Commit Graph

30354 Commits

Author SHA1 Message Date
Pauli
722fe8edf2 kdf: Add PVK KDF to providers.
Add PIN Verification Key key derevation function to providers.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
2021-09-28 18:08:41 +10:00
Mingjun.Yang
8ba65c35ea Add sm2 encryption test case from GM/T 0003.5-2012
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16511)
2021-09-28 09:15:14 +03:00
Mattias Ellert
29a84567fb Fix variable name mis-match in example code
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16676)
2021-09-28 11:05:58 +10:00
Mattias Ellert
ce0502ce12 EVP_PKEY_keygen_init has no argument named pkey
int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);

So it should not mention it in the man page description.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16675)
2021-09-28 10:18:11 +10:00
Tianjia Zhang
8b6a7da304 ssl: Correct filename in README
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16671)
2021-09-27 09:39:17 +10:00
Pauli
a16ba5f375 ci: add additional operating system specific builds
These are an attempt to cover off on older OS versions that the main CIs
do not cover.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16669)
2021-09-27 08:40:38 +10:00
Pauli
63d0f4d2b0 Add changes entry indicating that the OBJ_* calls are now thread safe
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
2021-09-25 10:41:02 +10:00
Pauli
0855591e1f test: add threading test for object creation
In addition, rework the multi tests to use common code.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
2021-09-25 10:39:20 +10:00
Pauli
b66b024cf7 doc: add note to indicate that the OBJ_ functions were not thread safe in 3.0
Also remove OBJ_thread from the list of non-threadsafe functions.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
2021-09-25 10:39:20 +10:00
Pauli
06394a6cc7 doc: Document that the OBJ creation functions are now thread safe.
With the OBJ_ thread locking in place, these documentation changes are not
required.

This reverts commit 0218bcdd3f.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
2021-09-25 10:39:20 +10:00
Pauli
c568900c9a obj: add locking to the OBJ sigid calls
This is done using a single global lock.  The premise for this is that new
objects will most frequently be added at start up and never added subsequently.
Thus, the locking will be for read most of the time.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
2021-09-25 10:39:20 +10:00
Pauli
29c80c6004 obj: make new NIDs use tsan if possible
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
2021-09-25 10:39:20 +10:00
Pauli
397065c621 obj: make the OBJ_ calls thread safe
This is done using a single global lock.  The premise for this is that new
objects will most frequently be added at start up and never added subsequently.
Thus, the locking will be for read most of the time.

This does, however, introduce the overhead of taking an uncontested read lock
when accessing the object database.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
2021-09-25 10:39:20 +10:00
Pauli
b0b456f8c8 tsan: add an addition macro
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
2021-09-25 10:39:20 +10:00
Dr. David von Oheimb
75cce8ddee 80-test_cmp_http.t: Remove -certout option where not needed
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16052)
2021-09-24 16:35:05 +02:00
Dr. David von Oheimb
574246ae02 cmp_client_test.c: Remove needless dependency on NDEBUG
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16052)
2021-09-24 16:35:05 +02:00
Dmitry Belyavskiy
a5d8a2f8f1 FIPS and KTLS may interfere
New Linux kernels (>= 5.11) enable KTLS CHACHA which is not
FIPS-suitable.

Fixes #16657

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16658)
2021-09-24 11:06:51 +02:00
Dominic Letz
aa58071e4b Update 15-ios.conf
CLA: trivial

I assume this has been an error in the initial ios conf file. In order to build for ios the shared engine library, needs to be disabled because iOS doesn't have the concept of shared libraries. But instead of only disabling `dynamic-engine` (or like in this commit disabled the `shared`) option the previous config did disable `engine` and with that the `static-engine` compilation as well. This restores the `static-engine` option being enabled by default, but keeping compilation going on iOS.

Cheers!

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16659)
2021-09-24 11:03:09 +02:00
Pauli
e07102220a tls/ccm8: reduce the cipher strength for CCM8 ciphers to 64 bits
This is the length of the tag they use and should be considered an upper bound
on their strength.

