Commit Graph

79 Commits

Author SHA1 Message Date
Liu-Ermeng
170620675d fix sm2 encryption implementation bug.
According to the "GB/T 32918.4-2016"
section 6.1 encryption, step A5:
If result of the "KDF" is all zeros, we should go back to
the begin(step A1).

section 7.1 decryption, step B4:
If result of the "KDF" is all zeros, we should raise error and exit.

Signed-off-by: Liu-Ermeng <liuermeng2@huawei.com>

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23210)
2024-05-15 11:17:14 +02:00
Neil Horman
d6a8adeccd Add check for public key presence on sm2 signing
SM2 requires that the public EC_POINT be present in a key when signing.
If its not there we crash on a NULL pointer.  Add a check to ensure that
its present, and raise an error if its not

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23887)
2024-04-09 20:38:58 +02:00
Richard Levitte
b646179229 Copyright year updates
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
(cherry picked from commit 0ce7d1f355)

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24034)
2024-04-09 13:43:26 +02:00
Bernd Edlinger
1fa2bf9b18 Fix handling of NULL sig parameter in ECDSA_sign and similar
The problem is, that it almost works to pass sig=NULL to the
ECDSA_sign, ECDSA_sign_ex and DSA_sign, to compute the necessary
space for the resulting signature.
But since the ECDSA signature is non-deterministic
(except when ECDSA_sign_setup/ECDSA_sign_ex are used)
the resulting length may be different when the API is called again.
This can easily cause random memory corruption.
Several internal APIs had the same issue, but since they are
never called with sig=NULL, it is better to make them return an
error in that case, instead of making the code more complex.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23529)
2024-04-02 17:47:29 +02:00
K1
9170cc0398 Optimize the implementation of ec_field_size()
No need to create and copy BIGNUM p, a and b, just call
EC_GROUP_get0_field() instead.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/23313)
2024-01-31 10:27:51 +00:00
Matt Caswell
da1c088f59 Copyright year updates
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
2023-09-07 09:59:15 +01:00
Jiasheng Jiang
050dddb061 crypto/sm2/sm2_sign.c: Add BN_CTX_end
To match the BN_CTX_start, it should be better to add
BN_CTX_end in the end of the function.

Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19266)
2023-06-13 13:37:33 +02:00
slontis
4befe81a99 Fix mem leak in ECDSA_sign().
Similiar to the issue found in PR #20553 for DSA_sign().
ECDSA_sign() leaked memory if the signature was NULL
when i2d_ECDSA_SIG was called.

Note that this does not affect the higher level EVP
functions as they correctly handle NULL.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20554)
2023-03-31 14:57:47 -04:00
Richard Levitte
e077455e9e Stop raising ERR_R_MALLOC_FAILURE in most places
Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and
at least handle the file name and line number they are called from,
there's no need to report ERR_R_MALLOC_FAILURE where they are called
directly, or when SSLfatal() and RLAYERfatal() is used, the reason
`ERR_R_MALLOC_FAILURE` is changed to `ERR_R_CRYPTO_LIB`.

There were a number of places where `ERR_R_MALLOC_FAILURE` was reported
even though it was a function from a different sub-system that was
called.  Those places are changed to report ERR_R_{lib}_LIB, where
{lib} is the name of that sub-system.
Some of them are tricky to get right, as we have a lot of functions
that belong in the ASN1 sub-system, and all the `sk_` calls or from
the CRYPTO sub-system.

Some extra adaptation was necessary where there were custom OPENSSL_malloc()
wrappers, and some bugs are fixed alongside these changes.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19301)
2022-10-05 14:02:03 +02:00
JHH20
e257d3e76f Remove duplicated #include headers
CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18220)
2022-05-04 13:46:10 +10:00
Mingjun.Yang
e81c81c9af Add missing check according to SM2 Digital Signature generation algorithm
The process should be conforming to clause 6.1 and 6.2 of GMT 0003.2-2012.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16931)
2021-11-02 12:02:56 +01:00
x2018
1287dabd0b fix some code with obvious wrong coding style
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16918)
2021-10-28 13:10:46 +10:00
Pauli
2576b70d43 sm2: fix error raise to not fail make update
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16411)
2021-08-25 10:12:17 +10:00
Matt Caswell
ad1ca777f9 Check the plaintext buffer is large enough when decrypting SM2
Previously there was no check that the supplied buffer was large enough.
It was just assumed to be sufficient. Instead we should check and fail if
not.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
2021-08-24 14:22:07 +01:00
Matt Caswell
36cf45ef3b Correctly calculate the length of SM2 plaintext given the ciphertext
Previously the length of the SM2 plaintext could be incorrectly calculated.
The plaintext length was calculated by taking the ciphertext length and
taking off an "overhead" value.

