
The removed override was: OPENSSL_ia32cap=~0x200000200000000
which disables AESNI codepaths and PCLMULQDQ (useful for ghash).
It is unclear why this was done, but it probably just hides bugs.

[extended tests]

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16693)
2021-10-06 15:18:09 +02:00
Bernd Edlinger
6f6a5e0c7c Fix a memory leak in the afalg engine
Fixes: #16743

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16744)
2021-10-06 15:09:51 +02:00
Dmitry Belyavskiy
59cd0bc136 Fix for the dasync engine
Fixes: #16724
Fixes: #16735

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16734)
2021-10-06 14:26:14 +02:00
Tianjia Zhang
a596d38a8c obj: Add SM4 GCM/CCM OID
Add the following OID:

  SM4-GCM: 1.2.156.10197.1.104.8
  SM4-CCM: 1.2.156.10197.1.104.9

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16731)
2021-10-05 12:47:37 +02:00
Mark Fedorov
657d1927c6 RISC-V support for the SHA256
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16710)
2021-10-04 11:27:22 +02:00
Dr. David von Oheimb
34901b0c39 BIO_f_ssl.pod: Make clear where an SSL BIOs are expected as an argument
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16688)
2021-10-04 10:55:39 +02:00
Dr. David von Oheimb
2342d9b650 apps/lib/s_socket.c: Fix mem leak on host name in init_client()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16688)
2021-10-04 10:55:39 +02:00
Dr. David von Oheimb
dce910af3b Fix ssl_free() and thus BIO_free() to respect BIO_NOCLOSE
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16688)
2021-10-04 10:55:39 +02:00
Russ Butler
19e277dd19 aarch64: support BTI and pointer authentication in assembly
This change adds optional support for
- Armv8.3-A Pointer Authentication (PAuth) and
- Armv8.5-A Branch Target Identification (BTI)
features to the perl scripts.

Both features can be enabled with additional compiler flags.
Unless any of these are enabled explicitly there is no code change at
all.

The extensions are briefly described below. Please read the appropriate
chapters of the Arm Architecture Reference Manual for the complete
specification.

Scope
-----

This change only affects generated assembly code.

Armv8.3-A Pointer Authentication
--------------------------------

Pointer Authentication extension supports the authentication of the
contents of registers before they are used for indirect branching
or load.

PAuth provides a probabilistic method to detect corruption of register
values. PAuth signing instructions generate a Pointer Authentication
Code (PAC) based on the value of a register, a seed and a key.
The generated PAC is inserted into the original value in the register.
A PAuth authentication instruction recomputes the PAC, and if it matches
the PAC in the register, restores its original value. In case of a
mismatch, an architecturally unmapped address is generated instead.

With PAuth, mitigation against ROP (Return-oriented Programming) attacks
can be implemented. This is achieved by signing the contents of the
link-register (LR) before it is pushed to stack. Once LR is popped,
it is authenticated. This way a stack corruption which overwrites the
LR on the stack is detectable.

The PAuth extension adds several new instructions, some of which are not
recognized by older hardware. To support a single codebase for both pre
Armv8.3-A targets and newer ones, only NOP-space instructions are added
by this patch. These instructions are treated as NOPs on hardware
which does not support Armv8.3-A. Furthermore, this patch only considers
cases where LR is saved to the stack and then restored before branching
to its content. There are cases in the code where LR is pushed to stack
but it is not used later. We do not address these cases as they are not
affected by PAuth.

There are two keys available to sign an instruction address: A and B.
PACIASP and PACIBSP only differ in the used keys: A and B, respectively.
The keys are typically managed by the operating system.

To enable generating code for PAuth compile with
-mbranch-protection=<mode>:

- standard or pac-ret: add PACIASP and AUTIASP, also enables BTI
  (read below)
- pac-ret+b-key: add PACIBSP and AUTIBSP

Armv8.5-A Branch Target Identification
--------------------------------------

Branch Target Identification features some new instructions which
protect the execution of instructions on guarded pages which are not
intended branch targets.

