Commit Graph

35626 Commits

Author SHA1 Message Date
slontis
05681e0e3e Add FIPS Indicator for ECDH cofactor.
FIPS KAS requires use of ECC CDH.

The EC 'B' and 'K' curves have a cofactor that is not 1, and this
MUST be multiplied by the private key when deriving the shared secret.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25139)
2024-08-15 19:48:15 +02:00
Andreas Treichel
0813ffee2f apps/cms.c, apps/smime.c: Fix -crlfeol help messages
CLA: trivial

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24434)
2024-08-15 19:45:20 +02:00
David Benjamin
2ec4e95014 Fix SSL_CTX_set1_groups documentation on preference orders
The documentation currently describes SSL_CTX_set1_groups as a
preference order, but this does not match the typical interpretation of
"preference order" in OpenSSL and TLS. Typically, an application can
order more secure options ahead of less secure ones and pick up TLS's
usual downgrade protection guarantees.

TLS 1.3 servers need to balance an additional consideration: some
options will perform worse than others due to key share prediction. The
prototypical selection procedure is to first select the set of more
secure options, then select the most performant among those.

OpenSSL follows this procedure, but it *unconditionally* treats all
configured curves as equivalent security. Per discussion on GitHub,
OpenSSL's position is that this is an intended behavior.

While not supported by built-in providers, OpenSSL now documents that
external providers can extend the group list and CHANGES.md explicitly
cites post-quantum as a use case. With post-quantum providers, it's
unlikely that application developers actually wanted options to be
equivalent security. To avoid security vulnerabilities arising from
mismatched expectations, update the documentation to clarify the server
behavior.

Per the OTC decision in
https://github.com/openssl/openssl/issues/22203#issuecomment-1744465829,
this documentation fix should be backported to stable branches.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23776)
2024-08-15 19:42:50 +02:00
Bhaskar Metiya
1d2cbd9b5a apps/req.c: No warning reading from stdin if redirected
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25179)
2024-08-15 17:59:28 +02:00
Bhaskar Metiya
02b8b7b836 Return SSL_AD_DECRYPT_ERROR alert on PSK binder validation failure (RFC 8446)
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25176)
2024-08-15 11:21:24 +02:00
Dimitri John Ledkov
8945f406a7 fips: allow to customize provider vendor name
FIPS providers need to specify identifiable names and versions. Allow
to customize the fips provider name prefix, via VERSION.dat which
already allows to customize version & buildinfo. With this patch
in-place it removes the need of patching code to set customized
provider name.

E.g. echo FIPS_VENDOR=ACME >> VERSION.dat, results in

```
$ OPENSSL_CONF=fips-and-base.cnf ../util/wrap.pl ../apps/openssl list -providers --verbose
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.4.0
    status: active
    build info: 3.4.0-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  fips
    name: ACME FIPS Provider for OpenSSL
    version: 3.4.0
    status: active
    build info: 3.4.0-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
      security-checks: integer (arbitrary size)
      tls1-prf-ems-check: integer (arbitrary size)
      drbg-no-trunc-md: integer (arbitrary size)
```

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24368)
2024-08-15 08:33:48 +10:00
Tomas Mraz
ca112fccdd Apply the FIPS_eddsa_no_verify_digested indicator on prehash EdDSA only
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25188)
2024-08-14 14:52:47 -04:00
Matt Caswell
096a54ee45 Don't compile in support for DSA speed testing if not needed
If there is no DSA support in the library we should not compile in support
for speed testing of DSA. We should skip it in much the same way that we
do for other algorithms.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25153)
2024-08-14 18:22:10 +02:00
Matt Caswell
8e82304adb Fix a memory leak in the speed app
Make sure we free the ecdsa_key object after we have finished using it.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25153)
2024-08-14 18:22:10 +02:00
Matt Caswell
509022ddf8 Add a test recipe for testing the speed command
Previously there was no test for the speed command. We just do some simple
testing, running the command with various options to confirm that it doesn't
crash or report errors. We use the new -testmode option to ensure that this
happens quickly and doesn't really run full speed tests.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25153)
2024-08-14 18:22:10 +02:00
Matt Caswell
1867aac808 Document the new -testmode option to the speed command
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25153)
2024-08-14 18:21:28 +02:00
Matt Caswell
9309b0b8c7 Add a test mode to the speed app
We add a testmode option to the speed app which simply runs 1 iteration of
any speed tests. If anything fails along the way the app returns an error
code.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25153)
2024-08-14 18:21:28 +02:00
Shih-Yi Chen
dbe8059edf Update krb5 to latest master to pick up CVE fixes
CLA: trivial

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25131)

(cherry picked from commit 099a71b48b)
2024-08-14 17:57:43 +02:00
slontis
5f04124aab Add EDDSA FIPS self tests.
See FIPS 140-3 IG Section 10.3.A Part 11
Indicates ECDSA requires a sign and verify test.
Note 11 states that HashEdDSA is not required to be tested if PureEdDSA is tested.
Note 12 indicates that both ED25519 and X448 need to be tested.

Since ED uses the oneshot interface, additional API's needed to be exposed to the
FIPS provider using #ifdef FIPS_MODULE.

