provider_util.c failed to free ENGINE references when clearing a cipher
or a digest. Additionally ciphers and digests were not copied correctly,
which would lead to double-frees if it were not for the previously
mentioned leaks.
Fixes#16845
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16846)
Otherwise commands like openssl req -newkey sm2 fail silently without
reporting any error unless -sm3 option is added.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16833)
The GCM mode of the SM4 algorithm is specifieded by RFC8998.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16491)
This is adding robustness to the code. The fix to not mis-set the pointer
is in #16636.
Fixes#16631
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16640)
Since EncryptedPrivateKeyInfo is a recognised structure, it's
reasonable to think that someone might want to specify it.
To be noted is that if someone specifies the structure PrivateKeyInfo
but has also passed a passphrase callback, the result will still
become a EncryptedPrivateKeyInfo structure.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
When the user expects to load a certificate or a CRL through the
OSSL_STORE loading function, the 'file:' implementation sets the
corresponding structure names in the internal decoder context.
This is especially geared for PEM files, which often contain a mix of
objects, and password prompting should be avoided for objects that
need them, but aren't what the caller is looking for.
Fixes#16224
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
The data structure wasn't given for recognised certificates or CRLs.
It's better, though, to specify it for those objects as well, so they
can be used to filter what actually gets decoded, which will be
helpful for our OSSL_STORE 'file:' scheme implementation.
Fixes#16224
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
The x86_64 cross compiler says that 'unsigned long long' isn't the
same as 'unsigned __int64'. Sure, and considering that
providers/implementations/rands/seeding/rand_vms.c is specific VMS
only code, it's easy to just change the type to the exact same as
what's specified in the system headers.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16497)
(cherry picked from commit 1ef526ef42)
Fixes#16457
The ECDSA and DSA signature tests use Pairwise tests instead of KATS.
Note there is a seperate type used by the keygen for conditional Pairwise Tests.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16461)
The AES wrap cipher was return -1 on error from the provider rather than 0.
This is fixed.
There was a problem with the error handling in AES wrap which fell back to a
default "final error". This adds a fix for the error and more specific errors
for the different failure possibilities.
Fixes#16387
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16391)
Previously the length of the SM2 plaintext could be incorrectly calculated.
The plaintext length was calculated by taking the ciphertext length and
taking off an "overhead" value.
The overhead value was assumed to have a "fixed" element of 10 bytes.
This is incorrect since in some circumstances it can be more than 10 bytes.
Additionally the overhead included the length of two integers C1x and C1y,
which were assumed to be the same length as the field size (32 bytes for
the SM2 curve). However in some cases these integers can have an additional
padding byte when the msb is set, to disambiguate them from negative
integers. Additionally the integers can also be less than 32 bytes in
length in some cases.
If the calculated overhead is incorrect and larger than the actual value
this can result in the calculated plaintext length being too small.
Applications are likely to allocate buffer sizes based on this and therefore
a buffer overrun can occur.
CVE-2021-3711
Issue reported by John Ouyang.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Adding KRB5 test vector 'NextIV' values to evp_test data for AES CTS indicated that the CTS decrypt functions incorrectly returned the wrong IV. The returned IV should match the value returned by the encrypt methods.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16286)
The include is added before <CommonCrypto/CommonRandom.h>,
as required by older releases of the macOS developer tools.
Fixes#16248
CLA: trivial
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16258)
encode_key2text.c(689): error C4703: potentially uninitialized local pointer variable 'modulus_label' used
encode_key2text.c(691): error C4703: potentially uninitialized local pointer variable 'exponent_label' used
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12845)
The power up known answer test for the TLS 1.3 KDF does just the first step
to derive the "client_early_traffic_secret" using the two modes of the KDF.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16203)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16203)
This function needs to be power up tested as part of the FIPS validation and
thus it needs to be inside the provider boundary. This is realised by
introducing a new KDF "TLS13-KDF" which does the required massaging of
parameters but is otherwise functionally equivalent to HKDF.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16203)
Ensure we free the OSSL_LIB_CTX on the error path.
