This applies to the base, default and FIPS providers, could be added in
principle also to the legacy provider, but there's no compelling reason
to do that at the moment.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26530)
Use mac_gen_cleanup() instead of just freeing the gctx.
Fixes Coverity 1638702
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/26500)
Otherwise doublefree happens with further usage.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/26488)
It took a parameter 'evp_type', which isn't used. The comment describing
it mentions a future refactoring, but it appears that this has already
happened.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26360)
Currently direct call to ossl_ec_check_security_strength is used,
instead of ossl_fips_ind_ec_key_check() like in all other places.
Make keymgmt do the same check as ecdh_exch and ecdsa_sig do.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25748)
At the moment the provider context is only available to
encoders that encrypt, but it is useful more generally.
A similar change has already been merged to "master" on the
decoder side, this is the mirror change for encoders. The
only significant difference is that PEM_ASN1_write_bio needed
to be "extended" (cloned) to allow it to pass the provider context
down to the `k2d` function it uses to encode the data.
I had to "hold my nose" and live with the random "20" added to the data
size in order to accomodate encryption with padding, which may produce
one more cipher block than the input length. This really should ask
the EVP layer about the block length of the cipher, and allocate the
right amount. This should be a separate fix for both the old
PEM_ASN1_write_bio() and the new PEM_ASN1_write_bio_ctx().
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/26475)
Parent DRBG can be seed source (os or jitter) and thus able to provide
unlimited entropy.
get_entropy is documented to provide at least the request amount of
entropy. If requested amount of entropy is same as, or less than
drbg->strength, everything is compliant. However, if requested entropy
is more than drbg->strength (unlikely, but possible), the returned
amount of entropy will be insufficient and additional repeated calls
to get_entropy will be required.
Reading history of refactors, it seems to me that this function call
previouslly had assumptions and usecases that couldn't ever request or
require more than strength amount of entropy.
If entropy is set, request that amount, otherwise request
drbg->strength amount.
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25850)
Simplify some decoder/encoder internals to facilitate upcoming support
for ML-KEM and ML-DSA.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26355)
This makes `ikmlen` have a length of at least `Nsk`.
Closes#26213
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26254)
Fixes Coverity 1636676
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26154)
It will be just xor-ed over the existing entropy
in the pool.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26128)
By adding the additional input directly to the pool
we were using just the additional input.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26112)
FreeBSD has supported both getrandom(2) and getentropy(3) since 12.0.
The last version which did *not* have these went EoL in September 2021.
Use getrandom(2) unconditionally and fallback to sysctl kern.arandom if
we do happen to have a FreeBSD that old.
This is generally a necessary step for FreeBSD's _FORTIFY_SOURCE
implementation, which needs to do some symbol renaming tricks with the
getentropy declaration that would otherwise add some platform-specific
hacks here to accommodate. getentropy(3) uses getrandom(2) internally
on FreeBSD, so we just cut out the middleman.
While we're here, it doesn't seem to make sense to ever prefer the
sysctl on FreeBSD or NetBSD. For both platforms, it's limited to 256
bytes in a single request while getrandom(2) will generally use the same
backend but service the entire request in one shot, even for larger
amounts of entropy, modulo the EINTR possibility that presents itself
with larger requests.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24903)
Free the stack return value `dsa` on each early exit.
Fixes#25905
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25948)
With fips-jitter build time option, jitter can be inside FIPS
boundary.
Calls to jent_read_entropy() can return permanent failures for
Repetitive Count Test (RTC), Adaptive Proportion Test (APT), LAG
prediction test.
Ensure the module enters error state upon permanent jitter failures.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25957)
When ecx_gen_set_params() returns 0, it could have duplicated the memory
for the parameter OSSL_KDF_PARAM_PROPERTIES already in gctx->propq,
leading to a memory leak.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26015)
FIPS 140-2 IG D.9 has become FIPS 140-3 D.G (see "Mapping FIPS 140-2
IGs to FIPS 140-3" in the FIPS 140-3 IG).
The requirements w.r.t. RSA KATs have now been relaxed, meaning that
existing full-message RSA signature verification (which is performed
separately) is sufficient to meet KAT requirements for all RSA
usecases (KEM/Encrypt/Decrypt/Sign/Verify).
Dropping this KAT is very useful, because it is large/expensive on
module startup, but also because it enables in the future to block RSA
Encrypt/Decrypt operations with paddings other than OAEP, which are
legacy or deprecated by either current or draft algorithm transition
SP.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25988)
At least this is done on module startup only.
To satisfy ISO/IEC 19790:2012/Cor.1:2015(E) Section 7.5 [05.10]
requirement.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25945)
1. Add OSSL_FUNC_digest_copyctx_fn function for EVP_MD, which is used to copy algctx from the old EVP_MD_CTX to the new one.
2. Add implementation of OSSL_FUNC_digest_copyctx_fn function for default providers.
3. Modify EVP_MD_CTX_copy_ex: When the fetched digest is the same in in and out contexts, use the copy function to copy the members in EVP_MD_CTX if the OSSL_FUNC_digest_copyctx_fn function exists. Otherwise, use the previous method to copy.