If Armv8.5-A is supported by the hardware, execution of an instruction
changes the value of PSTATE.BTYPE field. If an indirect branch
lands on a guarded page the target instruction must be one of the
BTI <jc> flavors, or in case of a direct call or jump it can be any
other instruction. If the target instruction is not compatible with the
value of PSTATE.BTYPE a Branch Target Exception is generated.

In short, indirect jumps are compatible with BTI <j> and <jc> while
indirect calls are compatible with BTI <c> and <jc>. Please refer to the
specification for the details.

Armv8.3-A PACIASP and PACIBSP are implicit branch target
identification instructions which are equivalent with BTI c or BTI jc
depending on system register configuration.

BTI is used to mitigate JOP (Jump-oriented Programming) attacks by
limiting the set of instructions which can be jumped to.

BTI requires active linker support to mark the pages with BTI-enabled
code as guarded. For ELF64 files BTI compatibility is recorded in the
.note.gnu.property section. For a shared object or static binary it is
required that all linked units support BTI. This means that even a
single assembly file without the required note section turns-off BTI
for the whole binary or shared object.

The new BTI instructions are treated as NOPs on hardware which does
not support Armv8.5-A or on pages which are not guarded.

To insert this new and optional instruction compile with
-mbranch-protection=standard (also enables PAuth) or +bti.

When targeting a guarded page from a non-guarded page, weaker
compatibility restrictions apply to maintain compatibility between
legacy and new code. For detailed rules please refer to the Arm ARM.

Compiler support
----------------

Compiler support requires understanding '-mbranch-protection=<mode>'
and emitting the appropriate feature macros (__ARM_FEATURE_BTI_DEFAULT
and __ARM_FEATURE_PAC_DEFAULT). The current state is the following:

-------------------------------------------------------
| Compiler | -mbranch-protection | Feature macros     |
+----------+---------------------+--------------------+
| clang    | 9.0.0               | 11.0.0             |
+----------+---------------------+--------------------+
| gcc      | 9                   | expected in 10.1+  |
-------------------------------------------------------

Available Platforms
------------------

Arm Fast Model and QEMU support both extensions.

https://developer.arm.com/tools-and-software/simulation-models/fast-models
https://www.qemu.org/

Implementation Notes
--------------------

This change adds BTI landing pads even to assembly functions which are
likely to be directly called only. In these cases, landing pads might
be superfluous depending on what code the linker generates.
Code size and performance impact for these cases would be negligible.

Interaction with C code
-----------------------

Pointer Authentication is a per-frame protection while Branch Target
Identification can be turned on and off only for all code pages of a
whole shared object or static binary. Because of these properties if
C/C++ code is compiled without any of the above features but assembly
files support any of them unconditionally there is no incompatibility
between the two.

Useful Links
------------

To fully understand the details of both PAuth and BTI it is advised to
read the related chapters of the Arm Architecture Reference Manual
(Arm ARM):
https://developer.arm.com/documentation/ddi0487/latest/

Additional materials:

"Providing protection for complex software"
https://developer.arm.com/architectures/learn-the-architecture/providing-protection-for-complex-software

Arm Compiler Reference Guide Version 6.14: -mbranch-protection
https://developer.arm.com/documentation/101754/0614/armclang-Reference/armclang-Command-line-Options/-mbranch-protection?lang=en

Arm C Language Extensions (ACLE)
https://developer.arm.com/docs/101028/latest

Addional Notes
--------------

This patch is a copy of the work done by Tamas Petz in boringssl. It
contains the changes from the following commits:

aarch64: support BTI and pointer authentication in assembly
    Change-Id: I4335f92e2ccc8e209c7d68a0a79f1acdf3aeb791
    URL: https://boringssl-review.googlesource.com/c/boringssl/+/42084
aarch64: Improve conditional compilation
    Change-Id: I14902a64e5f403c2b6a117bc9f5fb1a4f4611ebf
    URL: https://boringssl-review.googlesource.com/c/boringssl/+/43524
aarch64: Fix name of gnu property note section
    Change-Id: I6c432d1c852129e9c273f6469a8b60e3983671ec
    URL: https://boringssl-review.googlesource.com/c/boringssl/+/44024

Change-Id: I2d95ebc5e4aeb5610d3b226f9754ee80cf74a9af

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16674)
2021-10-01 09:35:38 +02:00
Amit Kulkarni
ce28929409 doc: crypto(7) - fix typo
CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16695)
2021-10-01 09:33:53 +02:00
Viktor Dukhovni
a8cc0efe0d Fully initialise cipher/digest app handles
This avoids a crash in e.g. `openssl chacha20` as reported by
Steffen Nurpmeso on openssl-users.

