Commit Graph

162 Commits

Author SHA1 Message Date
wangcheng
4c41aa4b33 Add CTX copy function for EVP_MD to optimize the performance of EVP_MD_CTX_copy_ex.
1. Add OSSL_FUNC_digest_copyctx_fn function for EVP_MD, which is used to copy algctx from the old EVP_MD_CTX to the new one.

2. Add implementation of OSSL_FUNC_digest_copyctx_fn function for default providers.

3. Modify EVP_MD_CTX_copy_ex: When the fetched digest is the same in in and out contexts, use the copy function to copy the members in EVP_MD_CTX if the OSSL_FUNC_digest_copyctx_fn function exists. Otherwise, use the previous method to copy.

4. Add documentation for OSSL_FUNC_digest_copyctx function in doc/man7/provider-digest.pod.

5. Add testcase.

Fixes #25703

Signed-off-by: wangcheng <bangwangnj@163.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25726)
2024-11-20 14:12:53 +01:00
Pauli
6f20c6804e fips: continuous random bit generator tests
For FIPS 140-3 the continuous tests specified in SP 800-90B need to be
included on the output of any entropy source.

They are implemented here as a replacement for the primary DRBG in the FIPS
provider.  This results in a setup that looks like this:

               +-------------+
               |             |
               | Seed Source |
               |             |
               +------+------+
                      |
                      |
                      v
               +-------------+
               |             |
               |  CRNG Test  |
               |             |
               ++----------+-+
                |          |
                |          |
                v          v
    +--------------+     +--------------+
    |              |     |              |
    | Public DRBG  |     | Private DRBG |
    |              |     |              |
    +--------------+     +--------------+

An additional benefit, that of avoiding DRBG chains, is also gained.
The current standards do not permit the output of one DRBG to be used
as the input for a second (i.e. a chain).

This also leaves open the future possibility of incorporating a seed
source inside the FIPS boundary.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25415)
2024-09-19 08:44:14 +10:00
Tomas Mraz
7ed6de997f Copyright year updates
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
2024-09-05 09:35:49 +02:00
Richard Levitte
f68ba38e18 Refactor OpenSSL 'ECDSA' EVP_SIGNATURE to also include ECDSA+hash composites
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24992)
2024-08-30 11:54:13 +02:00
Richard Levitte
bb2be4f066 Refactor OpenSSL 'DSA' EVP_SIGNATURE to also include DSA+hash composites
(in the code, "sigalg" is used to refer to these composite algorithms,
which is a nod to libcrypto and libssl, where that term is commonly used
for composite algorithms)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24992)
2024-08-30 11:54:13 +02:00
Richard Levitte
1751334f59 Refactor OpenSSL 'EdDSA' EVP_SIGNATURE to allow use with EVP_PKEY functions
Add EVP_PKEY_{sign,verify}_message support for our Ed25519 and Ed448
implementations, including ph and ctx variants.

Tests are added with test_evp stanzas.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24975)
2024-08-29 19:13:06 +02:00
slontis
ea396c7024 Add FIPS KMAC key check
This adds a FIPS indicator for KMAC key size.
Note that 112 bits keys are still smaller than the
sizes required to reach 128 bits for KMAC128 and
256 bits for KMAC256

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25049)
2024-08-21 15:34:58 +02:00
slontis
390f00a1e9 Add HMAC FIPS keysize check.
HMAC has been changed to use a FIPS indicator for its key check.

HKDF and Single Step use a salt rather than a key when using HMAC,
so we need a mechanism to bypass this check in HMAC.

