Commit Graph

36052 Commits

Author SHA1 Message Date
Alexandr Nedvedicky
bbe4571f57 EVP_CIPHER_CTX_get_algor_params() may attempt to access params array
at position -1 (prams[=1]).

The issue has been reported by coverity check.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25303)
2024-09-03 21:18:51 +02:00
Ingo Franzki
c23ce35225 s390x: Fix prehash-by-caller handling for ED25519 and ED448
In case of prehash or prehash-by-caller is set skip the s390x specific
acceleration an fallback to the non-accelerated code path.

Fixes: 6696682774

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25351)
2024-09-03 21:16:23 +02:00
Ingo Franzki
a75d62637a s390x: Disable HMAC hardware acceleration when an engine is used for the digest
The TLSProxy uses the 'ossltest' engine to produce known output for digests
and HMAC calls. However, when running on a s390x system that supports
hardware acceleration of HMAC, the engine is not used for calculating HMACs,
but the s390x specific HMAC implementation is used, which does produce correct
output, but not the known output that the engine would produce. This causes
some tests (i.e. test_key_share, test_sslextension, test_sslrecords,
test_sslvertol, and test_tlsextms) to fail.

Disable the s390x HMAC hardware acceleration if an engine is used for the
digest of the HMAC calculation. This provides compatibility for engines that
provide digest implementations, and assume that these implementations are also
used when calculating an HMAC.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25287)
2024-09-03 21:15:00 +02:00
Tomas Mraz
03b22b4d73 Add CVE-2024-5535 to CHANGES and NEWS
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
(cherry picked from commit abcb0f83d060eb816503a6a36959ce8498a24111)
2024-09-03 21:06:19 +02:00
Viktor Dukhovni
ca979e854b Updated CHANGES and NEWS for CVE-2024-6119 fix
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(cherry picked from commit cf384d35aa)
2024-09-03 21:04:03 +02:00
Viktor Dukhovni
0890cd13d4 Avoid type errors in EAI-related name check logic.
The incorrectly typed data is read only, used in a compare operation, so
neither remote code execution, nor memory content disclosure were possible.
However, applications performing certificate name checks were vulnerable to
denial of service.

The GENERAL_TYPE data type is a union, and we must take care to access the
correct member, based on `gen->type`, not all the member fields have the same
structure, and a segfault is possible if the wrong member field is read.

The code in question was lightly refactored with the intent to make it more
obviously correct.

Fixes CVE-2024-6119

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
2024-09-03 11:58:40 +02:00
Tomas Mraz
5650289743 Add CHANGES.md and NEWS.md updates for the 3.4 release
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25339)
2024-09-03 11:20:45 +02:00
Brad Smith
01f4b44e07 Add support for elf_aux_info() on OpenBSD
CLA: trivial

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25346)
2024-09-02 16:12:48 +02:00
Theo Buehler
16e7da091c Missing .rodata for AVX2/AVX512 codepaths
This is a follow-up to #23997

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25340)
2024-09-02 10:26:45 +02:00
Adam (ThinLinc team)
c94d13a069 Detect MinGW 32 bit for NO_INTERLOCKEDOR64
Builds using 32 bit MinGW will fail, due to the same reasoning described in commit 2d46a44ff2.

CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25025)
2024-09-02 10:24:58 +02:00
Ingo Franzki
d5b3c0e24b s390x: Fix HMAC digest detection
Use EVP_MD_is_a() instead of EVP_MD_get_type() to detect the digest
type. EVP_MD_get_type() does not always return the expected NID, e.g.
when running in the FIPS provider, EVP_MD_get_type() returns zero,
causing to skip the HMAC acceleration path.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25304)
2024-09-02 10:23:22 +02:00
Viktor Dukhovni
0cd9dd703e Improve base64 BIO correctness and error reporting
Also improve related documentation.

