Commit Graph

1501 Commits

Author SHA1 Message Date
Čestmír Kalina
6dfa998f7e providers: add Argon2 KDF
https://datatracker.ietf.org/doc/rfc9106/

Signed-off-by: Čestmír Kalina <ckalina@redhat.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12256)
2023-03-17 11:12:47 +11:00
Richard Levitte
aa2d7e0ee1 Use $config{build_file} instead of $target{build_file}
If the user specifies an alternative build file than the default, this
alternative is recorded in $config{build_file}, not $target{build_file}.
Therefore, the former should be used, leaving the latter as a mere default.

This is a bug.  While fixing it, document it better too.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20173)
2023-02-01 08:30:04 +01:00
Hugo Landau
f71ae05a4d QUIC: Dummy Handshake Layer for Prototyping
This disables -Wtype-limits /
-Wtautological-constant-out-of-range-compare. Since it generates
warnings for valid and reasonable code, IMO this actually encourages
people to write worse code.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19703)
2023-01-13 13:20:09 +00:00
Todd Short
59d21298df Convert ZLIB defines to OPENSSL_NO_ZLIB
Use the normal OPENSSL_NO_ prefix to enable/disable ZLIB
Make `BIO_f_zlib()` always available.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18186)
2022-10-18 09:30:21 -04:00
Todd Short
caf9317d7d Add ZSTD compression support (RFC8478bis)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18186)
2022-10-18 09:30:21 -04:00
Todd Short
12e96a2360 Add brotli compression support (RFC7924)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18186)
2022-10-18 09:30:18 -04:00
Čestmír Kalina
4574a7fd8d crypto: add preemptive threading support
Some primitives are designed to be used in a multi-threaded environment,
if supported, e.g., Argon2.

This patch adds support for preemptive threading and basic synchronization
primitives for platforms compliant with POSIX threads or Windows CRT.
Native functions are wrapped to provide a common (internal) API.

Threading support can be disabled at compile time. If enabled, threading
is disabled by default and needs to be explicitly enabled by the user.

Thread enablement requires an explicit limit on the number of threads that
OpenSSL may spawn (non-negative integer/infinity). The limit may be changed.

Signed-off-by: Čestmír Kalina <ckalina@redhat.com>

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12255)
2022-10-17 09:45:39 +01:00
Čestmír Kalina
fdb11e1bcb Configure: add thread-pool and default-thread-pool
Signed-off-by: Čestmír Kalina <ckalina@redhat.com>

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12255)
2022-10-17 09:42:07 +01:00
Tomas Mraz
9b25f52a44 Fix detection of ktls support in cross-compile environment on Linux
Fixes #19212

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19213)
2022-09-19 11:50:13 +02:00
Hugo Landau
606e0426a1 Add support for loading root CAs from Windows crypto API
Fixes #18020.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18070)
2022-09-14 14:10:18 +01:00
Tomas Mraz
83529f07ca Always automatically add -DPEDANTIC with enable-ubsan
To avoid reports like: #19028

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19029)
2022-08-23 10:16:06 +10:00
Richard Levitte
54a84f0299 Don't try to make configuration leaner
This partially reverts Github PR #16378:
commit 764cf5b263, titled "Configuration:
only produce a new configdata.pm if it has changed contents"

Unfortunately, the attempt to make configuration leaner didn't take
into account all the files that may or may not affect the outcome of
`configdata.pm`, and most of all, didn't take into account that `Makefile`
has clauses of its own to determined when a reconfiguration is needed, all
based on time stamps.

Something as simple as a changed `Configurations/10-main.conf`, where the
change doesn't affect the resulting `configdata.pm` gets `make` into a
reconfiguration loop, because `configdata.pm` is older than `10-main.conf`.

The lesson to remember is not to try to outsmart `make` in cases like this.