A seperate 'internal' query table has been added to the FIPS provider
for MACS. Giving HMAC a seprate dispatch table allows KDF's to ignore
the key check. If a KDF requires the key check then it must do the
check itself. The normal MAC dipatch table is used if the user fetches
HMAC directly.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25049)
2024-08-21 15:34:40 +02:00
Richard Levitte
572a8371ab Refactor OpenSSL 'RSA' EVP_SIGNATURE to also include RSA+hash composites
(in the code, "sigalg" is used to refer to these composite algorithms,
which is a nod to libcrypto and libssl, where that term is commonly used
for composite algorithms)

To make this implementation possible, wrappers were added around the hash
function itself, allowing the use of existing hash implementations through
their respective OSSL_DISPATCH tables, but also retaining the dynamic fetch
of hash implementations when the digest_sign / digest_verify functionality
is used.  This wrapper allows implementing the RSA+hash composites through
simple initializer function and a custom OSSL_DISPATCH table for each.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23416)
2024-08-21 08:21:06 +02:00
Dimitri John Ledkov
f8c510cd20 JITTER: implement error handling from jitter library
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)
2024-07-31 14:44:51 +10:00
Dimitri John Ledkov
b28b312804 jitter: add a new provider containing a jitter entropy source alone
This entropy source can be used instead of SEED-SRC. Sample
openssl.cnf configuration is provided. It is built as a separate
provider, because it is likely to require less frequent updates than
fips provider. The same build likely can span multiple generations of
FIPS 140 standard revisions.

Note that rand-instances currently chain from public/private instances
to primary, prior to consuming the seed. Thus currently a unique ESV
needs to be obtained, and resue of jitterentropy.a certificate is not
possible as is. Separately a patch will be sent to allow for
unchaining public/private RAND instances for the purpose of reusing
ESV.

Also I do wonder if it makes sense to create a fips variant of stock
SEED-SRC entropy source, which in addition to using getrandom() also
verifies that the kernel is operating in FIPS mode and thus is likely
a validated entropy source. As in on Linux, check that
/proc/sys/crypto/fips_enabled is set to 1, and similar checks on
Windows / MacOS and so on.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)
2024-07-31 14:44:51 +10:00
Dimitri Papadopoulos
1cf2f8231e Remove trailing whitespace
Found by running the checkpatch.pl Linux script to enforce coding style.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22097)
2024-07-22 06:55:35 -04:00
наб
6d1e730a1e Implement BLAKE2s with the same macro as BLAKE2b
This avoids code duplication and provides variable-size support
for BLAKE2s like 786b9a8

Test data obtained with libb2 with the following programs:

	==> b2.c <==
	#include <blake2.h>
	#include <unistd.h>

	int main() {
		char buf[16] = {};
		blake2s(buf, 0, 0, 16, 0, 0);
		write(1, buf, 16);
	}

	==> b3.c <==
	#include <blake2.h>
	#include <unistd.h>

	int main() {
		char buf[10] = {};
		blake2s(buf, "\x61", 0, 10, 1, 0);
		write(1, buf, 10);
	}

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22444)
2023-11-08 09:42:13 +01:00
Tomas Mraz
3a95d1e41a update/final: Return error if key is not set
Also make sure the key is not set if the key
length is changed on the context after the key was
set previously.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22590)
2023-11-03 13:36:13 +01:00
Tomas Mraz
6a0ae393dd Blake2b: Use OSSL_DIGEST_PARAM_SIZE as settable instead of XOFLEN
BLAKE2 is not really an extensible output function unlike SHAKE
as the digest size must be set during the context initialization.
Thus it makes no sense to use OSSL_DIGEST_PARAM_XOFLEN.

We also need to adjust EVP_DigestFinal_ex() to query the
OSSL_DIGEST_PARAM_SIZE as gettable ctx param for the size.

Fixes #22488

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22491)
2023-10-25 20:13:39 +01:00
Tomas Mraz
143ca66cf0 Avoid another copy of key schedule pointer in PROV_GCM_CTX
This copy would need an update on dupctx but
rather than doing it just remove the copy.

This fixes failures of evp_test on Windows with
new CPUs.

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22384)
2023-10-16 12:12:36 +02:00
Richard Levitte
df9ecd2ef3 Have legacy blake2 EVP structure use base blake2 implementation
For some reason, the code here was made to got through the provider
specific init functions.  This is very very dangerous if the provider
specific functions were to change in any way (such as changes to the
implementation context structure).