Resolves: #16713

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16714)
2021-10-01 11:03:46 +10:00
Dr. Matthias St. Pierre
f8dd5869bc doc/man3/SSL_set_fd.pod: add note about Windows compiler warning
According to an old stackoverflow thread [1], citing an even older comment by
Andy Polyakov (1875e6db29, Pull up Win64 support from 0.9.8., 2005-07-05),
a cast of 'SOCKET' (UINT_PTR) to 'int' does not create a problem, because although
the documentation [2] claims that the upper limit is INVALID_SOCKET-1 (2^64 - 2),
in practice the socket() implementation on Windows returns an index into the kernel
handle table, the size of which is limited to 2^24 [3].

Add this note to the manual page to avoid unnecessary roundtrips to StackOverflow.

[1] https://stackoverflow.com/questions/1953639/is-it-safe-to-cast-socket-to-int-under-win64
[2] https://docs.microsoft.com/en-us/windows/win32/winsock/socket-data-type-2
[3] https://docs.microsoft.com/en-us/windows/win32/sysinfo/kernel-objects

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16699)
2021-09-30 14:03:16 +02:00
marcfedorow
611685adc0 RISC-V support for the SHA512
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16638)
2021-09-30 20:45:17 +10:00
Erik Lax
0865200fe5 Update manual to reference the IANA TLS Cipher Suites Registry
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16179)
2021-09-30 12:20:01 +02:00
Erik Lax
d1b26ddbf6 Allow cipher strings to be given using its standard name
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16179)
2021-09-30 12:20:01 +02:00
Tomas Mraz
398ae82316 BIO_ctrl: Avoid spurious error being raised on NULL bio parameter
Some of the functions are being called on NULL bio with the
expectation that such call will not raise an error.

Fixes #16681

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16686)
2021-09-28 12:12:32 +02:00
Tianjia Zhang
c2ee608a23 providers: Add SM4 GCM implementation
The GCM mode of the SM4 algorithm is specifieded by RFC8998.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16491)
2021-09-28 19:27:58 +10:00
Peiwei Hu
d8f6c533cf Fix return value of BIO_free
CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16682)
2021-09-28 19:25:30 +10:00
Peiwei Hu
9efdf4ad6b Fix some documentation errors
CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16684)
2021-09-28 18:16:39 +10:00
Tianjia Zhang
105af0ad92 ssl: Correct comment for ssl3_read_bytes()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16680)
2021-09-28 18:13:53 +10:00
Pauli
2d34e5b2ec test: add some PVK KDF unit test cases
These cases were generated using OpenSSL.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
2021-09-28 18:08:42 +10:00
Pauli
c8ffd2201b changes: note that PVK KDF has moved to the legacy provider
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
2021-09-28 18:08:42 +10:00
Pauli
5fae7b432e doc: note that these KDFs require the legacy provider to be available
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
2021-09-28 18:08:42 +10:00
Pauli
4eb27149f0 doc: include PVK KDFdocumentation in build.info
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
2021-09-28 18:08:42 +10:00
Pauli
4667b0f073 include PVK KDF in legacy provider algorithm list
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
2021-09-28 18:08:41 +10:00
Pauli
fc9eda53bc doc: add page for PVK KDF
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
2021-09-28 18:08:41 +10:00
Pauli
1ffac6ca17 pvk: use PVK KDF
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
2021-09-28 18:08:41 +10:00
Pauli
722fe8edf2 kdf: Add PVK KDF to providers.
Add PIN Verification Key key derevation function to providers.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
2021-09-28 18:08:41 +10:00
Mingjun.Yang
8ba65c35ea Add sm2 encryption test case from GM/T 0003.5-2012
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16511)
2021-09-28 09:15:14 +03:00
Mattias Ellert
29a84567fb Fix variable name mis-match in example code
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16676)
2021-09-28 11:05:58 +10:00
Mattias Ellert
ce0502ce12 EVP_PKEY_keygen_init has no argument named pkey
int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);