This lowers their security strength to level 0.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16652)
2021-09-24 17:38:39 +10:00
Pauli
56ffcce492 doc: document the change to the security level of CCM8 cipher suites
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16652)
2021-09-24 17:38:23 +10:00
Pauli
1a473d1cc6 tls: reduce the strength of CCM_8 ciphers due to their short IV.
Fixes #16154

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16652)
2021-09-24 17:38:23 +10:00
slontis
c3b5fa4ab7 Change TLS RC4 cipher strength check to be data driven.
This is a same pattern as used in PR #16652

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16656)
2021-09-23 14:17:33 +02:00
Kelvin Lee
eeb612021e Explicitly #include <synchapi.h> is unnecessary
The header is already included by <windows.h> for WinSDK 8 or later.
Actually this causes problem for WinSDK 7.1 (defaults for VS2010) that
it does not have this header while SRW Locks do exist for Windows 7.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16603)
2021-09-23 14:07:18 +02:00
Tavis Ormandy
415e6ac804 increase x509 code coverage metrics
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16651)
2021-09-23 14:04:43 +02:00
Ulrich Müller
524f126110 Add default provider support for Keccak 224, 256, 384 and 512
Fixes issue openssl#13033

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16594)
2021-09-23 12:07:57 +10:00
Pauli
50aba7ffde doc: Fix include syntax
Internal headers should be included using "" instead of <>.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16647)
2021-09-22 18:55:34 +10:00
Mattias Ellert
c249f48778 Remove extra comma in man page example code
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16643)
2021-09-22 18:25:28 +10:00
Pauli
caf569a5b3 rand: don't free an mis-set pointer on error
This is adding robustness to the code.  The fix to not mis-set the pointer
is in #16636.

Fixes #16631

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16640)
2021-09-22 18:01:12 +10:00
Pauli
57cd10dd1e doc: remove end of line whitespace
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16641)
2021-09-22 16:22:50 +10:00
Dmitry Belyavskiy
52dcc01119 Avoid double-free on unsuccessful getting PRNG seeding
Fixes #16631

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16636)
2021-09-21 18:37:14 +02:00
Dmitry Belyavskiy
6923d261b8 Update the default value for the -nameopt option - documentation
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16583)
2021-09-21 14:08:41 +02:00
Dmitry Belyavskiy
537976defe NEWS and CHANGES are updated about switching to utf8
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16583)
2021-09-21 14:08:41 +02:00
Dmitry Belyavskiy
7e399f0382 Tests adjustments for default output change
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16583)
2021-09-21 14:08:41 +02:00
Dmitry Belyavskiy
7a27bdbdce Update gost-engine to match new default nameopt
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16583)
2021-09-21 14:08:41 +02:00
Dmitry Belyavskiy
86cfd132ff Use -nameopt utf8 by default
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16583)
2021-09-21 14:08:41 +02:00
Richard Levitte
dc18f036f1 Fix util/mkpod2html.pl to call pod2html with absolute paths
It turns out that on VMS, pod2html only recognises VMS directory
specifications if they contain a device name, which is accomplished by
making them absolute.  Otherwise, a VMS build that includes building
the document HTML files ends up with an error like this:

    $ perl [---.downloads.openssl-3_0-snap-20210916.util]mkpod2html.pl -i [---.downloads.openssl-3_0-snap-20210916.doc.man1]CA.pl.pod -o [.DOC.HTML.MAN1]CA.PL.HTML -t "CA.pl" -r "[---.downloads.openssl-3_0-snap-20210916.doc]"
    [---.downloads.openssl-3_0-snap-20210916.util]mkpod2html.pl: error changing to directory -/-/-/downloads/openssl-3_0-snap-20210916/doc/: no such file or directory
    %SYSTEM-F-ABORT, abort