We retain the other parts of the PR mentioned, as they are still valid.

needed to be taken into account (all the Configurations/*.conf
as well as all the build.info)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18832)
2022-07-24 04:08:46 +02:00
Tomas Mraz
30b013291a Configure: Add disablable for QUIC, disabled by default
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18307)
2022-06-03 12:07:17 +10:00
Richard Levitte
4d02d500aa Building: For the FIPS module checksum, keep track of configuration,h
The FIPS module checksum needs to know that configuration.h is
generated from configuration.h.in, so that information is conserved.
To make this possible, it's now possible to have attributes with the
GENERATE keyword, and the attribute "skip" is added to make a keyword
a no-op, which makes it informative only.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/16378)
2022-05-22 17:33:08 +02:00
Richard Levitte
2522889620 Configuration: produce include/openssl/configuration.h when configuring
The goal is to avoid having too much of the OpenSSL source rebuilt
because include/openssl/configuration.h, or even because it was a
Makefile target that was called upon (some make implementations
consider the use of a target as an update of that target, even if it
wasn't really updated).

To resolve this, we move the production of include/openssl/configuration.h
to configdata.pm, and only update it if there were any actual changes.

Fixes #16377

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/16378)
2022-05-22 17:33:08 +02:00
Richard Levitte
764cf5b263 Configuration: only produce a new configdata.pm if it has changed contents
The goal is to avoid having too much of the OpenSSL source rebuilt
because configdata.pm got a new time stamp.  The conditions for
updating configdata.pm are now:

1.  its time stamp is older than Configure's, or...
2.  its contents has changed.

Fixes #16377

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/16378)
2022-05-22 17:33:08 +02:00
Matt Caswell
fecb3aae22 Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
2022-05-03 13:34:51 +01:00
Ross Burton
9e1a54f4a1 Configure: don't try to be clever when configuring afalgeng
If the afalgeng is enabled then Configure tries to be clever but fails,
by only actually building afalgeng if it isn't being cross-compiled and
if the current kernel is 4.1+.

This means that everyone cross compiling, or whose builder machines are
running older kernels (not uncommon for build farms), can't enable
afalgeng.

Instead remove the cleverness and simply enable/disable as requested.

Fixes #7687

CLA: trivial

Signed-off-by: Ross Burton <ross.burton@arm.com>
Change-Id: I023b6cb535d5b5811823d4814fa939de3f304886

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7688)
2022-03-22 14:08:15 +01:00
Todd Short
a3e53d5683 Add TFO support to socket BIO and s_client/s_server
Supports Linux, MacOS and FreeBSD
Disabled by default, enabled via `enabled-tfo`
Some tests

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8692)
2022-03-10 10:42:43 -05:00
Dimitris Apostolou
e304aa87b3 Fix typos
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17392)
2022-01-05 12:37:20 +01:00
Alexandros Roussos
a595e3286a Fix Configure variable spill
* Evaluating code-refs in Configure can sometimes set the default
variable `$_`
* Prevent spillage influencing the target property by using named
variable in loop

CLA: trivial

Fixes gh-17321

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17322)
2021-12-23 12:31:33 +11:00
pkubaj
f5485b97b6 Add support for BSD-ppc, BSD-ppc64 and BSD-ppc64le configurations
OpenSSL assumes AT_HWCAP = 16 (as on Linux), but on FreeBSD AT_HWCAP = 25
Switch to using AT_HWCAP, and setting it to 16 if it is not defined.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17090)
2021-12-09 16:07:14 +11:00
Rich Salz
ecb09bafad Replace CONFIG_NOWAIT env var with -w option
And document the -w option

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16325)
2021-08-20 10:32:35 +10:00
Pauli
c3c00c7acd config: enable ACVP test case if FIPS is enabled.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16095)
2021-07-17 17:51:08 +10:00
Richard Levitte
86ff7cf2a6 Configure: Reflect that We don't build loader_attic when dynamic-engine is disabled
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15858)
2021-06-23 18:06:59 +02:00
Richard Levitte
4a73938756 Configure: Allow spaces around '=' in all build.info statements
This was allowed already for some statements, but not consistently for all.