The overhead value was assumed to have a "fixed" element of 10 bytes.
This is incorrect since in some circumstances it can be more than 10 bytes.
Additionally the overhead included the length of two integers C1x and C1y,
which were assumed to be the same length as the field size (32 bytes for
the SM2 curve). However in some cases these integers can have an additional
padding byte when the msb is set, to disambiguate them from negative
integers. Additionally the integers can also be less than 32 bytes in
length in some cases.

If the calculated overhead is incorrect and larger than the actual value
this can result in the calculated plaintext length being too small.
Applications are likely to allocate buffer sizes based on this and therefore
a buffer overrun can occur.

CVE-2021-3711

Issue reported by John Ouyang.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
2021-08-24 14:22:07 +01:00
Tomas Mraz
ed576acdf5 Rename all getters to use get/get0 in name
For functions that exist in 1.1.1 provide a simple aliases via #define.

Fixes #15236

Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
2021-06-01 12:40:00 +02:00
Pauli
5cbd2ea3f9 add zero strenght arguments to BN and RAND RNG calls
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15513)
2021-05-29 17:17:12 +10:00
Pauli
b93f6c2db9 err: rename err_load_xxx_strings_int functions
The new names are ossl_err_load_xxx_strings.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15446)
2021-05-26 13:01:47 +10:00
Jon Spillett
d11f644ba5 Fix up issues found when running evp_extra_test with a non-default library context
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14478)
2021-03-17 17:51:16 +10:00
Matt Caswell
8020d79b40 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14512)
2021-03-11 13:27:36 +00:00
Shane Lontis
32ab57cbb4 Fix external symbols related to ec & sm2 keys
Partial fix for #12964

This adds ossl_ names for the following symbols:

ec_*, ecx_*, ecdh_*, ecdsa_*, sm2_*

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14231)
2021-02-26 10:53:01 +10:00
Richard Levitte
4333b89f50 Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13999)
2021-01-28 13:54:57 +01:00
Shane Lontis
5b5eea4b60 Deprecate EC_KEY + Update ec apps to use EVP_PKEY
Co-author: Richard Levitte <levitte@openssl.org>
Co-author: Tomas Mraz <tmraz@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13139)
2021-01-26 15:22:14 +01:00
Nicola Tuveri
9e49aff2aa Add SM2 private key range validation
According to the relevant standards, the valid range for SM2 private
keys is [1, n-1), where n is the order of the curve generator.

For this reason we cannot reuse the EC validation function as it is, and
we introduce a new internal function `sm2_key_private_check()`.

Partially fixes https://github.com/openssl/openssl/issues/8435

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13359)
2021-01-08 23:59:02 +02:00
Richard Levitte
14a6c6a4e1 ERR: Rebuild all generated error headers and source files
This is the result of 'make errors ERROR_REBUILD=-rebuild'

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13390)
2020-11-24 15:22:33 +01:00
Richard Levitte
9311d0c471 Convert all {NAME}err() in crypto/ to their corresponding ERR_raise() call
This includes error reporting for libcrypto sub-libraries in surprising
places.

This was done using util/err-to-raise

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13318)
2020-11-13 09:35:02 +01:00
Matt Caswell
eec0ad10b9 Update copyright year
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13144)
2020-10-15 14:10:06 +01:00
Dr. Matthias St. Pierre
b425001010 Rename OPENSSL_CTX prefix to OSSL_LIB_CTX
Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix,
e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER.

The OPENSSL_CTX type stands out a little by using a different prefix.
For consistency reasons, this type is renamed to OSSL_LIB_CTX.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12621)
2020-10-15 11:59:53 +01:00
Matt Caswell
989684227b Remove some dead SM2 code
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12913)
2020-09-25 11:13:53 +01:00
Shane Lontis
0ecec0fa08 Fix missing propq in sm2
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12944)
2020-09-23 17:31:40 +10:00
Paul Yang
b3d267caac Address review comments
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12536)
2020-09-22 08:18:09 +01:00
Paul Yang
d0b79f8631 Add SM2 signature algorithm to default provider
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12536)
2020-09-22 08:18:09 +01:00
Shane Lontis
5ccada09aa Add evp_test fixes.
Changed many tests so they also test fips (and removed 'availablein = default' from some tests).
Seperated the monolithic evppkey.txt file into smaller maintainable groups.
Changed the availablein option so it must be first - this then skips the entire test before any fetching happens.
Changed the code so that all the OPENSSL_NO_XXXX tests are done in code via methods such as is_cipher_disabled(alg),
before the fetch happens.
Added missing libctx's found by adding a libctx to test_evp.
Broke up large data files for cipher, kdf's and mac's into smaller pieces so they no longer need 'AvailableIn = default'
Added missing algorithm aliases for cipher/digests to the providers.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12236)
2020-08-07 14:29:00 +10:00
Matt Caswell
33388b44b6 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11616)
2020-04-23 13:55:52 +01:00
Richard Levitte
123c2fef14 SM2: Make the EVP_PKEY_METHOD ctrl_str function listen to distid
Because we start using Distinguished ID, we also define the key name
"distid", possibly prefixed with "hex", but keep "sm2_id" and
"sm2_hex_id" for compatibility with GmSSL.

