| #
0557d6c6 |
| 01-Jul-2024 |
slontis |
Add FIPS indicator callback.
Add a FIPS indicator callback that can be set via
OSSL_INDICATOR_set_callback(). This callback is intended to be run
whenever a non approved algorithm ch
Add FIPS indicator callback.
Add a FIPS indicator callback that can be set via
OSSL_INDICATOR_set_callback(). This callback is intended to be run
whenever a non approved algorithm check has occurred and strict checking
has been disabled.The callback may be used to
log non approved algorithms. The callback is passed a type and
description string as well as the cbarg specified in OSSL_INDICATOR_set_callback.
The return value can be either 0 or 1.
A value of 0 can be used for testing purposes to force an error to occur from the algorithm
that called the callback.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24623)
show more ...
|
| #
dd2b22d8 |
| 06-Jun-2024 |
Neil Horman |
Add defaults api to openssl build
Build time defaults aren't great for windows, in which various macros
(like OPENSSLDIR) are selected at build time, but may be selected
differently
Add defaults api to openssl build
Build time defaults aren't great for windows, in which various macros
(like OPENSSLDIR) are selected at build time, but may be selected
differently at install time. Add an internal defaults api to return the
build time constants on unix systems, but instead query registry keys
for the form:
HLKM\SOFTWARE\OpenSSL-{version}-{wininstallcontext}
Such that each built version of openssl may maintain its own set of
registry keys to identify these locations, and be set administratiely as
appropriate at install or run time
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24450)
show more ...
|
| #
da9342ed |
| 16-May-2024 |
sashan |
Move stack of compression methods from libssl to OSSL_LIB_CTX
The compression methods are now a global variable in libssl.
This change moves it into OSSL library context.
It is
Move stack of compression methods from libssl to OSSL_LIB_CTX
The compression methods are now a global variable in libssl.
This change moves it into OSSL library context.
It is necessary to eliminate atexit call from libssl.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24414)
show more ...
|
| #
cc4ea5e0 |
| 28-Jan-2024 |
Neil Horman |
Introduce new internal hashtable implementation
Create a new hashtable that is more efficient than the existing LHASH_OF
implementation. the new ossl_ht api offers several new features
Introduce new internal hashtable implementation
Create a new hashtable that is more efficient than the existing LHASH_OF
implementation. the new ossl_ht api offers several new features that
improve performance opportunistically
* A more generalized hash function. Currently using fnv1a, provides a
more general hash function, but can still be overridden where needed
* Improved locking and reference counting. This hash table is
internally locked with an RCU lock, and optionally reference counts
elements, allowing for users to not have to create and manage their
own read/write locks
* Lockless operation. The hash table can be configured to operate
locklessly on the read side, improving performance, at the sacrifice
of the ability to grow the hash table or delete elements from it
* A filter function allowing for the retrieval of several elements at a
time matching a given criteria without having to hold a lock
permanently
* a doall_until iterator variant, that allows callers which need to
iterate over the entire hash table until a given condition is met (as
defined by the return value of the iterator callback). This allows
for callers attempting to do expensive cache searches for a small
number of elements to terminate the iteration early, saving cpu cycles
* Dynamic type safety. The hash table provides operations to set and
get data of a specific type without having to define a type at the
instatiation point
* Multiple data type storage. The hash table can store multiple data
types allowing for more flexible usage
* Ubsan safety. Because the API deals with concrete single types
(HT_KEY and HT_VALUE), leaving specific type casting to the call
recipient with dynamic type validation, this implementation is safe
from the ubsan undefined behavior warnings that require additional
thunking on callbacks.
Testing of this new hashtable with an equivalent hash function, I can
observe approximately a 6% performance improvement in the lhash_test
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23671)
show more ...
|
| #
34d36cdc |
| 14-Sep-2023 |
Huiyue Xu |
Do not include sparse_array.o in libssl
sparse_array.o is not needed in libssl at 3.0.x version.
