Commit Graph

30336 Commits

Author SHA1 Message Date
Pauli
e07102220a tls/ccm8: reduce the cipher strength for CCM8 ciphers to 64 bits
This is the length of the tag they use and should be considered an upper bound
on their strength.

This lowers their security strength to level 0.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16652)
2021-09-24 17:38:39 +10:00
Pauli
56ffcce492 doc: document the change to the security level of CCM8 cipher suites
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16652)
2021-09-24 17:38:23 +10:00
Pauli
1a473d1cc6 tls: reduce the strength of CCM_8 ciphers due to their short IV.
Fixes #16154

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16652)
2021-09-24 17:38:23 +10:00
slontis
c3b5fa4ab7 Change TLS RC4 cipher strength check to be data driven.
This is a same pattern as used in PR #16652

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16656)
2021-09-23 14:17:33 +02:00
Kelvin Lee
eeb612021e Explicitly #include <synchapi.h> is unnecessary
The header is already included by <windows.h> for WinSDK 8 or later.
Actually this causes problem for WinSDK 7.1 (defaults for VS2010) that
it does not have this header while SRW Locks do exist for Windows 7.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16603)
2021-09-23 14:07:18 +02:00
Tavis Ormandy
415e6ac804 increase x509 code coverage metrics
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16651)
2021-09-23 14:04:43 +02:00
Ulrich Müller
524f126110 Add default provider support for Keccak 224, 256, 384 and 512
Fixes issue openssl#13033

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16594)
2021-09-23 12:07:57 +10:00
Pauli
50aba7ffde doc: Fix include syntax
Internal headers should be included using "" instead of <>.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16647)
2021-09-22 18:55:34 +10:00
Mattias Ellert
c249f48778 Remove extra comma in man page example code
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16643)
2021-09-22 18:25:28 +10:00
Pauli
caf569a5b3 rand: don't free an mis-set pointer on error
This is adding robustness to the code.  The fix to not mis-set the pointer
is in #16636.

Fixes #16631

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16640)
2021-09-22 18:01:12 +10:00
Pauli
57cd10dd1e doc: remove end of line whitespace
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16641)
2021-09-22 16:22:50 +10:00
Dmitry Belyavskiy
52dcc01119 Avoid double-free on unsuccessful getting PRNG seeding
Fixes #16631

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16636)
2021-09-21 18:37:14 +02:00
Dmitry Belyavskiy
6923d261b8 Update the default value for the -nameopt option - documentation
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16583)
2021-09-21 14:08:41 +02:00
Dmitry Belyavskiy
537976defe NEWS and CHANGES are updated about switching to utf8
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16583)
2021-09-21 14:08:41 +02:00
Dmitry Belyavskiy
7e399f0382 Tests adjustments for default output change
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16583)
2021-09-21 14:08:41 +02:00
Dmitry Belyavskiy
7a27bdbdce Update gost-engine to match new default nameopt
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16583)
2021-09-21 14:08:41 +02:00
Dmitry Belyavskiy
86cfd132ff Use -nameopt utf8 by default
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16583)
2021-09-21 14:08:41 +02:00
Richard Levitte
dc18f036f1 Fix util/mkpod2html.pl to call pod2html with absolute paths
It turns out that on VMS, pod2html only recognises VMS directory
specifications if they contain a device name, which is accomplished by
making them absolute.  Otherwise, a VMS build that includes building
the document HTML files ends up with an error like this:

    $ perl [---.downloads.openssl-3_0-snap-20210916.util]mkpod2html.pl -i [---.downloads.openssl-3_0-snap-20210916.doc.man1]CA.pl.pod -o [.DOC.HTML.MAN1]CA.PL.HTML -t "CA.pl" -r "[---.downloads.openssl-3_0-snap-20210916.doc]"
    [---.downloads.openssl-3_0-snap-20210916.util]mkpod2html.pl: error changing to directory -/-/-/downloads/openssl-3_0-snap-20210916/doc/: no such file or directory
    %SYSTEM-F-ABORT, abort