Fixes#16163
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16168)
Word from the lab is:
The use of the derivation function is optional if either an approved
RBG or an entropy source provides full entropy output when entropy
input is requested by the DRBG mechanism. Otherwise, the derivation
function shall be used.
So our disallowing it's use was more than required.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16096)
The flag_allow_md prevents setting a digest in params however
this is unnecessarily strict. If the digest is the same as the
one already set, we do not return an error.
Fixes#16071
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16076)
Fix memory leak if legacy test is skipped.
Using EVP_KDF_CTX_get_params() to get OSSL_KDF_PARAM_SIZE will now
return 0 if the returned size is 0.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15977)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15974)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15974)
The 'file:' store loader only understood DER natively. With all the
whatever to key decoders gone, direct support for other binary file
formats are gone, and we need to recreate them for this store loader.
With these changes, it now also understands MSBLOB and PVK files.
As a consequence, any store loader that handles some form of open file
data (such as a PEM object) can now simply pass that data back via
OSSL_FUNC_store_load()'s object callback. As long as libcrypto has
access to a decoder that can understand the data, the appropriate
OpenSSL object will be generated for it, even if the store loader sits
in a different provider than any decoder or keymgmt.
For example, an LDAP store loader, which typically finds diverse PEM
formatted blobs in the database, can simply pass those back via the
object callback, and let libcrypto do the rest of the work.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15981)
This makes the 'file:' store loader only read the file, and only decode
down to a base level binary format, and simply pass that blob of data
back to the OSSL_FUNC_store_load() object callback.
This offloads the decoding into specific OpenSSL types to libcrypto,
which takes away the issue of origins, which provider is it that holds
the key (or other future types of objects).
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15981)
When decoding a key and asking the keymgmt to import the key data, it
was told that the key data includes everything. This may not be true,
since the user may have specified a different selection, and some
keymgmts may want to be informed.
Our key decoders' export function, on the other hand, didn't care
either, and simply export anything they could, regardless.
In both cases, the selection that was specified by the user is now
passed all the way.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15934)
This is to avoid creating confusion where other PEM decoder
implementations may know better what PEM names that are unknown to us
actually mean.
Fixes#15929
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15930)
This is a request from the lab that changes the AES_GCM test back to perform both a encrypt and
decrypt. (This makes no logical sense since this is not an inverse cipher).
I have left the AES_ECB decrypt test in (although it may not be needed)
since it is actually testing the inverse cipher case.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15844)
Fixes#15804
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15807)
They're impossible to use in a FIPS environment, so they shouldn't be flagged
as compatible.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15782)
Previously all the SubjectPublicKeyInfo decoders were specific to a key
type. We would iterate over all them until a match was found for the correct
key type. Each one would fully decode the key before then testing whether
it was a match or not - throwing it away if not. This was very inefficient.
Instead we introduce a generic SubjectPublicKeyInfo decoder which figures
out what type of key is contained within it, before subsequently passing on
the data to a key type specific SubjectPublicKeyInfo decoder.
Fixes#15646
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15662)
This has us switch from the 'structure' "pkcs8" to "PrivateKeyInfo",
which is sensible considering we already have "SubjectPublicKeyInfo".
We also add "EncryptedPrivateKeyInfo", and use it for a special decoder
that detects and decrypts an EncryptedPrivateKeyInfo structured DER
blob into a PrivateKeyInfo structured DER blob and passes that on to
the next decoder implementation.
The result of this change is that PKCS#8 decryption should only happen
once per decoding instead of once for every expected key type.
Furthermore, this new decoder implementation sets the data type to the
OID of the algorithmIdentifier field, thus reducing how many decoder
implementations are tentativaly run further down the call chain.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15498)
Allocate at least one byte to distinguish a zero length key
from an unset key.
Fixes#15632
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15643)
Systems such as Tru64 ship with broken headers that
have _POSIX_TIMERS defined but empty.
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15598)
The entry point needs the option 'binitfini', but it was not being
added since the perl code to detect the match did not work.
The entry point for AIX is no longer static - so a wrapper has been
added to call the static version.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15636)
Fixes#15531
DES and TDES set this flag which could possibly be used by applications.