Instead, use the init functions from the base blake2 implementations
directly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22079)
2023-09-14 09:07:29 +10:00
Neil Horman
0239fb3db7 Add dupctx support to aead ciphers
Add dupctx method support to to ciphers implemented with IMPLEMENT_aead_cipher
This includes:
aes-<kbits>-gcm
aria-<kbits>-ccm
aria-<kbits>-gcm
sm4-<kibs>-gcm

Fixes #21887

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21933)
2023-09-12 15:59:11 +02:00
Matt Caswell
da1c088f59 Copyright year updates
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
2023-09-07 09:59:15 +01:00
Pauli
7599d17d93 prov(legacy): update to structure based atomics
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21260)
2023-07-01 21:18:25 +10:00
Fergus Dall
81bafac5cb Add support for SHA256/192
This is defined in NIST SP 800-208 as the truncation to 192 bits of
SHA256. Unlike other truncated hashes in the SHA2 suite, this variant
doesn't have a different initial state, it is just a pure truncation
of the output.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21180)
2023-06-28 08:00:43 +10:00
Yi Li
4032cd9a14 configure: introduce no-ecx to remove ECX related feature
This can effectively reduce the binary size for platforms
that don't need ECX feature(~100KB).

Signed-off-by: Yi Li <yi1.li@intel.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20781)
2023-06-14 13:06:22 +10:00
Irak Rigia
1e6bd31e58 Replaced '{ 0, NULL }' with OSSL_DISPATCH_END in OSSL_DISPATCH arrays
Fixes #20710

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20745)
2023-04-21 16:19:11 +02:00
Čestmír Kalina
6dfa998f7e providers: add Argon2 KDF
https://datatracker.ietf.org/doc/rfc9106/

Signed-off-by: Čestmír Kalina <ckalina@redhat.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12256)
2023-03-17 11:12:47 +11:00
Čestmír Kalina
786b9a8d3f providers: add XOF support to blake2b
Signed-off-by: Čestmír Kalina <ckalina@redhat.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12256)
2023-03-17 11:12:45 +11:00
slontis
f3090fc710 Implement deterministic ECDSA sign (RFC6979)
This PR is based off the contributions in PR #9223 by Jemmy1228.

It has been modified and reworked to:
(1) Work with providers
(2) Support ECDSA and DSA
(3) Add a KDF HMAC_DRBG implementation that shares code with the RAND HMAC_DRBG.

A nonce_type is passed around inside the Signing API's, in order to support any
future deterministic algorithms.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18809)
2022-11-30 07:31:53 +00:00
Xu Yizhou
2788b56f0c providers: Add SM4 XTS implementation
Signed-off-by: Xu Yizhou <xuyizhou1@huawei.com>

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19619)
2022-11-29 16:17:30 +01:00
Pauli
da7db83cc4 rand: remove the ossl_rand_pool_add_additional_data() function.
This function isn't called from anywhere and cannot easily be used
by the current RNG infrastructure.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/19493)
2022-10-27 09:23:00 +11:00
slontis
78c44b0594 Add HPKE DHKEM provider support for EC, X25519 and X448.
The code is derived from @sftcd's work in PR #17172.
This PR puts the DHKEM algorithms into the provider layer as
KEM algorithms for EC and ECX.

This PR only implements the DHKEM component of HPKE as specified in
RFC 9180.

crypto/hpke/hpke_util.c has been added for fuctions that will
be shared between DHKEM and HPKE.

API's for EVP_PKEY_auth_encapsulate_init() and EVP_PKEY_auth_decapsulate_init()
have been added to support authenticated encapsulation. auth_init() functions
were chosen rather that a EVP_PKEY_KEM_set_auth() interface to support
future algorithms that could possibly need different init functions.