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16626)
2021-09-21 11:05:53 +02:00
Pauli
08d8c2d87e ci: add copyright header to CI scripts
There is quite a bit of creative effort in these and even more trouble-
shooting effort.  I.e. they are non-trivial from a copyright perspective.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16628)
2021-09-21 18:02:58 +10:00
Arne Schwabe
d270a6c9ea Add missing mention of mandatory function OSSL_FUNC_keymgmt_has
The manual page provider-keymgmt.pod is missing the mention of the
required function OSSL_FUNC_keymgmt_has. The function
keymgmt_from_algorithm raise EVP_R_INVALID_PROVIDER_FUNCTIONS
if keymgmt->has == NULL

CLA: trivial
Signed-off-by: Arne Schwabe <arne@rfc2549.org>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16621)

(cherry picked from commit 56b8f434c7)
2021-09-21 10:52:21 +10:00
slontis
8d257d0dc6 Document that the openssl fipsinstall self test callback may not be used.
Fixes #16260

If the user autoloads a fips module from a config file, then it will run the self tests early (before the self test callback is set),
and they may not get triggered again during the fipsinstall process.
In order for this to happen there must already be a valid fips config file.
As the main purpose of the application is to generate the fips config file, this case has just been documented.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16475)
2021-09-20 09:32:07 +02:00
Tianjia Zhang
e396c114eb apps/s_client: Add ktls option
From openssl-3.0.0-alpha15, KTLS is turned off by default, even if
KTLS feature in compilation, which makes it difficult to use KTLS
through s_server/s_client, so a parameter option 'ktls' is added
to enable KTLS through cmdline.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16609)
2021-09-19 07:39:15 +10:00
Tianjia Zhang
e2ef7f1265 apps/s_server: Add ktls option
From openssl-3.0.0-alpha15, KTLS is turned off by default, even if
KTLS feature in compilation, which makes it difficult to use KTLS
through s_server/s_client, so a parameter option 'ktls' is added
to enable KTLS through cmdline.

At the same time, SSL_sendfile() depends on KTLS feature to work
properly, make parameters sendfile depend on parameters ktls.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16609)
2021-09-19 07:39:15 +10:00
Richard Levitte
bfbb62c3b0 Configurations/platform/Unix.pm: account for variants in sharedlib_simple()
OpenSSL 1.1.1 links the simple libcrypto.so to libcrypto_variant.so,
this was inadvertently dropped.

Fixes #16605

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16608)
2021-09-18 08:12:28 +02:00
Bernd Edlinger
a7f58bdc1a Fix the parameter type of gf_serialize
It is better to use array bounds for improved
gcc warning checks.

While "uint8_t*" allows arbitrary pointer arithmetic
using "uint8_t[SER_BYTES]" limits the pointer arithmetic
to the range 0..SER_BYTES.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16376)
2021-09-17 14:44:41 +02:00
Matt Caswell
9e51f87793 Clarify what SSL_get_session() does on the server side in TLSv1.3
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16582)
2021-09-17 14:33:23 +02:00
Matt Caswell
4603b782e6 Correct the documentation for SSL_set_num_tickets()
The behaviour for what happens in a resumption connection was not quite
described correctly.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16582)
2021-09-17 14:33:23 +02:00
Dr. David von Oheimb
39a8d4e132 APPS/cmp.c: Move warning on overlong section name to make it effective again
Fixes #16585

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16586)
2021-09-17 10:02:52 +02:00
Tomas Mraz
e59bfbaa2d providers: Do not use global EVP_CIPHERs and EVP_MDs
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16600)
2021-09-15 14:07:55 +02:00
Dr. David von Oheimb
1ed3249f25 80-test_cmp_http.t: Fix handling of empty HTTP proxy string
Fixes #16546

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16593)
2021-09-14 15:01:00 +02:00
lprimak
24cdb1bfec MacOS prior to 10.12 does not support random API correctly
Fixes #16517

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16592)
2021-09-14 14:50:39 +02:00
Viktor Szakats
ea0d79db9b convert tabs to spaces in two distributed Perl scripts
Also fix indentation in c_rehash.in to 4 spaces, where a mixture of 4 and 8
spaces was used before, in addition to tabs.

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16459)
2021-09-14 07:21:22 +10:00
Richard Levitte
6d56fcd86a Fix the build file templates where uplink matters
We changed the manner in which a build needing applink is detected,
but forgot to change the installation targets accordingly.