Signed-off-by: Huiyue Xu <xuhuiyue@huawei.com>
Reviewed-by: Matt Caswell <m
Do not include sparse_array.o in libssl
sparse_array.o is not needed in libssl at 3.0.x version.
Signed-off-by: Huiyue Xu <xuhuiyue@huawei.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22111)
(cherry picked from commit a31cd07af1ca34cdbbd2b077a933208d447ed0b2)
show more ...
|
| #
e84b5fcc |
| 05-May-2023 |
Pauli |
params: provide a faster TRIE based param lookup.
The separate file is a Perl script that generates the appropriate define
directives for inclusion in core_names.h. By having this separ
params: provide a faster TRIE based param lookup.
The separate file is a Perl script that generates the appropriate define
directives for inclusion in core_names.h. By having this separation it
will be possible to prebuild data structures to give faster access when
looking up parameters by name.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20935)
show more ...
|
| #
6c091ca9 |
| 13-Mar-2023 |
Hugo Landau |
Refactor build.info
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
|
| #
1dd04a0f |
| 22-Feb-2023 |
Hugo Landau |
QUIC Thread Assisted Mode: Support Windows XP
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl
QUIC Thread Assisted Mode: Support Windows XP
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20348)
show more ...
|
| #
cd870db1 |
| 08-Feb-2023 |
Richard Levitte |
Use of sparse_array.c only in the shared libssl
Conditioning it on $disabled{shared} isn't right, it will still end up
in the static variant of the library. It's better to use SHARED_SO
Use of sparse_array.c only in the shared libssl
Conditioning it on $disabled{shared} isn't right, it will still end up
in the static variant of the library. It's better to use SHARED_SOURCE
for these sorts of things.
Fixes #20238
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20240)
show more ...
|
| #
25624c90 |
| 11-Nov-2022 |
Tomas Mraz |
Rationalize FIPS sources
Avoid including QUIC related stuff in the FIPS sources.
Also avoid including libssl headers in ssl3_cbc.c.
Reviewed-by: Paul Dale <pauli@openssl.org>
Rationalize FIPS sources
Avoid including QUIC related stuff in the FIPS sources.
Also avoid including libssl headers in ssl3_cbc.c.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19658)
show more ...
|
| #
aea9b0e4 |
| 27-Jan-2023 |
Tomas Mraz |
Do not include sparse_array.o in libssl with no-shared
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl
Do not include sparse_array.o in libssl with no-shared
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20137)
show more ...
|
| #
f3090fc7 |
| 15-Jul-2022 |
slontis |
Implement deterministic ECDSA sign (RFC6979)
This PR is based off the contributions in PR #9223 by Jemmy1228.
It has been modified and reworked to:
(1) Work with providers
(
Implement deterministic ECDSA sign (RFC6979)
This PR is based off the contributions in PR #9223 by Jemmy1228.
It has been modified and reworked to:
(1) Work with providers
(2) Support ECDSA and DSA
(3) Add a KDF HMAC_DRBG implementation that shares code with the RAND HMAC_DRBG.
A nonce_type is passed around inside the Signing API's, in order to support any
future deterministic algorithms.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18809)
show more ...
|
| #
4574a7fd |
| 27-Sep-2021 |
Čestmír Kalina |
crypto: add preemptive threading support
Some primitives are designed to be used in a multi-threaded environment,
if supported, e.g., Argon2.
This patch adds support for preempt
crypto: add preemptive threading support
Some primitives are designed to be used in a multi-threaded environment,
if supported, e.g., Argon2.
This patch adds support for preemptive threading and basic synchronization
primitives for platforms compliant with POSIX threads or Windows CRT.
Native functions are wrapped to provide a common (internal) API.
Threading support can be disabled at compile time. If enabled, threading
is disabled by default and needs to be explicitly enabled by the user.
Thread enablement requires an explicit limit on the number of threads that
OpenSSL may spawn (non-negative integer/infinity). The limit may be changed.