Internal code has been refactored, so that it can be shared between the DHKEM
and other systems. Since DHKEM operates on low level keys it needs to be
able to do low level ECDH and ECXDH calls without converting the keys
back into EVP_PKEY/EVP_PKEY_CTX form. See ossl_ecx_compute_key(),
ossl_ec_public_from_private()

DHKEM requires API's to derive a key using a seed (IKM). This did not sit
well inside the DHKEM itself as dispatch functions. This functionality
fits better inside the EC and ECX keymanagers keygen, since
they are just variations of keygen where the private key is generated
in a different manner. This should mainly be used for testing purposes.
See ossl_ec_generate_key_dhkem().
It supports this by allowing a settable param to be passed to keygen
(See OSSL_PKEY_PARAM_DHKEM_IKM).
The keygen calls code within ec and ecx dhkem implementation to handle this.
See ossl_ecx_dhkem_derive_private() and ossl_ec_dhkem_derive_private().
These 2 functions are also used by the EC/ECX DHKEM implementations to generate
the sender ephemeral keys.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19068)
2022-09-23 09:24:47 +01:00
Hugo Landau
606e0426a1 Add support for loading root CAs from Windows crypto API
Fixes #18020.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18070)
2022-09-14 14:10:18 +01:00
K1
08ae9fa627 Support decode SM2 parameters
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18819)
2022-08-23 11:08:11 +10:00
Pauli
709d4be78f Limit the size of various MAXCHUNK definitions
The current code has issues when sizeof(long) <> sizeof(size_t).  The two
types are assumed to be interchangeable and them being different will
cause crashes and endless loops.

This fix limits the maximum chunk size for many of the symmetric ciphers
to 2^30 bytes.  This chunk size limits the amount of data that will
be encrypted/decrypted in one lump.  The code internally handles block
of data later than the chunk limit, so this will present no difference
to the caller.  Any loss of efficiency due to limiting the chunking to
1Gbyte rather than more should be insignificant.

Fixes Coverity issues:
    1508498, 1508500 - 1508505, 1508507 - 1508527, 1508529 - 1508533,
    1508535 - 1508537, 1508539, 1508541 - 1508549, 1508551 - 1508569 &
    1508571 - 1508582.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18997)
2022-08-19 17:26:12 +10:00
Todd Short
0113ec8460 Implement AES-GCM-SIV (RFC8452)
Fixes #16721

This uses AES-ECB to create a counter mode AES-CTR32 (32bit counter, I could
not get AES-CTR to work as-is), and GHASH to implement POLYVAL. Optimally,
there would be separate polyval assembly implementation(s), but the only one
I could find (and it was SSE2 x86_64 code) was not Apache 2.0 licensed.

This implementation lives only in the default provider; there is no legacy
implementation.

The code offered in #16721 is not used; that implementation sits on top of
OpenSSL, this one is embedded inside OpenSSL.

Full test vectors from RFC8452 are included, except the 0 length plaintext;
that is not supported; and I'm not sure it's worthwhile to do so.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18693)
2022-07-29 08:32:16 -04:00
Tomas Mraz
7a9e93dda5 Fix regression in default key length for Blowfish CFB and OFB ciphers
Fixes #18359

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18362)
2022-05-23 08:50:42 +02:00
Hongren (Zenithal) Zheng
2787a709c9 Make IV/buf in prov_cipher_ctx_st aligned
Make IV/buf aligned will drastically improve performance
as some architecture performs badly on misaligned memory
access.

Ref to
https://gist.github.com/ZenithalHourlyRate/7b5175734f87acb73d0bbc53391d7140#file-2-openssl-long-md
Ref to
openssl#18197

Signed-off-by: Hongren (Zenithal) Zheng <i@zenithal.me>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18267)
2022-05-11 15:10:07 +02:00
Matt Caswell
fecb3aae22 Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
2022-05-03 13:34:51 +01:00
Weiguo Li
3d27ac8d92 Add define guards to avoid multi-inclusion
This header files are included by multiple other headers.
It's better to add define guards to prevent multi-inclusion.
Adhere to the coding style, all preprocessor directives inside
the guards gain a space.

Signed-off-by: Weiguo Li <liwg06@foxmail.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/17666)
2022-02-16 16:11:56 +01:00
Tomas Mraz
bef9b48e50 Add null digest implementation to the default provider
This is necessary to keep compatibility with 1.1.1.