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16626)
2021-09-21 11:05:53 +02:00
Pauli
08d8c2d87e ci: add copyright header to CI scripts
There is quite a bit of creative effort in these and even more trouble-
shooting effort.  I.e. they are non-trivial from a copyright perspective.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16628)
2021-09-21 18:02:58 +10:00
Arne Schwabe
d270a6c9ea Add missing mention of mandatory function OSSL_FUNC_keymgmt_has
The manual page provider-keymgmt.pod is missing the mention of the
required function OSSL_FUNC_keymgmt_has. The function
keymgmt_from_algorithm raise EVP_R_INVALID_PROVIDER_FUNCTIONS
if keymgmt->has == NULL

CLA: trivial
Signed-off-by: Arne Schwabe <arne@rfc2549.org>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16621)

(cherry picked from commit 56b8f434c7)
2021-09-21 10:52:21 +10:00
slontis
8d257d0dc6 Document that the openssl fipsinstall self test callback may not be used.
Fixes #16260

If the user autoloads a fips module from a config file, then it will run the self tests early (before the self test callback is set),
and they may not get triggered again during the fipsinstall process.
In order for this to happen there must already be a valid fips config file.
As the main purpose of the application is to generate the fips config file, this case has just been documented.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16475)
2021-09-20 09:32:07 +02:00
Tianjia Zhang
e396c114eb apps/s_client: Add ktls option
From openssl-3.0.0-alpha15, KTLS is turned off by default, even if
KTLS feature in compilation, which makes it difficult to use KTLS
through s_server/s_client, so a parameter option 'ktls' is added
to enable KTLS through cmdline.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16609)
2021-09-19 07:39:15 +10:00
Tianjia Zhang
e2ef7f1265 apps/s_server: Add ktls option
From openssl-3.0.0-alpha15, KTLS is turned off by default, even if
KTLS feature in compilation, which makes it difficult to use KTLS
through s_server/s_client, so a parameter option 'ktls' is added
to enable KTLS through cmdline.

At the same time, SSL_sendfile() depends on KTLS feature to work
properly, make parameters sendfile depend on parameters ktls.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16609)
2021-09-19 07:39:15 +10:00
Richard Levitte
bfbb62c3b0 Configurations/platform/Unix.pm: account for variants in sharedlib_simple()
OpenSSL 1.1.1 links the simple libcrypto.so to libcrypto_variant.so,
this was inadvertently dropped.

Fixes #16605

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16608)
2021-09-18 08:12:28 +02:00
Bernd Edlinger
a7f58bdc1a Fix the parameter type of gf_serialize
It is better to use array bounds for improved
gcc warning checks.

While "uint8_t*" allows arbitrary pointer arithmetic
using "uint8_t[SER_BYTES]" limits the pointer arithmetic
to the range 0..SER_BYTES.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16376)
2021-09-17 14:44:41 +02:00
Matt Caswell
9e51f87793 Clarify what SSL_get_session() does on the server side in TLSv1.3
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16582)
2021-09-17 14:33:23 +02:00
Matt Caswell
4603b782e6 Correct the documentation for SSL_set_num_tickets()
The behaviour for what happens in a resumption connection was not quite
described correctly.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16582)
2021-09-17 14:33:23 +02:00
Dr. David von Oheimb
39a8d4e132 APPS/cmp.c: Move warning on overlong section name to make it effective again
Fixes #16585

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16586)
2021-09-17 10:02:52 +02:00
Tomas Mraz
e59bfbaa2d providers: Do not use global EVP_CIPHERs and EVP_MDs
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16600)
2021-09-15 14:07:55 +02:00
Dr. David von Oheimb
1ed3249f25 80-test_cmp_http.t: Fix handling of empty HTTP proxy string
Fixes #16546

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16593)
2021-09-14 15:01:00 +02:00
lprimak
24cdb1bfec MacOS prior to 10.12 does not support random API correctly
Fixes #16517

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16592)
2021-09-14 14:50:39 +02:00
Viktor Szakats
ea0d79db9b convert tabs to spaces in two distributed Perl scripts
Also fix indentation in c_rehash.in to 4 spaces, where a mixture of 4 and 8
spaces was used before, in addition to tabs.

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16459)
2021-09-14 07:21:22 +10:00