Fixes #15684

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15691)
2021-06-11 15:45:06 +02:00
Arran Cudbard-Bell
726f92e016 Enable ssl-trace by default
There doesn't appear to be a good reason to omit protocol message tracing by default.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15665)
2021-06-10 09:42:12 +01:00
Richard Levitte
7058b4db82 Configure: variable expand GENERATE values too
Internal documentation doesn't allow for any exception...  Therefore,
even GENERATE values should be variable expanded.

(there are historical reasons why GENERATE was excepted from variable
expansion, that aren't applicable any more)

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15554)
2021-06-02 08:18:47 +02:00
Rich Salz
a935791d54 Rework and make DEBUG macros consistent.
Remove unused -DCONF_DEBUG and -DBN_CTX_DEBUG.

Rename REF_PRINT to REF_DEBUG for consistency, and add a new
tracing category and use it for printing reference counts.

Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG

Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to
be set also.

Rename engine_debug_ref to be ENGINE_REF_PRINT also for consistency.

Fixes #15357

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15353)
2021-05-28 10:04:31 +02:00
Tom Cosgrove
0221b080ce Fix -static builds on master
Pull in Todd Short's fix cfd7225fbb from 1.1.1, which moves the disabling
of pic, threads and statics to before they are checked.

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15214)
2021-05-26 17:34:01 +10:00
Richard Levitte
4b2981f13e Make it possible to disable the loader_attic engine
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15320)
2021-05-22 14:12:51 +02:00
Pauli
d594d2e121 configure: build list of image files
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15399)
2021-05-22 15:33:53 +10:00
Matt Caswell
cc9f9b9899 Clean up the "fips" option to Configure
Don't die if someone says "fips" instead of "enable-fips"

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15346)
2021-05-21 10:07:49 +10:00
Richard Levitte
dd05c7938d build.info: Make it possible to set attributes on SOURCE / SHARED_SOURCE stmts
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15332)
2021-05-19 19:03:16 +02:00
Richard Levitte
2660b7cfba Rework how a build file (Makefile, ...) is produced
The memory footprint of how we produced the Makefile was quite...
important, because we have all the processing in one perl snippet, and
generate the details of the build file by appending to the "magic"
variable $OUT.  The result is that this variable gets to hold the
majority of the build file text, and depending on memory reallocation
strategies for strings, the heap may hold multiple (possibly not just
a few) copies of this string, almost all of them "freed" but still
taking up space.  This has resulted in memory exhaustion.

We therefore change strategy, and generate the build file in two
phases, where the first phase generates the full template using small
perl snippets for each detail, and the second phase processes this
template.  This is much kinder to process memory.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15310)
2021-05-19 10:13:02 +02:00
Rich Salz
d0364dcc42 Add --banner config option
Use it in the automated workflows.

Fixes: #15247

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15248)
2021-05-14 08:35:11 +02:00
Pauli
d1a770414a acvp-test: disable the ACVP testing code by default
It's only useful for the FIPS lab and shouldn't be in production.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15092)
2021-05-02 17:13:45 +10:00
Pauli
38230e3011 acvp: fix the no-acvp_test build
A pair of the disabled string checks were incorrect.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15082)
2021-04-30 17:51:44 +10:00
Dr. Matthias St. Pierre
b2d8c7b6a3 Configure: disable fips mode by default
Building the fips provider in addition to the default provider
effectively doubles the build time. Since many users will not
need fips support, it is now disabled by default.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
2021-04-29 11:26:58 +02:00
Dr. Matthias St. Pierre
afa0a13c1a Configure: sort the disablables alphabetically
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
2021-04-29 11:26:58 +02:00
Richard Levitte
2e535eb50a Configuration: rework how dependency making is handled
Previously, we had dependency making pretty much hard coded in the
build file templates, with a bit of an exception for Unix family
platforms, where we had different cases depending on what dependency
making program was found.

With the Embarcadero C++ builder, a separate scheme appeared, with a
different logic.