4. Add documentation for OSSL_FUNC_digest_copyctx function in doc/man7/provider-digest.pod.
5. Add testcase.
Fixes#25703
Signed-off-by: wangcheng <bangwangnj@163.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25726)
FIPS provider correctly supports no-des build time option and doesn't
advertise DES related algorithms. However KAT test for DES is still
attempted to be executed and fails.
This prevents configuring FIPS provider without legacy behaviour as
defined in SP 800-131Arev2. Also see #25761 internal docs.
Fix `enable-fips no-des` build option, and add a daily checker for
"legacy-free" (as much as currently feasible) FIPS configuration.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25762)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25640)
fix https://github.com/openssl/openssl/issues/25112
As defined in the C standard:
In all cases the argument is an int, the value of which shall
be representable as an unsigned char or shall equal the value
of the macro EOF. If the argument has any other value, the
behavior is undefined.
This is because they're designed to work with the int values returned
by getc or fgetc; they need extra work to handle a char value.
If EOF is -1 (as it almost always is), with 8-bit bytes, the allowed
inputs to the ctype.h functions are:
{-1, 0, 1, 2, 3, ..., 255}.
However, on platforms where char is signed, such as x86 with the
usual ABI, code like
char *p = ...;
... isspace(*p) ...
may pass in values in the range:
{-128, -127, -126, ..., -2, -1, 0, 1, ..., 127}.
This has two problems:
1. Inputs in the set {-128, -127, -126, ..., -2} are forbidden.
2. The non-EOF byte 0xff is conflated with the value EOF = -1, so
even though the input is not forbidden, it may give the wrong
answer.
Casting char inputs to unsigned char first works around this, by
mapping the (non-EOF character) range {-128, -127, ..., -1} to {128,
129, ..., 255}, leaving no collisions with EOF. So the above
fragment needs to be:
char *p = ...;
... isspace((unsigned char)*p) ...
This patch inserts unsigned char casts where necessary. Most of the
cases I changed, I compile-tested using -Wchar-subscripts -Werror on
NetBSD, which defines the ctype.h functions as macros so that they
trigger the warning when the argument has type char. The exceptions
are under #ifdef __VMS or #ifdef _WIN32. I left alone calls where
the input is int where the cast would obviously be wrong; and I left
alone calls where the input is already unsigned char so the cast is
unnecessary.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25113)
Changed all provider implementations that have a set_ctx_params()
to call this function instead of just testing (params == NULL).This
detects the case wherean OSSL_PARAM array contains just a terminator
entry.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25499)
Document the fact that we now require unwrappedlen/wrappedlen to be set
to the size of the unwrapped/wrapped buffers
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25522)
Outlen was never validated in this function prior to use, nor is it set
to the decrypted value on sucess. Add both of those operations
Fixes#25509
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25522)
Signed-off-by: lan1120 <lanming@huawei.com>
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23094)
This keeps the code consistent with the changes done for other
algorithms that support sigalg_set_ctx_params().
set_ctx_params() should always return 1 if the parameter is unknown.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25570)
Self tests no longer use the EVP_DigestSign/Verify API's.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25570)
After rudimentary analysis, it appears the below functions can
potentially produce output, whilst the provider is in error state.
These functions were detected using this method:
```
CFLAGS='-save-temps' ./Configure enable-fips --debug
make -j10
find . -name '*.i' | xargs git add -f
git grep --cached -p ossl_prov_is_running | grep libfips-lib > ossl_prov_is_running.txt
git grep --cached -p 'return' | grep libfips-lib > return.txt
grep '\.i=' return.txt > func-with_return.txt
grep '\.i=' ossl_prov_is_running.txt > func-with-ossl_prov_is_running.txt
grep --fixed-strings --line-regexp --file=func-with-ossl_prov_is_running.txt return.txt > func-without-ossl_prov_is_running.txt
grep -e newctx -e initctx -e dupctx func-without-ossl_prov_is_running.txt | grep -v ossl_prov_is_running
```
And from there doing manual inspection, as the list was short at that
point.
As in compile with keeping pre-processed source code; and use `git
grep --cached -p` to find these preprocessed files, and scan for calls
to return or opssl_prov_is_running, with function name printed. And
then exclude one from the other, to hopefully get a list of all the
functions that do not check for ossl_prov_is_running.
As number of functions without "func-without-ossl_prov_is_running"
check is large, I do wonder which other functions are "interesting" to
check for. I think I'm not scanning for _update functions
correctly. Any tips on improving above analysis will help with
maintaining such checks going forward.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25580)
In this function the salt can be either a zero buffer of exactly mdlen
length, or an arbitrary salt of prevsecretlen length.
Although in practice OpenSSL will always pass in a salt of mdlen size
bytes in the current TLS 1.3 code, the openssl kdf command can pass in
arbitrary values (I did it for testing), and a future change in the
higher layer code could also result in unmatched lengths.
If prevsecretlen is > mdlen this will cause incorrect salt expansion, if
prevsecretlen < mdlen this could cause a crash or reading random
information. Inboth case the generated output would be incorrect.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25579)