Fixes #11293

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/11302)
2020-03-15 19:42:04 +01:00
Pauli
99b9aa95c4 Remove unused OSSL_PARAM_construct_from_text() function.
This function is recently introduced and never called by the library or tests.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11053)
2020-02-12 19:45:42 +10:00
Pauli
579422c85c Deprecate the ECDSA and EV_KEY_METHOD functions.
Use of the low level ECDSA and EC_KEY_METHOD functions has been informally discouraged for a
long time. We now formally deprecate them.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10960)
2020-02-04 20:02:55 +10:00
Richard Levitte
0943d5dd61 Add SM2 specific parameter and key generation
This makes it possible to generate SM2 parameters and keys like this:

    EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SM2);
    EVP_PKEY *pkey = EVP_PKEY_new();

    EVP_PKEY_keygen_init(pctx);
    EVP_PKEY_keygen(pctx, pkey);

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10942)
2020-02-02 12:04:00 +01:00
Dr. Matthias St. Pierre
25f2138b0a Reorganize private crypto header files
Currently, there are two different directories which contain internal
header files of libcrypto which are meant to be shared internally:

While header files in 'include/internal' are intended to be shared
between libcrypto and libssl, the files in 'crypto/include/internal'
are intended to be shared inside libcrypto only.

To make things complicated, the include search path is set up in such
a way that the directive #include "internal/file.h" could refer to
a file in either of these two directoroes. This makes it necessary
in some cases to add a '_int.h' suffix to some files to resolve this
ambiguity:

  #include "internal/file.h"      # located in 'include/internal'
  #include "internal/file_int.h"  # located in 'crypto/include/internal'

This commit moves the private crypto headers from

  'crypto/include/internal'  to  'include/crypto'

As a result, the include directives become unambiguous

  #include "internal/file.h"       # located in 'include/internal'
  #include "crypto/file.h"         # located in 'include/crypto'

hence the superfluous '_int.h' suffixes can be stripped.

The files 'store_int.h' and 'store.h' need to be treated specially;
they are joined into a single file.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)
2019-09-28 20:26:34 +02:00
Patrick Steuer
19bd1fa1ef s390x assembly pack: accelerate X25519, X448, Ed25519 and Ed448
using PCC and KDSA instructions.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10004)
2019-09-25 15:53:53 +02:00
Richard Levitte
0cd1b144f9 util/mkerr.pl: make it not depend on the function code
The output C code was made to use ERR_func_error_string() to see if a
string table was already loaded or not.  Since this function returns
NULL always, this check became useless.

Change it to use ERR_reason_error_string() instead, as there's no
reason to believe we will get rid of reason strings, ever.

To top it off, we rebuild all affected C sources.

Fixes #9756

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9756)
2019-09-12 17:59:52 +02:00
Paul Yang
a45eb7e891 Support parsing of SM2 ID in hexdecimal
The current EVP_PEKY_ctrl for SM2 has no capability of parsing an ID
input in hexdecimal.

The newly added ctrl string is called: sm2_hex_id

Test cases and documentation are updated.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9584)
2019-08-22 10:29:28 +08:00
Rich Salz
cbfa5b0398 Regenerate mkerr files
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9058)
2019-07-16 05:26:28 +02:00
Antoine Cœur
c2969ff6e7 Fix Typos
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9288)
2019-07-02 14:22:29 +02:00
杨洋
8267becb8b Support SM2 certificate verification
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8321)
2019-03-13 15:29:39 +08:00
David von Oheimb
9fdcc21fdc constify *_dup() and *i2d_*() and related functions as far as possible, introducing DECLARE_ASN1_DUP_FUNCTION
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8029)
2019-03-06 16:10:09 +00:00
Paul Yang
a7cef52f9b Support raw input data in apps/pkeyutl
Some signature algorithms require special treatment for digesting, such
as SM2. This patch adds the ability of handling raw input data in
apps/pkeyutl other than accepting only pre-hashed input data.

Beside, SM2 requries an ID string when signing or verifying a piece of data,
this patch also adds the ability for apps/pkeyutil to specify that ID
string.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8186)
2019-02-27 10:05:17 +08:00
Richard Levitte
f9f859adc6 Following the license change, modify the boilerplates in crypto/smN/
[skip ci]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7818)
2018-12-06 15:24:52 +01:00
Antoine Salon
ffd89124bd EVP module documentation pass
Replace ECDH_KDF_X9_62() with internal ecdh_KDF_X9_63()

Signed-off-by: Antoine Salon <asalon@vmware.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7345)
2018-10-17 13:22:14 +03:00
Richard Levitte
88ea3685e4 crypto/sm2/sm2_sign.c: ensure UINT16_MAX is properly defined
Fixes #7186

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7193)
2018-09-12 02:06:26 +02:00