Also improve related documentation.
- The BIO_FLAGS_BASE64_NO_NL flag did not behave as advertised, only
leading and trailing, but not internal, whitespace was supported:
$ echo 'AA AA' | openssl base64 -A -d | wc -c
0
- Switching from ignored leading input to valid base64 input misbehaved
when the length of the skipped input was one more than the length of
the second and subsequent valid base64 lines in the internal 1k
buffer:
$ printf '#foo\n#bar\nA\nAAA\nAAAA\n' | openssl base64 -d | wc -c
0
- When the underlying BIO is retriable, and a read returns less than
1k of data, some of the already buffered input lines that could have
been decoded and returned were retained internally for a retry by the
caller. This is somewhat surprising, and the new code decodes as many
of the buffered lines as possible. Issue reported by Michał Trojnara.
- After all valid data has been read, the next BIO_read(3) should
return 0 when the input was all valid or -1 if an error was detected.
This now occurs in more consistently, but further tests and code
refactoring may be needed to ensure this always happens.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25253)
Added the function EVP_MD_CTX_get_size_ex() which checks for XOF and
does a ctx get rather than just returning EVP_MD_size().
SHAKE did not have a get_ctx_params() so that had to be added to return the xoflen.
Added a helper function EVP_MD_xof()
EVP_MD_CTX_size() was just an aliased macro for EVP_MD_size(), so to
keep it the same I added an extra function.
EVP_MD_size() always returns 0 for SHAKE now, since it caches the value
of md_size at the time of an EVP_MD_fetch(). This is probably better
than returning the incorrect initial value it was before e.g (16 for
SHAKE128) and returning tht always instead of the set xoflen.
Note BLAKE2B uses "size" instead of "xoflen" to do a similar thing.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25285)
I realised that any application that passes AlgorithmIdentifier parameters
to and from a provider may also be interested in the full AlgorithmIdentifier
of the implementation invocation.
Likewise, any application that wants to get the full AlgorithmIdentifier
from an implementation invocation may also want to pass AlgorithmIdentifier
parameters to that same implementation invocation.
These amendments should be useful to cover all intended uses of the legacy
ctrls for PKCS7 and CMS:
- EVP_PKEY_CTRL_PKCS7_ENCRYPT
- EVP_PKEY_CTRL_PKCS7_DECRYPT
- EVP_PKEY_CTRL_PKCS7_SIGN
- EVP_PKEY_CTRL_CMS_ENCRYPT
- EVP_PKEY_CTRL_CMS_DECRYPT
- EVP_PKEY_CTRL_CMS_SIGN
It should also cover a number of other cases that were previously implemented
through EVP_PKEY_ASN1_METHOD, as well as all sorts of other cases where the
application has had to assemble a X509_ALGOR on their own.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25000)
The following API groups are extended with a new init function, as well
as an update and final function, to allow the use of explicitly fetched
signature implementations for any composite signature algorithm, like
"sha1WithRSAEncryption":
- EVP_PKEY_sign
- EVP_PKEY_verify
- EVP_PKEY_verify_recover
To support this, providers are required to add a few new functions, not
the least one that declares what key types an signature implementation
supports.
While at this, the validity check in evp_signature_from_algorithm() is
also refactored; the SIGNATURE provider functionality is too complex for
counters. It's better, or at least more readable, to check function
combinations.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23416)
Add defines for new CPACF functions codes, its required MSA levels, and
document how to disable these functions via the OPENSSL_s390xcap environment
variable.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25161)
internally.
This is not using a strict check since there may be applications that
require the IV to be generated externally (e.g. java).
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25178)
The documentation currently describes SSL_CTX_set1_groups as a
preference order, but this does not match the typical interpretation of
"preference order" in OpenSSL and TLS. Typically, an application can
order more secure options ahead of less secure ones and pick up TLS's
usual downgrade protection guarantees.
TLS 1.3 servers need to balance an additional consideration: some
options will perform worse than others due to key share prediction. The
prototypical selection procedure is to first select the set of more
secure options, then select the most performant among those.
OpenSSL follows this procedure, but it *unconditionally* treats all
configured curves as equivalent security. Per discussion on GitHub,
OpenSSL's position is that this is an intended behavior.
While not supported by built-in providers, OpenSSL now documents that
external providers can extend the group list and CHANGES.md explicitly
cites post-quantum as a use case. With post-quantum providers, it's
unlikely that application developers actually wanted options to be
equivalent security. To avoid security vulnerabilities arising from
mismatched expectations, update the documentation to clarify the server
behavior.
Per the OTC decision in
https://github.com/openssl/openssl/issues/22203#issuecomment-1744465829,
this documentation fix should be backported to stable branches.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23776)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24821)
Added OSSL_FUNC_keymgmt_gen_get_params() and
OSSL_FUNC_keymgmt_gen_gettable_params()
This will allow a FIPS indicator parameter to be queried after keygen.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24978)
Avoid using a fetched cipher that is decrypt-only
which is the case for 3DES from the fips provider.