Signed-off-by: Čestmír Kalina <ckalina@redhat.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12255)
show more ...
|
| #
7f2d6188 |
| 29-Sep-2022 |
zhuchen |
Add LoongArch64 cpuid and OPENSSL_loongarchcap_P
Loongarch64 architecture defines 128 bit vector extension lsx and 256 bit
vector extension lasx. The cpucfg instruction can be used to ob
Add LoongArch64 cpuid and OPENSSL_loongarchcap_P
Loongarch64 architecture defines 128 bit vector extension lsx and 256 bit
vector extension lasx. The cpucfg instruction can be used to obtain whether
the CPU has a corresponding extension. This part of code is added to prepare
for the subsequent addition of corresponding vector instruction optimization.
Signed-off-by: zhuchen <zhuchen@loongson.cn>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19364)
show more ...
|
| #
82d28c6b |
| 03-Oct-2022 |
Richard Levitte |
Rename ossl_sleep() to OSSL_sleep() and make it public
ossl_sleep() was implemented as a static inline function in internal/e_os.h,
using usleep() on Unix and Sleep() on Windows. So far
Rename ossl_sleep() to OSSL_sleep() and make it public
ossl_sleep() was implemented as a static inline function in internal/e_os.h,
using usleep() on Unix and Sleep() on Windows. So far well and good.
However, it also has a fallback implementation for systems that do not have
usleep() or Sleep(), and that implementation happens to use ossl_time_now(),
which is a normal function, private to libcrypto, and is judged to be too
complex to sanely make into a static inline function.
This fallback creates a problem, because we do use ossl_sleep() in apps/ and
a few test programs in test/, and when they are linked with libcrypto in
shared library form, ossl_time_now() can't be found, since it's not publicly
exposed.
Something needs to give, and the easiest, and hopefully sanest answer is to
make ossl_sleep() a publicly exposed function, which requires a slight name
change.
Documentation and 'make update' result included.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/19330)
show more ...
|
| #
78c44b05 |
| 26-Aug-2022 |
slontis |
Add HPKE DHKEM provider support for EC, X25519 and X448.
The code is derived from @sftcd's work in PR #17172.
This PR puts the DHKEM algorithms into the provider layer as
KEM algorit
Add HPKE DHKEM provider support for EC, X25519 and X448.
The code is derived from @sftcd's work in PR #17172.
This PR puts the DHKEM algorithms into the provider layer as
KEM algorithms for EC and ECX.
This PR only implements the DHKEM component of HPKE as specified in
RFC 9180.
crypto/hpke/hpke_util.c has been added for fuctions that will
be shared between DHKEM and HPKE.
API's for EVP_PKEY_auth_encapsulate_init() and EVP_PKEY_auth_decapsulate_init()
have been added to support authenticated encapsulation. auth_init() functions
were chosen rather that a EVP_PKEY_KEM_set_auth() interface to support
future algorithms that could possibly need different init functions.
Internal code has been refactored, so that it can be shared between the DHKEM
and other systems. Since DHKEM operates on low level keys it needs to be
able to do low level ECDH and ECXDH calls without converting the keys
back into EVP_PKEY/EVP_PKEY_CTX form. See ossl_ecx_compute_key(),
ossl_ec_public_from_private()
DHKEM requires API's to derive a key using a seed (IKM). This did not sit
well inside the DHKEM itself as dispatch functions. This functionality
fits better inside the EC and ECX keymanagers keygen, since
they are just variations of keygen where the private key is generated
in a different manner. This should mainly be used for testing purposes.
See ossl_ec_generate_key_dhkem().
It supports this by allowing a settable param to be passed to keygen
(See OSSL_PKEY_PARAM_DHKEM_IKM).
The keygen calls code within ec and ecx dhkem implementation to handle this.
See ossl_ecx_dhkem_derive_private() and ossl_ec_dhkem_derive_private().
These 2 functions are also used by the EC/ECX DHKEM implementations to generate
the sender ephemeral keys.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19068)
show more ...
|
| #
02d0f87a |
| 29-Aug-2022 |
Pauli |
time: move OSSL_TIME to libcrypto
Keep building it for libssl without exposing any symbols.
