Richard Levitte [Thu, 19 Nov 2020 07:37:18 +0000 (08:37 +0100)]
SSL: Change SSLerr() to ERR_raise()
This was probably due to a merge
Fixes #13449
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13450)
David Carlier [Wed, 18 Nov 2020 10:21:45 +0000 (10:21 +0000)]
Haiku system build fix.
overriding ar and flags from BASE_common mainly.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13438)
Pauli [Wed, 4 Nov 2020 03:05:46 +0000 (13:05 +1000)]
test RNG: set state to uninitialised as part of uninstantiate call.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/13226)
Pauli [Mon, 2 Nov 2020 02:03:31 +0000 (12:03 +1000)]
disassociate test RNG from the DRBGs
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/13226)
Pauli [Fri, 30 Oct 2020 05:54:03 +0000 (15:54 +1000)]
prov: move the entropy source out of the FIPS provider
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/13226)
Pauli [Fri, 30 Oct 2020 05:53:47 +0000 (15:53 +1000)]
test: changes resulting from moving the entropy source out of the FIPS provider
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/13226)
Pauli [Fri, 30 Oct 2020 05:53:22 +0000 (15:53 +1000)]
rand: move the entropy source out of the FIPS provider
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/13226)
Pauli [Fri, 30 Oct 2020 05:39:10 +0000 (15:39 +1000)]
doc: Documentation changes for moving the entropy source out of the fips provider
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/13226)
Matt Caswell [Fri, 6 Nov 2020 11:43:44 +0000 (11:43 +0000)]
Allow multiple nested marks
Previously we only ever allowed one mark to be set against an error in the
statck. If we attempted to nest them, then we would end up clearing all
the errors in the stack when we popped to the mark.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13335)
Pauli [Wed, 11 Nov 2020 11:52:32 +0000 (21:52 +1000)]
Fix some warnings from clang 10 in params.c
clang 10 was emitting warnings similar to the following from params.c:
crypto/params.c:411:40: error: implicit conversion from 'long' to 'double' changes value from 9223372036854775807 to 9223372036854775808 [-Werror,-Wimplicit-int-float-conversion]
if (d >= INT64_MIN && d <= INT64_MAX && d == (int64_t)d) {
Also fixed some other conversion problems when sizeof(double) == 4.
Alternative to #13366
Fixes #13365
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13377)
Pauli [Mon, 16 Nov 2020 02:04:56 +0000 (12:04 +1000)]
Provide side RNG functions renamed to have an ossl_ prefix.
These are: prov_crngt_cleanup_entropy(), prov_crngt_get_entropy(),
prov_pool_acquire_entropy(), prov_pool_add_nonce_data(),
prov_rand_drbg_free() and prov_rand_drbg_new().
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13417)
Matt Caswell [Thu, 22 Oct 2020 12:54:11 +0000 (13:54 +0100)]
Swap to DH_PARAMGEN_TYPE_GENERATOR as the default outside of the FIPS module
The documentation claimed this was already the default but it wasn't. This
was causing the dhparam application to change behaviour when compared to
1.1.1
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13228)
Richard Levitte [Wed, 4 Nov 2020 11:16:35 +0000 (12:16 +0100)]
Simplify util/err-to-raise
There's no need to enumerate the possible {NAME}err, as they have a
consistent pattern. Also, this script should not be used on the
engines, as they have already converted appropriately.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13320)
David Carlier [Mon, 16 Nov 2020 11:02:24 +0000 (11:02 +0000)]
NetBSD build fix.
getentropy shows up wrongly as weak symbol whereas there is no support.
However NetBSD 10.0 will support getrandom.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13408)
Richard Levitte [Sat, 14 Nov 2020 21:38:37 +0000 (22:38 +0100)]
DOC: Fixup the description of the -x509_strict option
POD commands must always be surrounded by blank lines
POD transformers read everything in paragraph mode. The following
lines become *one* command, where the second line becomes part of the
text of the first, including the command itself. In other words,
this:
=item something
=item something else
Translates to this in a man-page:
something =item something else
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13412)
Shane Lontis [Thu, 12 Nov 2020 07:57:12 +0000 (17:57 +1000)]
Fix dsa securitycheck for fips.
Fixes #12627
Changed security check for DSA verification to match SP800-131Ar2 when
the security strength is < 112.