The gettable cipher param OSSL_CIPHER_PARAM_HAS_RAND_KEY has been added.
Note that EVP_CIPHER_CTX_rand_key() uses this flag.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15606)
Fixes#15548
Document OSSL_PKEY_PARAM_EC_PUB_X, OSSL_PKEY_PARAM_EC_PUB_Y and OSSL_PKEY_PARAM_DEFAULT_DIGEST
Added a section related to parameters for SM2.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15601)
Various different initialization sequences led to bugs on s390x due to caching
and processing during key setting. Since, e.g., the direction does not
necessarily have to be correct during initialization, this produced bugs in
s390x which were not present on other architectures. Fix this by recomputing
the function codes on the fly during updates and final operations.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15521)
They aren't needed at all any more, since the properties contain the
same information.
This also drops the parameter names OSSL_ENCODER_PARAM_OUTPUT_TYPE
and OSSL_ENCODER_PARAM_OUTPUT_STRUCTURE
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)
This was a poor substitute for using the name of the decoder implementation,
and since there is functionality to get the latter now, this parameter
can be dropped.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)
They aren't needed at all any more, since the properties contain the
same information.
This also drops the parameter names OSSL_DECODER_PARAM_INPUT_TYPE
and OSSL_DECODER_PARAM_INPUT_STRUCTURE.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)
This nicely reduces the number of files considered as fips
provider sources.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15609)
Fixes#15552
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15566)
For functions that exist in 1.1.1 provide a simple aliases via #define.
Fixes#15236
Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14587)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14587)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14587)
The code to handle the cipher operation was already in the provider.
It just needed a OSSL_PARAM in order to set this into the algorithm.
EVP_CIPHER_CTX_set_flags() has been modified to pass the OSSL_PARAM.
Issue reported by Mark Powers from Acumen.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15496)
We have this in all other .in files, so these should have that as well.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15524)
Currently we explicitly downgrade an EVP_PKEY to an EC_KEY and ask
the EC_KEY directly whether it was decoded from explicit parameters or not.
Instead we teach EVP_PKEYs to respond to a new parameter for this purpose.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15526)
They need to be set once the provider will definitely be loading. If they
are set earlier, a double free results on a failure.
Fixes#15452
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15492)
Only field multiplication and squaring (but not reduction) show a
significant improvement. This is enabled on Power ISA >= 3.0.
On a Power 9 CPU an average 10% performance improvement is seen (ECHDE:
14%, ECDSA sign: 6%, ECDSA verify 10%), compared to existing code.
On an upcoming Power 10 CPU we see an average performance improvement
of 26% (ECHDE: 38%, ECDSA sign: 16%, ECDSA verify 25%), compared to
existing code.
Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15401)
First of all, we have concluded that we can calculate the integrity
checksum with a simple perl script.
Second, having the production of providers/fipsmodule.cnf as a
dependency for run_tests wasn't quite right. What we really want is
to generate it as soon as a new providers/fips.so is produced. That
required a small bit of fiddling with how diverse dependencies are
made.
Fixes#15166
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)
The new names are ossl_err_load_xxx_strings.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15446)
Also add a C++ constructor as per note 7 of IG 9.10 if no DEP is available and
C++ is being used.
Fixes#15322
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15324)
provider/fips/fipsprov.c contains a number of symbols that get used by
anything that's included in libfips.a, at least on Unix.
Unfortunately, there are platforms that do not support resolving
symbols to things that are already included in the end product (module
in this case) being built; they only support resolving symbols with
what comes next in the linking process.
The offending symbols in this case are FIPS_security_check_enabled,
c_thread_start and ossl_fips_intern_provider_init.
We resolve this by placing provider/fips/fipsprov.c in libfips.a along
with everything else there. That takes care of the offending symbols.
What remains is to ensure that there is an entry point in an object
file used directly when linking the module, providers/fips/fips_entry.c
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15370)
Every inclusion directory related to a library we build need these two
files. That signals to any other module using anything from these
libraries what to expect in terms of case sensitivity as well as how
long symbol names are dealt with.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15341)
Using OSSL_STORE is too heavy and breaks things.