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Richard Levitte <levitte@ope
time: move OSSL_TIME to libcrypto
Keep building it for libssl without exposing any symbols.
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19082)
show more ...
|
| #
61170642 |
| 13-May-2022 |
Hongren (Zenithal) Zheng |
Add RISC-V 32 cpuid support
Mainly from #17640
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl
Add RISC-V 32 cpuid support
Mainly from #17640
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18308)
show more ...
|
| #
5067c189 |
| 17-May-2022 |
Pauli |
Add sparse array to libssl
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18345)
|
| #
416d0a63 |
| 23-May-2022 |
Hugo Landau |
QUIC wire format support
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18382)
|
| #
9968c775 |
| 19-May-2022 |
Sebastian Andrzej Siewior |
Rename x86-32 assembly files from .s to .S.
Rename x86-32 assembly files from .s to .S. While processing the .S file
gcc will use the pre-processor whic will evaluate macros and ifdef. T
Rename x86-32 assembly files from .s to .S.
Rename x86-32 assembly files from .s to .S. While processing the .S file
gcc will use the pre-processor whic will evaluate macros and ifdef. This
is turn will be used to enable the endbr32 opcode based on the __CET__
define.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18353)
show more ...
|
| #
360f6dcc |
| 28-Jan-2022 |
Henry Brausen |
Add basic RISC-V cpuid and OPENSSL_riscvcap
RISC-V cpuid implementation allows bitmanip extensions Zb[abcs] to
be enabled at runtime using OPENSSL_riscvcap environment variable.
Add basic RISC-V cpuid and OPENSSL_riscvcap
RISC-V cpuid implementation allows bitmanip extensions Zb[abcs] to
be enabled at runtime using OPENSSL_riscvcap environment variable.
For example, to specify 64-bit RISC-V with the G,C,Zba,Zbb,Zbc
extensions, one could write: OPENSSL_riscvcap="rv64gc_zba_zbb_zbc"
Architecture string parsing is still very primitive, but can be
expanded in the future. Currently, only bitmanip extensions Zba, Zbb,
Zbc and Zbs are supported.
Includes implementation of constant-time CRYPTO_memcmp in riscv64 asm,
as well as OPENSSL_cleanse. Assembly implementations are written using
perlasm.
Reviewed-by: Philipp Tomsich <philipp.tomsich@vrull.eu>
Signed-off-by: Henry Brausen <henry.brausen@vrull.eu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17640)
show more ...
|
| #
7ee992a5 |
| 23-Dec-2021 |
Matt Caswell |
Statically link the legacy provider to endecode_test
We already statically link libcrypto to endecode_test even in a "shared"
build. This can cause problems on some platforms with tests
Statically link the legacy provider to endecode_test
We already statically link libcrypto to endecode_test even in a "shared"
build. This can cause problems on some platforms with tests that load the
legacy provider which is dynamically linked to libcrypto. Two versions of
libcrypto are then linked to the same executable which can lead to crashes.
Fixes #17059
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17345)
show more ...
|
| #
50360c1a |
| 04-Jun-2021 |
Richard Levitte |
FIPS: don't include crypto/passphrase.c in libfips.a
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/op
FIPS: don't include crypto/passphrase.c in libfips.a
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15615)
show more ...
|
|
Revision tags: openssl-3.0.0-alpha17 |
|
| #
c7978e50 |
| 10-May-2021 |
Xiaofei Bai |
Fix missing $CPUIDDEF in libdefault.a
This fixes a build error caused by missing $CPUIDDEF when
compiling libdefault.a, and some functions(like armv8_aes_gcm_encrypt)
become undefine
Fix missing $CPUIDDEF in libdefault.a
This fixes a build error caused by missing $CPUIDDEF when
compiling libdefault.a, and some functions(like armv8_aes_gcm_encrypt)
become undefined.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15215)
show more ...
|