Changed ED25518 and ED448 to use fips=true in the FIPS provider.
Updated documentation for provider lists for EDDSA.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22112)
2024-08-14 16:17:47 +02:00
Dmitry Belyavskiy
12ba471c29 Improve the EVP_PKEY_CTX_set_kem_op() documentation
Fixes #25142

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25164)
2024-08-14 11:05:11 +02:00
Pauli
21bcae6561 test: Improve coverage for the PBKDF2 unit tests
Fixes #25136

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25160)
2024-08-14 08:17:45 +10:00
Dmitry Belyavskiy
bd3b24c3af Encap/decap in pkeyutl - tests
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25127)
2024-08-13 11:03:11 +02:00
Dmitry Belyavskiy
14fa2f5f47 Encap/decap in pkeyutl - documentation
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25127)
2024-08-13 11:03:11 +02:00
Dmitry Belyavskiy
12b2e5552b Support of en/decapsulation in the pkeyutl command
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25127)
2024-08-13 11:03:11 +02:00
Michael Baentsch
38a7183102 adds TLS signature algorithms list feature
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24821)
2024-08-13 11:48:54 +10:00
pohsingwu
f3c03be3ad Restrict salt length for RSA-PSS in the FIPS provider
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25115)
2024-08-13 09:55:36 +10:00
pohsingwu
878f74eb08 Setup padding mode correctly in acvp_test
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25115)
2024-08-12 10:26:42 +08:00
Pauli
2f33265039 fipsmodule.cnf: set the signature digest checks option on installation
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
2024-08-12 09:30:50 +10:00
Pauli
fc5c86b8c1 fips: support signature-digest-checks in FIPS provider
Fixes #24936

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
2024-08-12 09:30:50 +10:00
Pauli
db9eb0f96c test: add unit tests for disallowed XOF digests
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
2024-08-12 09:30:43 +10:00
Pauli
5ab9f7e249 signatures: disallow XOF digests when doing signatures
Except for Ed448 and RSA PSS where they are mandatory and allow respectively.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
2024-08-12 09:30:43 +10:00
Pauli
d8783a1807 fipsinstall: use correct macro for no drbg trunc digest option
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
2024-08-12 09:30:43 +10:00
Pauli
fcf8390503 test: update fipsinstall tests to cover signature_digest_check option
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
2024-08-12 09:30:43 +10:00
Pauli
c613f080ca Add signature digest check option to fipsinstall
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
2024-08-12 09:30:43 +10:00
Pauli
5d6e692c36 doc: document -signature_digest_check option to fipsinstall
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
2024-08-12 09:30:42 +10:00
Neil Horman
a46abbd66e Fix typing on call to interlockedExchange for windows
mingw is complaining on builds about the use of InterlockedExchange on a
uint32_t type, as the input parameter here is expected to be LONG
(defined as signed 32 bit on all versions of windows).

the input value (reader_idx) will never grow larger than the group size
of the lock (nominally 2, but always a reasonably small value), so it
should be safe to just cast it to the appropriate type here.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25015)
2024-08-11 08:23:19 -04:00
Dmitry Belyavskiy
d7b659e185 Fix PBMAC1 MAC verification in FIPS mode
The check for fetchability PKCS12KDF doesn't make sense when we have a
different MAC mechanism

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25144)
2024-08-11 10:11:33 +02:00
Pauli
3416c0bff9 test: add error reasons to KBKDF tests
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
2024-08-10 16:36:03 +10:00
Pauli
fb51e4f611 test: add positive FIPS indicator failure tests for DRBGs
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
2024-08-10 16:36:03 +10:00
Pauli
dc16db61f1 test: add error reasons to TLS 1 PRF tests
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
2024-08-10 16:35:54 +10:00
Pauli
90f64d064e test: add error reasons to X9.63 test
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
2024-08-10 16:35:54 +10:00
Pauli
0acf9f8934 test: add error reasons to X9.42 test
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
2024-08-10 16:35:54 +10:00
Pauli
41a9aeb672 test: add error reasons to TLS 1.3 KDF tests
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
2024-08-10 16:35:54 +10:00
Pauli
a969c466b1 test: add error reasons to TLS 1.2 PRF tests
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
2024-08-10 16:35:54 +10:00
Pauli
3cccd17eed test: add error reasons to Single Step KDF tests
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
2024-08-10 16:35:54 +10:00
Pauli
20284908c4 test: add error reasons to SSHKDF tests
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
2024-08-10 16:35:54 +10:00
Pauli
bb3b3abfd5 test: add error reasons to PBKDF2 tests
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
2024-08-10 16:35:54 +10:00
Pauli
8c24acda18 test: add error reasons to HKDF tests
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
2024-08-10 16:35:54 +10:00
Pauli
77915ae8eb test: add error reasons to KMAC tests
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
2024-08-10 16:35:53 +10:00
Pauli
068c9bee37 test: add error reasons to RSA tests
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
2024-08-10 16:35:53 +10:00
Pauli
8e316edd71 fips: change from function call to macro in rsa_enc.c
Use of the function instead of the macro for the indicator unapproved check was
noted in: https://github.com/openssl/openssl/pull/25070#discussion_r1706564363
Fix things to use the macro properly.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25134)
2024-08-10 16:34:51 +10:00
Neil Horman
11adb943ab amend! fixup! limit bignums to 512 bytes
fixup! limit bignums to 512 bytes

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25013)
2024-08-09 07:59:03 -04:00
Neil Horman
f0768376e1 limit bignums to 128 bytes
Keep us from spinning forever doing huge amounts of math in the fuzzer

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25013)
2024-08-09 07:59:03 -04:00
slontis
250a7adbea Add "no-fips-post" configure option.
Using this option disables the OpenSSL FIPS provider
self tests.
This is intended for debugging purposes only,
as it breaks FIPS compliance.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25063)
2024-08-09 09:12:45 +10:00
slontis
ea3888a397 Fix FIPS indicator defines for larger indicies.
A newer PR is using setable3 now so these indicies should be fixed.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25118)
2024-08-09 07:16:29 +10:00