There were also needed various fixes mainly for missing proper
handling of the SM2 keys in the OSSL_DECODER.
Fixes#14788
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15045)
An extra field got added to the ffc flags related to FIPS-186-2 key validation, but this field was
not handled by the export/import since the flags were done as string combinations.
To keep this consistent with other object flags they are now passed as seperate OSSL_PARAM fields.
Fixes 'no-cached-fetch' build which uses export/import.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15210)
Remove a TODO that is no longer relevant and
drop some more non-fips sources from the fips checksums.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15191)
Where an object has multiple ex_data associated with it, then we free that
ex_data in order of priority (high priority first).
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)
Add EVP_PKEY_gen(), EVP_PKEY_Q_gen(), EVP_RSA_gen(), and EVP_EC_gen().
Also export auxiliary function OSSL_EC_curve_nid2name()
and improve deprecation info on RSA and EC key generation/management functions.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14695)
This commit sets the error mark before calling d2i_X509_SIG
and clear it if that function call is successful.
The motivation for this is that if d2i_X509_SIG returns NULL then the
else clause will be entered and d2i_PKCS8_PRIV_KEY_INFO will be
called. If d2i_X509_SIG raised any errors those error will be on the
error stack when d2i_PKCS8_PRIV_KEY_INFO gets called, and even if it
returns successfully those errors will still be on the error stack.
We ran into this issue when upgrading Node.js to 3.0.0-alpha15.
More details can be found in the ref links below.
Refs: https://github.com/nodejs/node/issues/38373
Refs: https://github.com/danbev/learning-libcrypto/blob/master/notes/wrong-tag-issue2.md
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/15067)
Also add hints to SHA256_Init.pod and CHANGES.md how to replace SHA256() etc.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14741)
This helps compensating for deprecated functions such as HMAC()
and reduces clutter in the crypto lib, apps, and tests.
Also fixes memory leaks in generate_cookie_callback() of apps/lib/s_cb.c.
and replaces 'B<...>' by 'I<...>' where appropriate in HMAC.pod
Partially fixes#14628.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14664)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15167)
Overall improvement for p384 of ~18% on Power 9, compared to existing
Power assembling code. See comment in code for more details.
Multiple unrolled versions could be generated for values other than
6. However, for TLS 1.3 the only other ECC algorithms that might use
Montgomery Multiplication are p256 and p521, but these have custom
algorithms that don't use Montgomery Multiplication. Non-ECC
algorithms are likely to use larger key lengths that won't fit into
the n <= 10 length limitation of this code.
Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>
Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15175)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15130)
libimplementations.a was a nice idea, but had a few flaws:
1. The idea to have common code in libimplementations.a and FIPS
sensitive helper functions in libfips.a / libnonfips.a didn't
catch on, and we saw full implementation ending up in them instead
and not appearing in libimplementations.a at all.
2. Because more or less ALL algorithm implementations were included
in libimplementations.a (the idea being that the appropriate
objects from it would be selected automatically by the linker when
building the shared libraries), it's very hard to find only the
implementation source that should go into the FIPS module, with
the result that the FIPS checksum mechanism include source files
that it shouldn't
To mitigate, we drop libimplementations.a, but retain the idea of
collecting implementations in static libraries. With that, we not
have:
libfips.a
Includes all implementations that should become part of the FIPS
provider.
liblegacy.a
Includes all implementations that should become part of the legacy
provider.
libdefault.a
Includes all implementations that should become part of the
default and base providers.
With this, libnonfips.a becomes irrelevant and is dropped.
libcommon.a is retained to include common provider code that can be
used uniformly by all providers.
Fixes#15157
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15171)
It was discovered that eddsa.c exist in two places, here and in
crypto/ec/curve448/, which would result in a file name clash if they
ever end up in the same library.
To mitigate, we rename the copy in providers/implementations/signatures
to have '_sig' in the file name, and do the same with all other source
files in this directory, for consistency.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15171)
Add OSSL_STORE_PARAM_INPUT_TYPE and make it possible to be
set when OSSL_STORE_open_ex() or OSSL_STORE_attach() is called.