This change merges the two, and introduces two config target
attributes:

    makedepcmd          The program to use, where this is relevant.
                        This replaces the earlier configuration
                        attribute 'makedepprog'.
    makedep_scheme      This is a keyword that can be used by build
                        files templates to produce different sorts of
                        commands, but most importantly, to pass as
                        argument to util/add-depend.pl, which uses
                        this keyword as a "producer" for the
                        dependency lines.

If the config target doesn't define the 'makedep_scheme' attribute,
Configure tries to figure it out by looking for GCC compatible
compilers or for the 'makedepend' command.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/15006)
2021-04-28 21:35:26 +02:00
Pauli
9c11e8ec1f Runchecker: fix failure with no-autoalginit option by disabling FIPS
With this option, the openssl command line tool is not created.  Without that
it is impossible to create the fipsmodule.cnf file that the tests would
otherwise depend upon.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14979)
2021-04-23 11:23:37 +02:00
Matt Caswell
cd28d129b6 Avoid the need for Configure time 128-bit int detection
We just detect this at compile time instead.

This avoids cross-compilation problems where the host platform supports
128-bit ints, but the target platform does not (or vice versa). This was
causing a problem on some platforms where, dependent on the CFLAGS, 128 bit
ints were either supported or not.

Fixes #14804

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14941)
2021-04-22 08:31:26 +01:00
Tanzinul Islam
16f2a44435 Generate dependency information
The Clang-based `bcc32c.exe` doesn't implement the `-Hp` option, so we
have to use [`cpp32.exe`][1] instead.  Therefore, change the dependency-
emitting command to use `$(CPP)` instead of `$(CC)`, which which also
uncovered the [existing bug of `2>&1` before `> $dep`][2].  Also
C++Builder's `make.exe` doesn't implement `2>&1` in its command runner,
so wrap the whole line in a `cmd /C`.

[1]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/CPP32.EXE,_the_C_Compiler_Preprocessor
[2]: https://ss64.com/nt/syntax-redirection.html

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)
2021-04-19 11:05:55 +02:00
Amitay Isaacs
a72da9eceb Configure: Check if 128-bit integers are supported by compiler
Add a config variable "use_int128" to indicate if 128-bit integers are
supported or not at the configure time.  This makes it easier to
automatically select 64-bit versus 32-bit implementation for curve448.

Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14784)
2021-04-08 12:18:10 +01:00
Randall S. Becker
ccdfcf07d9 Disable fips-securitychecks if no-fips is configured.
Fixes: #14629

Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14634)
2021-03-23 16:19:44 +00:00
Richard Levitte
2d101b0f49 Configure: check all DEPEND values against GENERATE, not just .h files
All files that are given to DEPEND statements in build.info files are
being checked against GENERATE statements, to see if it's reasonable
to look for them in the source tree or not.  This was only done for .h
files, for reasons that are lost in history.  We now change that check
to look at all files instead.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14598)
2021-03-19 16:44:46 +01:00
Richard Levitte
79f47ef507 build.info: Make it possible to use compiled programs as generators
Our goal is to be able to produce fipsmodule.cnf with the help of
'openssl fipsinstall', using the openssl program that we build.

This refactors the generatesrc code in all the build file templates to
replace $generator and $generator_incs with $gen0, $gen_args and $gen_incs,
which makes it easier and more consistent to manipulate different bits
of the generator command, and also keeps the variable names consistent
while not overly long.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14320)
2021-03-03 14:47:01 +01:00
Richard Levitte
3f399e3787 build.info: Add the possibility to add dependencies on raw targets
We need to add something for the 'tests' target to depend on, so a
special syntax for those is introduced:

    DEPEND[|tests|]=fipsmodule.cnf

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14320)
2021-03-03 14:47:01 +01:00
Matt Caswell
6d2a1eff55 Deprecate the low level SRP APIs
The OTC decided that all low level APIs should be deprecated. This extends
to SRP, even though at the current time there is no "EVP" interface to it.
This could be added in a future release.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14132)
2021-02-12 08:47:32 +00:00