Add a decrypt-only parameter to the EVP_CIPHER and test it
in libssl when fetching.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25028)
This leaves 3DES with the FIPS query "FIPS=yes", which allows
Triple-DES to be used for Decryption by default.
Disallow CMAC using Triple-DES in FIPS.
This does not use a FIPS indicator.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24960)
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/24927)
utility function to give us sane checking on strtoul conversions
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24861)
Fixes#7941: Update the `EVP_EncryptUpdate` documentation to specify that in-place encryption is guaranteed only if the context does not contain incomplete data from previous operations.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24887)
The "max_request" string is defined via the OSSL_RAND_PARAM_MAX_REQUEST
macro.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24863)
The introduction of a deprecation notice between the header include
line and the function prototypes left the inclusion in the previous
block. Move the #include to after the deprecation notice to ensure
that the headers is included together with the corresponding MDX_y*
functions.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24864)
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24858)
Add documentation for the internal flags `EVP_MD_CTX_FLAG_CLEANED` and
`EVP_MD_CTX_FLAG_REUSE`, explicitly stating that these flags are for
internal use only and must not be used in user code.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24829)
Add a FIPS indicator callback that can be set via
OSSL_INDICATOR_set_callback(). This callback is intended to be run
whenever a non approved algorithm check has occurred and strict checking
has been disabled.The callback may be used to
log non approved algorithms. The callback is passed a type and
description string as well as the cbarg specified in OSSL_INDICATOR_set_callback.
The return value can be either 0 or 1.
A value of 0 can be used for testing purposes to force an error to occur from the algorithm
that called the callback.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24623)
Fixes#5537
Added a note that the error check for `BN_mask_bits()` depends
on the internal representation that depends on the platform's word size.
Included a reference to the `BN_num_bits()` function for precise bit checking.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24812)
Added SSL_set_block_padding_ex() and SSL_CTX_set_block_padding_ex()
to allow separate padding block size values for handshake messages
and application data messages.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24796)
Fixes#5539: Create a new manual page `CMAC_CTX.pod` documenting the deprecated `CMAC_CTX` functions and add the necessary build dependencies. This page includes function descriptions, usage details, and replacement suggestions with the `EVP_MAC` interface.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24814)
Mark the existing `TS_VERIFY_CTX_set_certs` function as deprecated in the
documentation.
Add missing documentation for the deprecated functions `TS_VERIFY_CTX_set_data`,
`TS_VERIFY_CTX_set_imprint`, and `TS_VERIFY_CTX_set_store`.
Write missing documentation for the following functions:
- `TS_VERIFY_CTX_new`
- `TS_VERIFY_CTX_init`
- `TS_VERIFY_CTX_free`
- `TS_VERIFY_CTX_cleanup`
- `TS_VERIFY_CTX_set_flags`
- `TS_VERIFY_CTX_add_flags`
- `TS_VERIFY_CTX_set0_data`
- `TS_VERIFY_CTX_set0_imprint`
- `TS_VERIFY_CTX_set0_store`
- `TS_VERIFY_CTX_set0_certs`
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24701)
Remove superfluous "the" from sentence.
CLA: trivial
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24790)
Addressing issue (#24517):
Updated the example in CRYPTO_THREAD_run_once.pod to reflect that an unlock call should not be made if a write_lock failed.
Updated BIO_lookup_ex in bio_addr.c and ossl_engine_table_select in eng_table.c to not call unlock if the lock failed.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/24779)
InterlockedAnd64 and InterlockedAdd64 are not available on VS2010 x86.
We already have implemented replacements for other functions, such as
InterlockedOr64. Apply the same approach to fix the errors.
A CRYPTO_RWLOCK rw_lock is added to rcu_lock_st.
Replace InterlockedOr64 and InterlockedOr with CRYPTO_atomic_load and
CRYPTO_atomic_load_int, using the existing design pattern.
Add documentation and tests for the new atomic functions
CRYPTO_atomic_add64, CRYPTO_atomic_and
Fixes:
libcrypto.lib(libcrypto-lib-threads_win.obj) : error LNK2019: unresolved external symbol _InterlockedAdd64 referenced in function _get_hold_current_qp
libcrypto.lib(libcrypto-lib-threads_win.obj) : error LNK2019: unresolved external symbol _InterlockedOr referenced in function _get_hold_current_qp
libcrypto.lib(libcrypto-lib-threads_win.obj) : error LNK2019: unresolved external symbol _InterlockedAnd64 referenced in function _update_qp
libcrypto.lib(libcrypto-lib-threads_win.obj) : error LNK2019: unresolved external symbol _InterlockedOr64 referenced in function _ossl_synchronize_rcu
Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24405)
Explicitly documents that *_free(NULL) does nothing.
Fixes two cases where that wasn't true.
Fixes#24675.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Sasa Nedvedicky <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24735)
We clarify the input preconditions and the expected behaviour in the event
of no overlap.
Follow on from CVE-2024-5535
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24716)
Added tests for SDA and AI extensions.
Added internal function ossl_print_attribute_value() with documentation.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24669)
Bulk editing had history wrongly specify current functions as deprecated,
among other small errors.
Fixes#24678
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24680)