The input type format is enforced only in case the file
type file store is used.
By default we use FORMAT_UNDEF meaning the input type
is not enforced.
Fixes#14569
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15100)
Setting an output length higher than 8191 was causing a buffer overflow.
This was reported by Acumen (FIPS lab).
The max output size has increased to ~2M and it now checks this during set_parameters.
The encoder related functions now pass in the maximum size of the output buffer so they
can correctly check their size. kmac_bytepad_encode_key() calls bytepad twice in
order to calculate and check the length before encoding.
Note that right_encode() is currently only used in one place but this
may change if other algorithms are supported (such as TupleHash).
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15106)
This adds the following scripts:
util/lang-compress.pl:
Compress source code, which language is determined by the first argument.
For the moment, we know 'perl' (perlasm source code), 'C' (C source code)
and 'S' (Assembler with C preprocessor directives).
This removes comments and empty lines, and compresses series of horizontal
spaces to one single space in the languages where that's appropriate.
util/fips-checksums.sh:
Takes source file names as arguments, pushes them through
util/lang-compress.pl and unifdef with FIPS_MODE defined, and calculates
the checksum on the result.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8871)
In the provider file: scheme loader implementation, the OSSL_DECODER_CTX
was set up with all sorts of implementations, even if the caller has
declared a limited expectation on what should be loaded, which means
that even though a certificate is expected, all the diverse decoders
to produce an EVP_PKEY are added to the decoding change.
This optimization looks more closely at the expected type, and only
adds the EVP_PKEY related decoder implementations to the chain if
there is no expectation, or if the expectation is one of
OSSL_STORE_INFO_PARAMS, OSSL_STORE_INFO_PUBKEY, OSSL_STORE_INFO_PKEY.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15066)
Fixes#15056
The dependency for fipsinstall was being added to the makefile regardless of
it being used. This means that a subsequent `make test` would fail if the
command line application wasn't present. Rather than fix the instance in question,
it is better to leave out this part of the makefile if the tests cannot be
run.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15057)
Fix dh_rfc5114 option in genpkey.
Fixes#14145Fixes#13956Fixes#13952Fixes#13871Fixes#14054Fixes#14444
Updated documentation for app to indicate what options are available for
DH and DHX keys.
DH and DHX now have different keymanager gen_set_params() methods.
Added CHANGES entry to indicate the breaking change.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14883)
We do here like in all other decoder implementations, drop all errors
that were caused by a failing asn1_d2i_read_bio(), as it's most likely
to mean that the input isn't DER, and another decoder implementation,
if there is any left, should have a go.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15008)
This includes the special decoder used in our STOREMGMT 'file:' implementation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14834)
The OIDs were extracted with the help of libcrypto's ASN1 OID database.
While doing this, we move all the names strings to macro definitions,
to avoid duplication and conflicting names declarations. Those macros
are all in providers/implementations/include/prov/names.h
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14498)
Change:
EVP_RAND_gettable_ctx_params -> EVP_RAND_CTX_gettable_params
EVP_RAND_settable_ctx_params -> EVP_RAND_CTX_settable_params
Which brings them in line with the other similar functions for other algorithm
types.
Fixes#14880
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14893)
When we store references to up-calls for future reference we run a sanity
check to make sure we either previously haven't set these values or they
are the same as last time. We don't support the scenario where an
application is linked against multiple versions of libcrypto but using a
shared fips.so file. This would result in different up-calls for different
calls to OSSL_provider_init(), which we currently can't handle.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14814)
We had some FIPS global variables that were based on values from the
config file. In theory if two instances of the fips module are loaded
they could be based on different config files which would cause this to
fail. Instead we store them in the FIPS_GLOBAL structure.
Fixes#14364
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14814)
To avoid mutating key data add OSSL_FUNC_KEYMGMT_DUP function
to the provider API and implement it for all asym-key key
managements.
Use it when copying everything to an empty EVP_PKEY
which is the case with EVP_PKEY_dup().