Fixed compilation error when using config opt 'no-fips-securitychecks'
Removed TODO's from 20-test_cli_fips.t - there is no longer an TODO error.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13387)
Daniel Bevenius [Thu, 12 Nov 2020 08:51:14 +0000 (09:51 +0100)]
REF_PRINT: cast pointer to void to avoid warnings
Currently, when configuring OpenSSL and specifying the --strict-warnings
option there are failures like the following one:
crypto/bio/bio_lib.c: In function 'BIO_up_ref':
include/internal/refcount.h:169:25: error: format '%p' expects argument
of type 'void *', but argument 3 has type 'BIO *'
{aka 'struct bio_st *'} [-Werror=format=]
169 | fprintf(stderr, "%p:%4d:%s\n", b, b->references, a)
| ^~~~~~~~~~~~~
crypto/bio/bio_lib.c:185:5:
note: in expansion of macro'REF_PRINT_COUNT'
185 | REF_PRINT_COUNT("BIO", a);
| ^~~~~~~~~~~~~~~
include/internal/refcount.h:169:27: note: format string is defined here
169 | fprintf(stderr, "%p:%4d:%s\n", b, b->references, a)
| ~^
| |
| void *
cc1: all warnings being treated as errors
This commit adds casts to avoid the warnings.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13389)
Richard Levitte [Fri, 13 Nov 2020 10:05:47 +0000 (11:05 +0100)]
Fix SUPPORT.md for better readability
Most of the text was duplicated, and the second copy had better
section titles that made the intent more prominent.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/13398)
Rich Salz [Thu, 12 Nov 2020 00:10:22 +0000 (19:10 -0500)]
Remove -C option from x509 command
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13384)
Rich Salz [Wed, 11 Nov 2020 23:03:38 +0000 (18:03 -0500)]
Remove -C from dhparam,dsaparam,ecparam
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13384)
Richard Levitte [Wed, 4 Nov 2020 15:14:00 +0000 (16:14 +0100)]
CRYPTO: refactor ERR_raise()+ERR_add_error_data() to ERR_raise_data()
This is not done absolutely everywhere, as there are places where
the use of ERR_add_error_data() is quite complex, but at least the
simple cases are done.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13318)
Richard Levitte [Fri, 25 Sep 2020 18:02:56 +0000 (20:02 +0200)]
EVP: Adapt EVP_PKEY2PKCS8() to better handle provider-native keys
It doesn't downgread the keys to legacy any more. Instead, it uses
OSSL_ENCODER to encode the key to DER, and d2i_PKCS8_PRIV_KEY_INFO()
to make a PKCS8_PRIV_KEY_INFO structure from that.
Fixes #12990
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12995)
These were added when the EVP_MAC work was being done.
I dont think these lightweight wrappers are required, and it seems better to remove them,
rather than adding documentation.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13372)
Nicola Tuveri [Wed, 4 Nov 2020 13:39:42 +0000 (15:39 +0200)]
[test/recipes] Split test_fuzz into separate recipes
When using `HARNESS_JOBS` to run the tests in parallel, no matter the
level of parallelism that can be used, the monolithic `test_fuzz` takes
a long time to run, conditioning the duration of the whole build.
This commit splits the single `test_fuzz` recipe into separate recipes
for each fuzzer.
The previous mechanism to select individual fuzz tests using the
`FUZZ_TESTS` environment variable is also dropped (and documentation
updated).
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13307)
XiaokangQian [Fri, 13 Mar 2020 03:27:34 +0000 (03:27 +0000)]
Optimize AES-XTS mode in OpenSSL for aarch64
Aes-xts mode can be optimized by interleaving cipher operation on
several blocks and loop unrolling. Interleaving needs one ideal
unrolling factor, here we adopt the same factor with aes-cbc,
which is described as below:
If blocks number > 5, select 5 blocks as one iteration,every
loop, decrease the blocks number by 5.
If left blocks < 5, treat them as tail blocks.
Detailed implementation has a little adjustment for squeezing
code space.
With this way, for small size such as 16 bytes, the performance is
similar as before, but for big size such as 16k bytes, the performance
improves a lot, even reaches to 2x uplift, for some arches such as A57,
the improvement even reaches more than 2x uplift. We collect many
performance datas on different micro-archs such as thunderx2,
ampere-emag, a72, a75, a57, a53 and N1, all of which reach 0.5-2x uplift.
The following table lists the encryption performance data on aarch64,
take a72, a75, a57, a53 and N1 as examples. Performance value takes the
unit of cycles per byte, takes the format as comparision of values.
List them as below:
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11399)
Pauli [Wed, 4 Nov 2020 12:34:52 +0000 (22:34 +1000)]
apps/passwd: remove the -crypt option.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13313)
Richard Levitte [Sat, 17 Oct 2020 06:34:47 +0000 (08:34 +0200)]
PROV: Re-implement all the keypair encoders
The base functionality to implement the keypair encoders doesn't
change much, but this results in a more massive amount of
OSSL_DISPATCH and OSSL_ALGORITHM arrays, to support a fine grained
selection of implementation based on what parts of the keypair
structure (combinations of key parameters, public key and private key)
should be output, the output type ("TEXT", "DER" or "PEM") and the
outermost output structure ("pkcs8", "SubjectPublicKeyInfo", key
type specific structures, ...).
We add support for the generic structure name "type-specific", to
allow selecting that without knowing the exact name of that structure.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13167)
Richard Levitte [Sat, 17 Oct 2020 06:23:43 +0000 (08:23 +0200)]
ENCODER: Add output structure support for EVP_PKEY encoding
OSSL_ENCODER_CTX_new_by_EVP_PKEY() takes one more argument to express
the desired outermost structure for the output.
This also adds OSSL_ENCODER_CTX_prune_encoders(), which is used to
reduce the stack of encoders found according to criteria formed from
the combination of desired selection, output type and output
structure.
squash! ENCODER: Add output structure support for EVP_PKEY encoding
Replace the paragraph talking about OSSL_ENCODER_CTX_prune_encoders() with:
The encoding processor encoder_process() is enhanced with better
analysis of the stack of encoder implementations. To avoid having to
keep an on the side array of information, it uses recursion.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13167)
Richard Levitte [Sat, 17 Oct 2020 06:17:41 +0000 (08:17 +0200)]
ENCODER: Add support for OSSL_FUNC_encoder_does_selection()
OSSL_FUNC_encoder_does_selection() is a dispatchable encoder implementation
function that should return 1 if the given |selection| is supported by an
encoder implementation and 0 if not. This can be used by libcrypto
functionality to figure out if an encoder implementation should be
considered or not.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13167)