History log of /openssl/Configure (Results 1 – 25 of 1539)
Revision Date Author Comments
# 4a69a6d1 26-Aug-2024 Neil Horman

Add sslkeylog config option and implementation

Add a config option for sslkeylog (disabled by default)

When enabled, SSL_CTX_new[_ex] becomes sensitive to the SSLKEYLOGFILE
environment variable. It records keylog callback messages to the file
specified in the environment variable according to the format specified
in https://www.ietf.org/archive/id/draft-thomson-tls-keylogfile-00.html

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25297)


# 61f032cc 19-Sep-2024 Pauli

Add configuration option to allow the FIPS provider to use the jitter source internally

Enabling this breaks FIPS compliance unless an entropy assessment and a revalidation
are undertaken.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25498)


# a5d56626 13-Aug-2024 Neil Horman

Add debuginfo build target

In the webinar we are currently producing on debugging openssl
applications, we talk about ways to allow debuggable binaries without
having to ship all the debug DWARF information to production systems.

Add an optional target to do that DWARF separation to aid users

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25174)


# 8945f406 10-May-2024 Dimitri John Ledkov

fips: allow to customize provider vendor name

FIPS providers need to specify identifiable names and versions. Allow
to customize the fips provider name prefix, via VERSION.dat which
already allows to customize version & buildinfo. With this patch
in-place it removes the need of patching code to set customized
provider name.

E.g. echo FIPS_VENDOR=ACME >> VERSION.dat, results in

```
$ OPENSSL_CONF=fips-and-base.cnf ../util/wrap.pl ../apps/openssl list -providers --verbose
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.4.0
    status: active
    build info: 3.4.0-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  fips
    name: ACME FIPS Provider for OpenSSL
    version: 3.4.0
    status: active
    build info: 3.4.0-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
      security-checks: integer (arbitrary size)
      tls1-prf-ems-check: integer (arbitrary size)
      drbg-no-trunc-md: integer (arbitrary size)
```

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24368)


# 250a7adb 01-Aug-2024 slontis

Add "no-fips-post" configure option.

Using this option disables the OpenSSL FIPS provider
self tests.
This is intended for debugging purposes only,
as it breaks FIPS compliance.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25063)


# f8c510cd 12-Jul-2024 Dimitri John Ledkov

JITTER: implement error handling from jitter library

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)


# 1e7ff7be 11-Jul-2024 Dimitri John Ledkov

JITTER: exercise all tests in CI with JITTER seed source under certain build configuration

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)


# b28b3128 10-Jul-2024 Dimitri John Ledkov

jitter: add a new provider containing a jitter entropy source alone

This entropy source can be used instead of SEED-SRC. Sample
openssl.cnf configuration is provided. It is built as a separate
provider, because it is likely to require less frequent updates than
fips provider. The same build likely can span multiple generations of
FIPS 140 standard revisions.

Note that rand-instances currently chain from public/private instances
to primary, prior to consuming the seed. Thus currently a unique ESV
needs to be obtained, and reuse of jitterentropy.a certificate is not
possible as is. Separately a patch will be sent to allow for
unchaining public/private RAND instances for the purpose of reusing
ESV.

Also I do wonder if it makes sense to create a fips variant of stock
SEED-SRC entropy source, which in addition to using getrandom() also
verifies that the kernel is operating in FIPS mode and thus is likely
a validated entropy source. As in on Linux, check that
/proc/sys/crypto/fips_enabled is set to 1, and similar checks on
Windows / MacOS and so on.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)


# b5863e92 28-Jun-2024 Tomas Mraz

Configure: Remove -Wswitch-default from strict warnings

Also move -Wno-tautological-constant-out-of-range-compare to
clang-specific options as it is not supported by gcc.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24758)

(cherry picked from commit 3d9c6b16d8b8e75b73e2fd34849e930e2792f3a4)


# 7afa7731 11-Jun-2024 sanumesh

Add aix-clang and aix64-clang configuration

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24609)


# 6e01d311 05-Jun-2024 Richard Levitte

Configure: make absolutedir() use rel2abs() on Windows too

perl's realpath() seems to be buggy on Windows, so we turn to rel2abs()
there as well.

Fixes #23593

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24569)


# 05faa4ff 22-May-2024 Dimitri John Ledkov

rand: remove unimplemented librandom stub code

Clean up of unusable / no-op code.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24465)


# b6a5e801 01-Dec-2023 Rajeev Ranjan

Add support for integrity-only cipher suites for TLS v1.3

- add test vectors for tls1_3 integrity-only ciphers
- recmethod_local.h: add new member for MAC
- tls13_meth.c: add MAC only to tls 1.3
- tls13_enc.c: extend function to add MAC only
- ssl_local.h: add ssl_cipher_get_evp_md_mac()
- s3_lib.c: add the new ciphers and add #ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS
- ssl_ciph.c : add ssl_cipher_get_evp_md_mac() and use it
- tls13secretstest.c: add dummy test function
- Configure: add integrity-only-ciphers option
- document the new ciphers

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22903)


# 1c4f9684 01-Apr-2024 Craig Lorentzen

Security hardening: Expose Build flags for Position Independent Execution (PIE)

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22596)


# 693071c0 11-Apr-2024 Neil Horman

disable http3 demo on windows

The external nghttp3 library seems to have a linking issue on windows
(several missing symbols). Disable that build in windows for now until
it's fixed

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24047)


# 7a7fbeb9 06-Apr-2024 Neil Horman

fix all the warnings in our demos and make them enableable

Fix up the warnings in the demos and make them configurable with
enable-demos

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24047)


# b6461792 20-Mar-2024 Richard Levitte

Copyright year updates

Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
(cherry picked from commit 0ce7d1f355c1240653e320a3f6f8109c1f05f8c0)

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24034)


# e98940d6 04-Mar-2024 Hugo Landau

Enable qlog support by default

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23744)


# ecabdf39 07-Feb-2024 Richard Levitte

Configure: Fix ordering bug when processing split DEPENDs

Configure was recently made to process this sort of line:

DEPEND[generated]=util/perl|OpenSSL/something.pm

Unfortunately, in processing such lines, the order in which paths
were recomputed caused some resulting paths to be faulty under some
circumstances. This change fixes that.

Fixes #22853

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23500)

(cherry picked from commit 64cae4064405384cf7fe130a1e0189725db5e877)


# de60b122 23-Jan-2024 Hugo Landau

QLOG: Editorial fixes (QLOG is spelled 'qlog')

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22037)


# c3f95327 23-Jan-2024 Hugo Landau

Configure: Add warning when enabling QLOG

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22037)


# c0af01f3 08-Sep-2023 Hugo Landau

QLOG: Configuration

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22037)


# 99fb31c1 25-Jan-2024 Randall S. Becker

Add atexit configuration option to using atexit() in libcrypto at build-time.

This fixes an issue with a mix of atexit() usage in DLL and statically linked
libcrypto that came out in the test suite on NonStop, which has slightly
different DLL unload processing semantics compared to Linux. The change
allows a build configuration to select whether to register OPENSSL_cleanup()
with atexit() or not, so avoid situations where atexit() registration causes
SIGSEGV.

INSTALL.md and CHANGES.md have been modified to include and describe this
option.

The no-atexit option has been added to .github/workflows/run-checker-daily.yml.

Fixes: #23135

Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/23394)


# 0a22436e 29-Nov-2023 Will Sackfield

Fail the Configure script with no Configurations

* Print a message about why the failure is
happening.
* Send the usage information.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22855)


# 504ff2a4 28-Nov-2023 Richard Levitte

Configure: Refuse to make directories in the source tree

Fixes #22907

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22908)