Fixes#14658
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14793)
Fixes#14808
Validation checks were moved into EVP_PKEY_derive_set_peer() which broke
an external negative test. Originally the old code was semi working by checking the peers public key was in the range of other parties p. It was not actually ever
checking that the domain parameters were consistent between the 2
parties. It now checks the parameters match as well as validating the
peers public key.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14823)
Fixes#14807
Compliance with IG 9.4 requires that an inverse cipher function be
tested if one is implemented. Just running AES_GCM encrypt/decrypt does not meet this
requirement (Since only ECB, CBC, XTS, KW, KWP support the inverse
function during decryption mode).
Added a mode to the cipher test so that the AES_GCM only does an encrypt
and AES_ECB only does a decrypt. TDES still does both.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14825)
This is necessary to keep compatibility with 1.1.1 implementation
of the CBC, OFB, and CFB mode ciphers.
Fixes#14704
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14811)
Previously there was an off by two error allowing a stack buffer overrun.
Avoided this by allocating a correct sized buffer on the stack. A side effect
is that the maximum size of the customisation string can be increased.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14810)
As ossl_cipher_generic dosen't support to set key length, and
"openssl speed aes-(128|192|256)-cbc" tests fail. A small fix by
adding OSSL_CIPHER_PARAM_KEYLEN params.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14777)
Improve the ossl_rsa_check_key() to prevent non-signature
operations with PSS keys.
Do not invoke the EVP_PKEY controls for CMS and PKCS#7 anymore
as they are not needed anymore and deprecate them.
Fixes#14276
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14760)
With new provided algorithms added, we'd rather rely on the names and
descriptions that we get from the providers.
Specifically with the 'openssl list' command, we now display the
description of all algorithms. For '-public-key-algorithms', we
additionally print key type information a bit more like we do for
legacy methods.
We also add descriptions to all our keymgmt functions, because the
built in EVP_PKEY_ASN1_METHODs had them.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14656)
This corresponds to the |info| field in EVP_PKEY_ASN1_METHOD, as well
as the generic use of OBJ_nid2ln() as a one line description.
We also add the base functionality to make use of this field.
Fixes#14514
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14656)
The parameter makes the dsa key encoder to skip saving the DSA
key parameters similarly to what the legacy dsa key encoder did.
Fixes#14362
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14746)
We've encountered some scenarios that need to use more than 1 kB of
data as the HKDF-Expand() "info" argument (which, per RFC 5869,
contains "optional context and application specific information").
Since HKDF_MAXBUF is used to size an array in the HKDF_PKEY_CTX
structure, this adds 1 kB of memory footprint to each EVP_PKEY_CTX
used for HKDF.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14649)
In 1.1.1 the ctrl EVP_PKEY_CTRL_RSA_KEYGEN_BITS would fail immediately
if the number of bits was too small. In 3.0 it always succeeds, and only
fails later during the key generation stage.
We fix that so that it fails early like it used to in 1.1.1.
Note that in 1.1.1 it fails with a -2 return code. That is not the case
in 3.0 and has not been addressed here (see #14442)
Fixes#14443
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14702)
Fixes#14481
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14684)
The legacy implementation would print the ASN.1 value of the trailerfield,
except when it wasn't set (i.e. is default).
For better consistency, we now always print the ASN.1 value, both in the
legacy and the provided implementation.
Fixes#14363
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14676)
If -out is not specified, send output to stdout.
Fix documentation errors.
Remove "-out -" from an invocation.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14623)
To make this cleaner, decoder_ms2key.c is split into decoder_msblob2key.c
and decoder_pvk2key.c.
This required a great deal of refactoring of crypto/pem/pvkfmt.c, to
make cleaner internal functions that our decoder implementations can
use.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
This required refactoring a number of functions from the diverse
EVP_PKEY_ASN1_METHOD implementations to become shared backend
functions. It also meant modifying a few of them to return pointers
to our internal RSA / DSA/ DH / EC_KEY, ... structures instead of
manipulating an EVP_PKEY pointer directly, letting the caller do the
latter.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
The OSSL_FUNC_KEYMGMT_LOAD function for both plain RSA and RSA-PSS
keys now also check that the key to be loaded is the correct type,
and refuse to load it if it's not.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
This makes it possible to use d2i_<TYPE>_PUBKEY instead of the generic
d2i_PUBKEY()
This required adding a number of new d2i_<TYPE>_PUBKEY functions.