So it should not mention it in the man page description.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16675)
2021-09-28 10:18:11 +10:00
Tianjia Zhang
8b6a7da304 ssl: Correct filename in README
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16671)
2021-09-27 09:39:17 +10:00
Pauli
a16ba5f375 ci: add additional operating system specific builds
These are an attempt to cover off on older OS versions that the main CIs
do not cover.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16669)
2021-09-27 08:40:38 +10:00
Pauli
63d0f4d2b0 Add changes entry indicating that the OBJ_* calls are now thread safe
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
2021-09-25 10:41:02 +10:00
Pauli
0855591e1f test: add threading test for object creation
In addition, rework the multi tests to use common code.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
2021-09-25 10:39:20 +10:00
Pauli
b66b024cf7 doc: add note to indicate that the OBJ_ functions were not thread safe in 3.0
Also remove OBJ_thread from the list of non-threadsafe functions.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
2021-09-25 10:39:20 +10:00
Pauli
06394a6cc7 doc: Document that the OBJ creation functions are now thread safe.
With the OBJ_ thread locking in place, these documentation changes are not
required.

This reverts commit 0218bcdd3f.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
2021-09-25 10:39:20 +10:00
Pauli
c568900c9a obj: add locking to the OBJ sigid calls
This is done using a single global lock.  The premise for this is that new
objects will most frequently be added at start up and never added subsequently.
Thus, the locking will be for read most of the time.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
2021-09-25 10:39:20 +10:00
Pauli
29c80c6004 obj: make new NIDs use tsan if possible
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
2021-09-25 10:39:20 +10:00
Pauli
397065c621 obj: make the OBJ_ calls thread safe
This is done using a single global lock.  The premise for this is that new
objects will most frequently be added at start up and never added subsequently.
Thus, the locking will be for read most of the time.

This does, however, introduce the overhead of taking an uncontested read lock
when accessing the object database.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
2021-09-25 10:39:20 +10:00
Pauli
b0b456f8c8 tsan: add an addition macro
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
2021-09-25 10:39:20 +10:00
Dr. David von Oheimb
75cce8ddee 80-test_cmp_http.t: Remove -certout option where not needed
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16052)
2021-09-24 16:35:05 +02:00
Dr. David von Oheimb
574246ae02 cmp_client_test.c: Remove needless dependency on NDEBUG
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16052)
2021-09-24 16:35:05 +02:00
Dmitry Belyavskiy
a5d8a2f8f1 FIPS and KTLS may interfere
New Linux kernels (>= 5.11) enable KTLS CHACHA which is not
FIPS-suitable.

Fixes #16657

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16658)
2021-09-24 11:06:51 +02:00
Dominic Letz
aa58071e4b Update 15-ios.conf
CLA: trivial

I assume this has been an error in the initial ios conf file. In order to build for ios the shared engine library, needs to be disabled because iOS doesn't have the concept of shared libraries. But instead of only disabling `dynamic-engine` (or like in this commit disabled the `shared`) option the previous config did disable `engine` and with that the `static-engine` compilation as well. This restores the `static-engine` option being enabled by default, but keeping compilation going on iOS.

Cheers!

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16659)
2021-09-24 11:03:09 +02:00
Pauli
e07102220a tls/ccm8: reduce the cipher strength for CCM8 ciphers to 64 bits
This is the length of the tag they use and should be considered an upper bound
on their strength.

This lowers their security strength to level 0.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16652)
2021-09-24 17:38:39 +10:00
Pauli
56ffcce492 doc: document the change to the security level of CCM8 cipher suites
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16652)
2021-09-24 17:38:23 +10:00
Pauli
1a473d1cc6 tls: reduce the strength of CCM_8 ciphers due to their short IV.
Fixes #16154

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16652)
2021-09-24 17:38:23 +10:00
slontis
c3b5fa4ab7 Change TLS RC4 cipher strength check to be data driven.
This is a same pattern as used in PR #16652

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16656)
2021-09-23 14:17:33 +02:00