The CPACF instruction KMAC provides support for accelerating the HMAC
algorithm on newer machines for HMAC with SHA-224, SHA-256, SHA-384, and
SHA-512.
Preliminary measurements showed performance improvements of up to a factor
of 2, dependent on the message size, whether chunking is used and the size
of the chunks.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25161)
Add defines for new CPACF functions codes, its required MSA levels, and
document how to disable these functions via the OPENSSL_s390xcap environment
variable.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25161)
If fdopen() call fails we need to close the fd. Also
return early as this is most likely some fatal error.
Fixes#25064
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25081)
The passed in reference of a ref-counted object
is free'd by d2i functions in the error handling.
However if it is not the last reference, the
in/out reference variable is not set to null here.
This makes it impossible for the caller to handle
the error correctly, because there are numerous
cases where the passed in reference is free'd
and set to null, while in other cases, where the
passed in reference is not free'd, the reference
is left untouched.
Therefore the passed in reference must be set
to NULL even when it was not the last reference.
Fixes#23713
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22809)
FIPS KAS requires use of ECC CDH.
The EC 'B' and 'K' curves have a cofactor that is not 1, and this
MUST be multiplied by the private key when deriving the shared secret.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25139)
See FIPS 140-3 IG Section 10.3.A Part 11
Indicates ECDSA requires a sign and verify test.
Note 11 states that HashEdDSA is not required to be tested if PureEdDSA is tested.
Note 12 indicates that both ED25519 and X448 need to be tested.
Since ED uses the oneshot interface, additional API's needed to be exposed to the
FIPS provider using #ifdef FIPS_MODULE.
Changed ED25518 and ED448 to use fips=true in the FIPS provider.
Updated documentation for provider lists for EDDSA.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22112)
mingw is complaining on builds about the use of InterlockedExchange on a
uint32_t type, as the input parameter here is expected to be LONG
(defined as signed 32 bit on all versions of windows).
the input value (reader_idx) will never grow larger than the group size
of the lock (nominally 2, but always a reasonably small value), so it
should be safe to just cast it to the appropriate type here.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25015)
The colon is already added in X509V3_EXT_val_prn(). In fact, the other
branches from i2v_GENERAL_NAME() do not include a trailing colon.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23428)
Sub-OIDs for {iso(1) identified-organization(3) dod(6) internet(1)
private(4) enterprise(1) 45605} are recorded in the document "Wi-SUN
Assigned Value Registry" (WAVR).
OID id-on-hardwareModule is defined in RFC 4108.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23428)
Move the switch to print a distinguished name inside the
switch by the printed attribute type, otherwise a malformed
attribute will cause a crash.
Updated the fuzz corpora with the testcase
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25087)
If an HRR is sent then it MUST contain supported_versions according to the
RFC. We were sanity checking any supported_versions extension that was sent
but failed to verify that it was actually present.
Fixes#25041
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25068)
Added OSSL_FUNC_keymgmt_gen_get_params() and
OSSL_FUNC_keymgmt_gen_gettable_params()
This will allow a FIPS indicator parameter to be queried after keygen.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24978)
It appears nonstops new threading model defines some level of rwlock
pthread api, but its not working properly. Disable rwlocks for
_KLT_MODEL_ for now
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24969)
Noted that we didn't check return codes of the atomic loads/stores in
the new hashtable, and they can fail
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24969)
To ensure that the value of h->md doesn't get recomputed during a delete
operation use ossl_rcu_deref on it
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24969)
If the implementation of this function falls to using a pthread lock to
update a value, it should be a write lock, not a read lock
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24969)
If the name is not found in namemap, we need
to try to fetch the algorithm and query the
namemap again.
Fixes#19338
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24940)
This entropy source can be used instead of SEED-SRC. Sample
openssl.cnf configuration is provided. It is built as a separate
provider, because it is likely to require less frequent updates than
fips provider. The same build likely can span multiple generations of
FIPS 140 standard revisions.
Note that rand-instances currently chain from public/private instances
to primary, prior to consuming the seed. Thus currently a unique ESV
needs to be obtained, and resue of jitterentropy.a certificate is not
possible as is. Separately a patch will be sent to allow for
unchaining public/private RAND instances for the purpose of reusing
ESV.
Also I do wonder if it makes sense to create a fips variant of stock
SEED-SRC entropy source, which in addition to using getrandom() also
verifies that the kernel is operating in FIPS mode and thus is likely
a validated entropy source. As in on Linux, check that
/proc/sys/crypto/fips_enabled is set to 1, and similar checks on
Windows / MacOS and so on.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)
There is a issue currently related to CMAC TDES, when the new provider
is tested against older branches.
The new strict check caused backwards compatibility issues when
using old branch with the new FIPS provider.
To get around this CMAC now allows TDES by default, but it can be either
enabled via config or a settable. (i.e it uses an indicator)
Where the TDES cipher check can be done turned out to be problematic.
Shifting the check in the TDES cipherout of the init doesnt work because
ciphers can run thru either final or cipher (and checking on every
cipher call seemed bad). This means it needs to stay in the cipher init.
So the check needs to be done in CMAC BEFORE the underlying TDES cipher
does it check.
When using an indicator the TDES cipher needs its "encrypt-check" set
so that needs to be propagated from the CMAC object. This requires
the ability to set the param at the time the cipher ctx is inited.
An internal function was required in order to pass params to CMAC_Init.
Note also that the check was done where it is, because EVP_Q_mac() calls
EVP_MAC_CTX_set_params(ctx, cipher_param)
EVP_MAC_CTX_set_params(ctx, params)
EVP_MAC_init(ctx, key, keylen, params)
Where the second call to set_params would set up "encrypt-check" after
"cipher".