These are all kept internal.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
The decoding of DER into keys with keytype specific routines depended
entirely on the absence of the generic algo specific C type from
EVP_PKEYs. That is not necessary, and may even prove to be a bit of a
disadvantage, depending on what libcrypto has to offer in terms of
type specific d2i functionality for different kinds of input
structures.
To remedy, we try with all available type specific functions first,
and only turn to the general d2i functions (those that return an
EVP_PKEY) as a last resort.
Furthermore, there are cases where the decoder might not get the key
type it expected. This may happen when certain key types that share
the same OpenSSL structure may be mixed up somehow. The known cases
are EC vs SM2 and RSA vs RSA-PSS.
To remedy, we add the possibility to specify a checking function that
can check if the key that was decoded meets decoder expectations.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
This requires changing semantics of the keymgmt_has()
function a little in the sense that it now returns 1
if the selection has no meaning for the key type. It
was already doing so for ECX keys for example.
The keymgmt_validate function semantics is changed
similarly to allow passing validation on the same
selection that the key returns 1 for.
Fixes#14509
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14511)
All 3 files that included crypto/siphash.h also included siphash_local.h,
and no other files included siphash_local.h independently. They probably
should be just one header file.
Fixes#14360
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14558)
RSA keys have no parameters and pass EVP_PKEY_param_check(). Previously,
ECX keys had no parammeters and failed EVP_PKEY_param_check(). We should
be consistent. It makes more sense to always pass, and therefore this
commit implements that behaviour.
Fixes#14482
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)
Fixes#14480
An internal flag that is set during param gen was not being tested, so
the wrong type was used to select the dsa domain param validation method.
In the default provider - if no gen_type is set then by default the fips186_4 gentype
will be selected when pbits >=2048 otherwise it selects fips186_2.
The fips provider ignores the gen_type and always uses fips186_4.
Before this change dsa used fips186_2 by default in the default
provider.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14508)
Some functions that lock things are void, so we just return early.
Also make ossl_namemap_empty return 0 on error. Updated the docs, and added
some code to ossl_namemap_stored() to handle the failure, and updated the
tests to allow for failure.
Fixes: #14230
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14238)
It is not needed anymore and it causes leaks because
it is called when the FIPS provider libctx is not yet
properly set up.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14497)
This is in gmac_final(), where the cipher is known to be fetched.
It's more suitable to use OSSL_PARAMs than _ctrl functions, as the
latter are expected to become obsolete.
Fixes#14359
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14484)
Providers (particularly the FIPS provider) needs access to BIOs from libcrypto.
Libcrypto is allowed to change the internal format of the BIO structure and it
is still expected to work with providers that were already built. This means
that the libcrypto BIO must be distinct from and not castable to the provider
side OSSL_CORE_BIO.
Unfortunately, this requirement was broken in both directions. This fixes
things by forcing the two to be different and any casts break loudly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14419)
Fixes#13185Fixes#13352
Removed the existing code in file_store that was trying to figure out the
input type.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14407)
providers/fipsmodule.cnf is generated using 'openssl fipsinstall' with
the openssl program in the build directory.
Fixes#14315
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14320)
The FIPS provider no longer has seeding sources inside the boundary, the
related conditional code can therefore be removed.
Fixes#14358
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14382)
This allows making the signature operations return different
settable params when the context is initialized with
EVP_DigestSign/VerifyInit.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14338)
Those TODOs do not really apply to 3.0 as the legacy internal
keys will stay.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14367)
Added some error reporting in dh_exch.c and unified error reporting
with it in other key exchange methods.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14367)
Those TODOs are not relevant anymore as the headers
are now in providers.
Also make the header guard defines better reflect the
header placement.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14367)
The DER writing errors can be ignored safely.
Document that the EVP_MAX_MD_SIZE is a hardcoded limit
for digest sizes.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14367)