- The BIO_FLAGS_BASE64_NO_NL flag did not behave as advertised, only
  leading and trailing, but not internal, whitespace was supported:

      $ echo 'AA AA' | openssl base64 -A -d | wc -c
      0

- Switching from ignored leading input to valid base64 input misbehaved
  when the length of the skipped input was one more than the length of
  the second and subsequent valid base64 lines in the internal 1k
  buffer:

    $ printf '#foo\n#bar\nA\nAAA\nAAAA\n' | openssl base64 -d | wc -c
    0

- When the underlying BIO is retriable, and a read returns less than
  1k of data, some of the already buffered input lines that could have
  been decoded and returned were retained internally for a retry by the
  caller.  This is somewhat surprising, and the new code decodes as many
  of the buffered lines as possible.  Issue reported by Michał Trojnara.

- After all valid data has been read, the next BIO_read(3) should
  return 0 when the input was all valid or -1 if an error was detected.
  This now occurs in more consistently, but further tests and code
  refactoring may be needed to ensure this always happens.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25253)
2024-08-30 15:09:10 +02:00
Richard Levitte
d1c2c054a4 fix: ossl_digest_get_approved_nid() returns NID_undef on invalid digest
We checked using 'md_nid < 0', which is faulty.

Impact: DSA and ECDSA signature provider implementations

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24992)
2024-08-30 11:54:13 +02:00
Richard Levitte
f68ba38e18 Refactor OpenSSL 'ECDSA' EVP_SIGNATURE to also include ECDSA+hash composites
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24992)
2024-08-30 11:54:13 +02:00
Richard Levitte
bb2be4f066 Refactor OpenSSL 'DSA' EVP_SIGNATURE to also include DSA+hash composites
(in the code, "sigalg" is used to refer to these composite algorithms,
which is a nod to libcrypto and libssl, where that term is commonly used
for composite algorithms)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24992)
2024-08-30 11:54:13 +02:00
Pauli
c6c6af18ea endecode_test.c: Fix !fips v3.0.0 check
The fips_provider_version_* functions return true if the FIPS provider isn't
loaded.  This is somewhat counterintuitive and the fix in #25327 neglected
this nuance resulting in not running the SM2 tests when the FIPS provider
wasn't being loaded.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25331)
2024-08-30 11:42:40 +02:00
Richard Levitte
15b748496f exporters for pkg-config: align with the changes for CMake
The latest CMake exporter changes reworked the the variables in builddata.pm
and installdata.pm.  Unfortunately, the pkg-config exporter templates were
forgotten in that effort.

Fixes #25299

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25308)
2024-08-30 05:20:48 +02:00
Tomas Mraz
0b97a5505e endecode_test.c: Avoid running the SM2 tests with 3.0.0 FIPS provider
Fixes #25326

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25327)
2024-08-29 19:45:47 +02:00
Viktor Dukhovni
b4e4bf29ba Check for excess data in CertificateVerify
As reported by Alicja Kario, we ignored excess bytes after the
signature payload in TLS CertificateVerify Messages.  These
should not be present.

Fixes: #25298

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25302)
2024-08-29 19:32:00 +02:00
Joerg Schmidbauer
25f5d7b85f s390x: support CPACF sha3/shake performance improvements
On newer machines the SHA3/SHAKE performance of CPACF instructions KIMD and KLMD
can be enhanced by using additional modifier bits. This allows the application
to omit initializing the ICV, but also affects the internal processing of the
instructions. Performance is mostly gained when processing short messages.

The new CPACF feature is backwards compatible with older machines, i.e. the new
modifier bits are ignored on older machines. However, to save the ICV
initialization, the application must detect the MSA level and omit the ICV
initialization only if this feature is supported.

Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25235)
2024-08-29 19:26:06 +02:00
Clemens Lang
6772c2ab1b doc: Document properties param for Argon2 KDF
The Argon2 KDF uses OSSL_KDF_PARAM_PROPERTIES to fetch implementations
of blake2bmac and blake2b512 if ctx->mac and ctx->md are NULL. This
isn't documented in the manpage, so users that might, for example, want
to fetch an instance of Argon2 with the -fips property query to obtain
a working Argon2 KDF even though the default property query requires
fips=yes are left wondering why this fails.

Fortunately, EVP_KDF(3)/PARAMETERS already explains what the properties
are used for, so we really just need to add a single line.

Signed-off-by: Clemens Lang <cllang@redhat.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25306)
2024-08-29 19:20:05 +02:00
erbsland-dev
80008d4a94 Refactor and Enhance Compression Field Testing
Fixes #7940: Enhances the existing test for compression methods in the ClientHello message, aligning with RFC 8446 specifications.

Refactored the test code to improve modularity and maintainability, making it easier to extend and modify in the future.

Added checks for the appropriate alerts, ensuring that `SSL_AD_ILLEGAL_PARAMETER` or `SSL_AD_DECODE_ERROR` are correctly triggered as per the RFC 8446 guidelines.

Expanded Test Coverage: Introduced additional test cases to cover scenarios involving:
- Lists of unknown compression methods
- Absence of any compression method
- Validation of a single null compression method, which should always succeed.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25255)
2024-08-29 19:16:38 +02:00
erbsland-dev
c026101be0 Correct Alert Handling for Missing Compression Methods
Fixes #7940: Updated the compression check logic to improve protocol compliance. The code now returns `SSL_AD_DECODE_ERROR` when no compression method is provided in the ClientHello message. It returns `SSL_AD_ILLEGAL_PARAMETER` if the “null” compression method (0x00) is missing.

Additionally, refactored the related test code for enhanced readability and maintainability.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25255)
2024-08-29 19:16:38 +02:00
Richard Levitte
6696682774 Add ED25519 and ED448 support for EVP_PKEY_{sign,verify}_init_ex2()
In this mode, only the ph instances are supported, and must be set
explicitly through a parameter.  The caller is assumed to pass a
prehash to EVP_PKEY_{sign,verify}().

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24975)
2024-08-29 19:13:07 +02:00
Richard Levitte
1751334f59 Refactor OpenSSL 'EdDSA' EVP_SIGNATURE to allow use with EVP_PKEY functions
Add EVP_PKEY_{sign,verify}_message support for our Ed25519 and Ed448
implementations, including ph and ctx variants.

Tests are added with test_evp stanzas.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24975)
2024-08-29 19:13:06 +02:00
Zhiqing Xie
d20cf21b20 Fix compile err when building VC-CLANG-WIN64-CLANGASM-ARM target
The error happens with MSVC v143,C++ Clang Compiler for Windows(16.0.5)

Error is "brackets expression not supported on this target" in libcrypto-shlib-bsaes-armv8.obj.asm

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25293)
2024-08-29 15:38:57 +02:00
Jamie Cui
25bd0c77bf Fix decoder error on SM2 private key
Added sm2 testcases to endecode_test.c.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25266)
2024-08-29 15:28:27 +02:00
slontis
14c45338e9 EVP_MD_size() updates
For SHAKE algorithms we now return 0 from EVP_MD_size().
So all the places that check for < 0 needed to change to <= 0
(Otherwise the behaviour will be to digest nothing in most cases).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25285)
2024-08-29 10:29:53 +02:00
slontis
976dd3581a Update code to use EVP_MD_xof()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25285)
2024-08-29 10:29:53 +02:00
slontis
c48e56874c XOF / EVP_MD_size() changes.
Added the function EVP_MD_CTX_get_size_ex() which checks for XOF and
does a ctx get rather than just returning EVP_MD_size().
SHAKE did not have a get_ctx_params() so that had to be added to return the xoflen.

Added a helper function EVP_MD_xof()
EVP_MD_CTX_size() was just an aliased macro for EVP_MD_size(), so to
keep it the same I added an extra function.