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25022)
In FIPS 140-3, RSA Signing with X9.31 padding is not approved,
but verification is allowed for legacy purposes. An indicator has been added
for RSA signing with X9.31 padding.
A strict restriction on the size of the RSA modulus has been added
i.e. It must be 1024 + 256 * s (which is part of the ANSI X9.31 spec).
Added implementation comments to the X9.31 padding code
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24021)
Coverity flagged an overflow warning here that can occur if BIO_write
returns an error.
The overflow itself is a bit of a non-issue, but if BIO_write returns
< 0, then the return from i2a_ASN1_OBJECT will be some odd value
representing whatever the offset from the error code to the number of
bytes the dump may or may not have written (or some larger negative
error code if both fail.
So lets fix it. Only do the dump if the BIO_write call returned 0 or
greaater.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/24976)
In OpenSSL, it's actually OSSL_NELEM() in "internal/nelem.h".
Found by running the checkpatch.pl Linux script to enforce coding style.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22097)
Found by running the checkpatch.pl Linux script to enforce coding style.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22097)
Found by running the checkpatch.pl Linux script to enforce coding style.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22097)
Found by running the checkpatch.pl Linux script to enforce coding style.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22097)
Fixes Coverity 1604638
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/24930)
utility function to give us sane checking on strtoul conversions
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24861)
Improve code consistency between threads_pthread.c and threads_win.c
threads_pthread.c has good comments, let's copy them to threads_win.c
In many places uint64_t or LONG int was used, and assignments were
performed between variables with different sizes.
Unify the code to use uint32_t. In 32 bit architectures it is easier
to perform 32 bit atomic operations. The size is large enough to hold
the list of operations.
Fix result of atomic_or_uint_nv improperly casted to int *
instead of int.
Note:
In general size_t should be preferred for size and index, due to its
descriptive name, however it is more convenient to use uint32_t for
consistency between platforms and atomic calls.
READER_COUNT and ID_VAL return results that fit 32 bit. Cast them to
uint32_t to save a few CPU cycles, since they are used in 32 bit
operations anyway.
TODO:
In struct rcu_lock_st, qp_group can be moved before id_ctr
for better alignment, which would save 8 bytes.
allocate_new_qp_group has a parameter count of type int.
Signed values should be avoided as size or index.
It is better to use unsigned, e.g uint32_t, even though
internally this is assigned to a uint32_t variable.
READER_SIZE is 16 in threads_pthread.c, and 32 in threads_win.c
Using a common size for consistency should be prefered.
Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24803)
This fixes a build error regression on mingw64 introduced by me in
16beec98d2
In get_hold_current_qp, uint32_t variables were improperly
used to hold the value of reader_idx, which is defined as long int.
So I used CRYPTO_atomic_load_int, where a comment states
On Windows, LONG is always the same size as int
There is a size confusion, because
Win32 VC x86/x64: LONG, long, long int are 32 bit
MingW-W64: LONG, long, long int are 32 bit
cygwin64: LONG is 32 bit, long, long int are 64 bit
Fix:
- define reader_idx as uint32_t
- edit misleading comment, to clarify:
On Windows, LONG (but not long) is always the same size as int.
Fixes the following build error, reported in [1].
crypto/threads_win.c: In function 'get_hold_current_qp':
crypto/threads_win.c:184:32: error: passing argument 1 of 'CRYPTO_atomic_load_int' from incompatible pointer type [-Wincompatible-pointer-types]
184 | CRYPTO_atomic_load_int(&lock->reader_idx, (int *)&qp_idx,
| ^~~~~~~~~~~~~~~~~
| |
| volatile long int *
[1] https://github.com/openssl/openssl/pull/24405#issuecomment-2211602282
Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24803)
Coverity recently flaged an error in which the return value for
EVP_MD_get_size wasn't checked for negative values prior to use, which
can cause underflow later in the function.
Just add the check and error out if get_size returns an error.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24896)
Fixes#8038: Previously, line continuation logic did not account for the 'again' flag, which could cause incorrect removal of a backslash character in the middle of a line. This fix ensures that line continuation is correctly handled only when 'again' is false, thus improving the reliability of the configuration parser.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24890)
We can do just the quick check if cofactor == 1 as the
fact that the point is on the curve already implies
that order * point = infinity.
Fixes#21833
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24816)
oss-fuzz noted this issue:
https://oss-fuzz.com/testcase-detail/5363002606419968
Which reports a heap buffer overflow during ossl_method_cache_flush_some
Its occuring because we delete items from the hash table while inside
its doall iterator
The iterator in lhash.c does a reverse traversal of all buckets in the
hash table, and at some point a removal during an iteration leads to the
hash table shrinking, by calling contract. When that happens, the
bucket index becomes no longer valid, and if the index we are on is
large, it exceeds the length of the list, leading to an out of band
reference, and the heap buffer overflow report.
Fix it by preventing contractions from happening during the iteration,
but setting the down_load factor to 0, and restoring it to its initial
value after the iteration is done
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24867)
Follow the coding style to place variable definitions before code
Fixes a build error on Windows 2003 with VS2010 introduced in [1]
crypto\o_fopen.c(45) : error C2143: syntax error : missing ';' before 'type'
crypto\o_fopen.c(46) : error C2275: 'DWORD' : illegal use of this type as an expression
E:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\include\windef.h(152) : see declaration of 'DWORD'
crypto\o_fopen.c(46) : error C2146: syntax error : missing ';' before identifier 'flags'
crypto\o_fopen.c(46) : error C2065: 'flags' : undeclared identifier
[1] 917f37195a
Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24853)