Fixes #16570

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16577)

(cherry picked from commit de36ce47bf)
2021-09-13 09:54:01 +02:00
Tomas Mraz
7ea01f521d linux-x86-clang target: Add -latomic
Fixes #16572

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16578)
2021-09-13 09:35:20 +02:00
Nikita Ivanov
485d0790ac Fix nc_email to check ASN1 strings with NULL byte in the middle
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16524)
2021-09-13 17:02:37 +10:00
Dr. David von Oheimb
cc0d1b03a9 openssl-x509.pod.in: Reflect better that -signkey is an alias for -key option
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16440)
2021-09-11 22:59:56 +02:00
Dr. David von Oheimb
611ef4f373 APPS/{x509,req}: Fix description and diagnostics of -key, -in, etc. options
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16440)
2021-09-11 22:59:56 +02:00
Tomas Mraz
85efdaab4d install_fips: Create the OPENSSLDIR as it might not exist
Fixes #16564

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16569)
2021-09-10 14:08:31 +02:00
Richard Levitte
9e1b6f3cdc Fix 'openssl speed' information printout
Most of all, this reduces the following:

    built on: built on: Wed Sep  8 19:41:55 2021 UTC

to:

    built on: Wed Sep  8 19:41:55 2021 UTC

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16563)

(cherry picked from commit c1dc3536a8)
2021-09-10 12:16:12 +02:00
Richard Levitte
2f9ded524c VMS: Fix descrip.mms template
away the use of $(DEFINES), which does get populated with defines
given through configuration.  This makes it impossible to configure
with extra defines on VMS.  Uncommenting and moving $(DEFINES) to a
more proper spot gives the users back that ability.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16561)

(cherry picked from commit 1dc15a3330)
2021-09-10 12:10:47 +02:00
Tomas Mraz
cf1a231d44 dh_ameth: Fix dh_cmp_parameters to really compare the params
This is legacy DH PKEY only code.

Fixes #16562

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16568)
2021-09-10 12:07:01 +02:00
astraujums
e82fc27bcd Fixed state transitions for the HTML version of the life_cycle-kdf.pod.
The MAN version was fine and so are kdf.dot and lifecycles.ods from doc/life-cycles

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16559)
2021-09-10 18:02:05 +10:00
Richard Levitte
435981cbad OpenSSL::Ordinals::set_version() should only be given the short version
This function tried to shave off the pre-release and build metadata
text from the the version number it gets, but didn't do that quite
right.  Since this isn't even a documented behaviour, the easier, and
arguably more correct path is for that function not to try to shave
off anything, and for the callers to feed it the short version number,
"{MAJOR}.{MINOR}.{PATCH}", nothing more.

The build file templates are adjusted accordingly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16556)
2021-09-09 12:07:33 +02:00
Richard Levitte
2fe2279d1f Enhance the srctop, bldtop, data and result functions to check the result
This affects bldtop_dir, bldtop_file, srctop_dir, srctop_file,
data_dir, data_file, result_dir, and result_file.  They are all
enhanced to check that the resulting path really is a directory or a
file.  They only do this if the path exists.

This allows the tests to catch if these functions are used
incorrectly, even on systems where the syntax for directories and
files is the same.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16523)
2021-09-09 11:25:18 +02:00
PW Hu
5ecf10a0d2 Fix some documentation errors
CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16553)
2021-09-09 09:32:05 +02:00
Pauli
81280137a1 Fix the example SSH KDF code.
A salt was being set instead of a session ID.

Fixes #16525

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16550)
2021-09-09 16:39:28 +10:00
Richard Levitte
c6ee5d5b42 Fix test/recipes/90-test_fipsload.t to use bldtop_file for the FIPS module
It used bldtop_dir(), which is incorrect for files.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16532)
2021-09-08 16:33:33 +02:00
Richard Levitte
116799ff6a DOCS: Update the page for 'openssl passwd' to not duplicate some info
The options -1 and -apr1 were mentioned in DESCRIPTION, not mentioning
any other options or even mentioning that there are more algorithms.
The simple fix is to remove that sentence and let the OPTIONS section
speak for itself.

Fixes #16529

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16531)
2021-09-08 16:26:55 +02:00
Zengit
994fa5f986 Socket now displays what address it is connecting to
CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16392)
2021-09-08 13:31:51 +10:00
PW Hu
a04b06573e crypto/bio/bss_bio.c/bio_write: improve border check
CLA:trivial

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16503)
2021-09-07 16:01:53 +02:00