Fixes #16660

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17016)
2021-11-15 09:25:42 +01:00
Tianjia Zhang
c2ee608a23 providers: Add SM4 GCM implementation
The GCM mode of the SM4 algorithm is specifieded by RFC8998.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16491)
2021-09-28 19:27:58 +10:00
Pauli
722fe8edf2 kdf: Add PVK KDF to providers.
Add PIN Verification Key key derevation function to providers.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
2021-09-28 18:08:41 +10:00
Ulrich Müller
524f126110 Add default provider support for Keccak 224, 256, 384 and 512
Fixes issue openssl#13033

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16594)
2021-09-23 12:07:57 +10:00
Richard Levitte
0195cdd28f ENCODER PROV: Add encoders with EncryptedPrivateKeyInfo output
Since EncryptedPrivateKeyInfo is a recognised structure, it's
reasonable to think that someone might want to specify it.

To be noted is that if someone specifies the structure PrivateKeyInfo
but has also passed a passphrase callback, the result will still
become a EncryptedPrivateKeyInfo structure.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
2021-09-05 21:34:51 +02:00
Shane Lontis
7f5a9399d2 Add support for camellia cbc cts mode
Fixes #16276

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16286)
2021-08-18 08:38:40 +10:00
Pauli
f7d998a206 tls/prov: move the TLS 1.3 KDF code to providers
This function needs to be power up tested as part of the FIPS validation and
thus it needs to be inside the provider boundary.  This is realised by
introducing a new KDF "TLS13-KDF" which does the required massaging of
parameters but is otherwise functionally equivalent to HKDF.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16203)
2021-08-05 15:43:59 +10:00
Pauli
c55c7d0292 Remove lower limit on GCM mode ciphers
Fixes #16057

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16064)
2021-07-14 12:02:03 +02:00
Pauli
56cd5dc78b provider: use #define for PBKDF1 algorithm name
This seems to be standard practice so bringing PBKDF1 into line.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15967)
2021-07-05 11:49:42 +10:00
Matt Caswell
38fc02a708 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15801)
2021-06-17 13:24:59 +01:00
Matt Caswell
8c7c1c84cb Add a generic SubjectPublicKeyInfo decoder
Previously all the SubjectPublicKeyInfo decoders were specific to a key
type. We would iterate over all them until a match was found for the correct
key type. Each one would fully decode the key before then testing whether
it was a match or not - throwing it away if not. This was very inefficient.

Instead we introduce a generic SubjectPublicKeyInfo decoder which figures
out what type of key is contained within it, before subsequently passing on
the data to a key type specific SubjectPublicKeyInfo decoder.

Fixes #15646

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15662)
2021-06-14 09:43:01 +01:00
Richard Levitte
6a2b8ff392 Decoding PKCS#8: separate decoding of encrypted and unencrypted PKCS#8
This has us switch from the 'structure' "pkcs8" to "PrivateKeyInfo",
which is sensible considering we already have "SubjectPublicKeyInfo".
We also add "EncryptedPrivateKeyInfo", and use it for a special decoder
that detects and decrypts an EncryptedPrivateKeyInfo structured DER
blob into a PrivateKeyInfo structured DER blob and passes that on to
the next decoder implementation.

The result of this change is that PKCS#8 decryption should only happen
once per decoding instead of once for every expected key type.
Furthermore, this new decoder implementation sets the data type to the
OID of the algorithmIdentifier field, thus reducing how many decoder
implementations are tentativaly run further down the call chain.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15498)
2021-06-09 17:00:10 +02:00
Shane Lontis
f41fd10d90 Add a gettable for provider ciphers to return the EVP_CIPH_RAND_KEY flag
Fixes #15531

DES and TDES set this flag which could possibly be used by applications.
The gettable cipher param OSSL_CIPHER_PARAM_HAS_RAND_KEY has been added.

Note that EVP_CIPHER_CTX_rand_key() uses this flag.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15606)
2021-06-08 15:16:06 +10:00