EVP_MD_size() always returns 0 for SHAKE now, since it caches the value
of md_size at the time of an EVP_MD_fetch(). This is probably better
than returning the incorrect initial value it was before e.g (16 for
SHAKE128) and returning tht always instead of the set xoflen.

Note BLAKE2B uses "size" instead of "xoflen" to do a similar thing.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25285)
2024-08-29 10:29:53 +02:00
sashan
6dacee485f RSA decoder should check also sanity of p, q, e, d ... with respect to n
This issue has been discovered by osss-fuzzer [1]. The test function decodes
RSA key created by fuzzer and calls EVP_PKEY_pairwise_check() which
proceeds to ossl_bn_miller_rabin_is_prime() check which takes too long
exceeding timeout (45secs).

The idea is to fix OSSL_DECODER_from_data() code path so invalid
RSA keys will be refused.

[1] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=69134

Test case generated by the fuzzer is added.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25190)
2024-08-28 16:50:46 +02:00
slontis
f6a296c386 Cleanups for FIPS options..
The options in fipsprov.c are now generated using macros with fips_indicator_params.inc.
This should keep the naming consistent.

Some FIPS related headers have moved to providers/fips/include so that
they can use fips_indicator_params.inc.
securitycheck.h now includes fipsindicator.h, and fipsindicator.h includes
fipscommon.h.

fipsinstall.c uses OSSL_PROV_PARAM_ for the configurable FIPS options rather than
using OSSL_PROV_FIPS_PARAM_* as this was confusing as to which one should be used.
fips_names.h just uses aliases now for existing public names.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25162)
2024-08-28 14:46:16 +02:00
Richard Levitte
accd835f8d fix: for exporters to work for build config, there may be two include dirs
For CMake / pkg-config configuration files to be used for an uninstalled
build, the include directory in the build directory isn't enough, if that
one is separate from the source directory.  The include directory in the
source directory must be accounted for too.

This includes some lighter refactoring of util/mkinstallvars.pl, with the
result that almost all variables in builddata.pm and installdata.pm have
become arrays, even though unnecessarily for most of them; it was simpler
that way.  The CMake / pkg-config templates are adapted accordingly.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24918)
2024-08-27 17:20:12 +02:00
Richard Levitte
a82d9e572c fix: exporters/cmake/OpenSSLConfig.cmake.in to work for build config
This template file is made to make both:

1. OpenSSLConfig.cmake (CMake config used when building a CMake package
   against an uninstalled OpenSSL build)
2. exporters/OpenSSLConfig.cmake (CMake config that's to be installed
   alongside OpenSSL, and is used when building a CMake package against
   an OpenSSL installation).

Variant 1 was unfortunately getting the internal '_ossl_prefix' variable
wrong, which is due to how the perl snippet builds the command(s) to figure
out its value.  That needed some correction.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24918)
2024-08-27 17:20:12 +02:00
Jonathan M. Wilbur
0acb32052a test: issuedOnBehalfOf X.509v3 extension
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25241)
2024-08-27 16:48:57 +02:00
Jonathan M. Wilbur
254693280d feat: add support for issuedOnBehalfOf X.509v3 extension
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25241)
2024-08-27 16:48:57 +02:00
Richard Levitte
873f269697 fix coding style
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25000)
2024-08-27 13:56:28 +02:00
Richard Levitte
9524ca1bf4 doc: Document EVP_{TYPE}_CTX_get_algor etc
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25000)
2024-08-27 13:56:28 +02:00
Richard Levitte
033dcce2ba feat: Implement EVP_PKEY_CTX_{set,get}_algor_params() and EVP_PKEY_CTX_get_algor()
This should be sufficient to cover the intent with the following legacy ctrls:

- EVP_PKEY_CTRL_PKCS7_ENCRYPT (through EVP_ASYM_CIPHER implementations)
- EVP_PKEY_CTRL_PKCS7_DECRYPT (through EVP_ASYM_CIPHER implementations)
- EVP_PKEY_CTRL_PKCS7_SIGN (through EVP_SIGNATURE implementations)
- EVP_PKEY_CTRL_CMS_ENCRYPT (through EVP_ASYM_CIPHER implementations)
- EVP_PKEY_CTRL_CMS_DECRYPT (through EVP_ASYM_CIPHER implementations)
- EVP_PKEY_CTRL_CMS_SIGN (through EVP_SIGNATURE implementations)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25000)
2024-08-27 13:56:28 +02:00
Richard Levitte
258aaa97b8 feat: Implement EVP_CIPHER_CTX_{set,get}_algor_params() and EVP_CIPHER_CTX_get_algor()
EVP_CIPHER_CTX_set_algor_params() and EVP_CIPHER_CTX_set_algor_params() can
be used instead of EVP_CIPHER_asn1_to_param() and EVP_CIPHER_param_to_asn1().

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25000)
2024-08-27 13:56:28 +02:00
Richard Levitte
3b1ea04650 fix: in RC2 implementation, handle both old and new AID.params keys
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25000)
2024-08-27 13:56:28 +02:00
Richard Levitte
0941666728 Amend the design of AlgorithmIdentifier parameter passing
I realised that any application that passes AlgorithmIdentifier parameters
to and from a provider may also be interested in the full AlgorithmIdentifier
of the implementation invocation.

Likewise, any application that wants to get the full AlgorithmIdentifier
from an implementation invocation may also want to pass AlgorithmIdentifier
parameters to that same implementation invocation.

These amendments should be useful to cover all intended uses of the legacy
ctrls for PKCS7 and CMS:

- EVP_PKEY_CTRL_PKCS7_ENCRYPT
- EVP_PKEY_CTRL_PKCS7_DECRYPT
- EVP_PKEY_CTRL_PKCS7_SIGN
- EVP_PKEY_CTRL_CMS_ENCRYPT
- EVP_PKEY_CTRL_CMS_DECRYPT
- EVP_PKEY_CTRL_CMS_SIGN

It should also cover a number of other cases that were previously implemented
through EVP_PKEY_ASN1_METHOD, as well as all sorts of other cases where the
application has had to assemble a X509_ALGOR on their own.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25000)
2024-08-27 13:56:20 +02:00
cx
c07a34e18b Return SSL_AD_UNEXPECTED_MESSAGE alert when receiving any other change_cipher_spec value(RFC 8446)
Fixes: #25086

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25257)
2024-08-26 10:58:10 +01:00
Jonathan M. Wilbur
91432b9ea0 fix: alias auditEntity OID
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24754)
2024-08-26 10:38:44 +01:00
Jonathan M. Wilbur
dbd3d65d7c test: auditIdentity X.509v3 extension decoding and display
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24754)
2024-08-26 10:38:44 +01:00
Jonathan M. Wilbur
9216859f7b feat: support auditIdentity X.509v3 extension
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24754)
2024-08-26 10:38:44 +01:00
Jonathan M. Wilbur
bce3a8d57e fix: wrong name for OID -> auditIdentity
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24754)
2024-08-26 10:25:23 +01:00
slontis
8e7f39e883 Cleanups for FIPS indicator documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25195)
2024-08-26 08:28:44 +10:00
slontis
5139b51cea Add FIPS indicator documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25195)
2024-08-26 08:28:44 +10:00
slontis
c37e21763b Add FIPS indicators to X25519 and X448.
X25519 and X448 are unapproved in FIPS 140-3
So always trigger the indicator callback if these Keys are used,
and add "fips-indicator" getters that return 0.

This has been added to keygen and key exchange.
(KEM will also require it if ever becomes a FIPS algorithm).

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25246)
2024-08-25 10:50:05 +10:00