Commit Graph

29532 Commits

Author SHA1 Message Date
Jon Spillett
e3c7595521 Fix up encoder/decoder issues caused by not passing a library context to the PKCS8 encrypt/decrypt
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14587)
2021-06-01 12:16:27 +02:00
Jon Spillett
169eca602c Enhance the encoder/decoder tests to allow testing with a non-default library context and configurable providers
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14587)
2021-06-01 12:16:27 +02:00
Pauli
8ee66a092c req: fix Coverity 1485137 Explicit null dereference
Add a check for a non-existent file name when specifying params via file.
Add a check for a failure to determine key type.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15534)
2021-06-01 18:46:44 +10:00
Pauli
28cab20916 crypto: updates to pass size_t to RAND_bytes_ex()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15540)
2021-06-01 18:13:56 +10:00
Pauli
dfefa4c164 ssl: ass size_t to RAND_bytes_ex()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15540)
2021-06-01 18:13:36 +10:00
Pauli
528685fe77 rand: use size_t for size argument to RAND_bytes_ex()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15540)
2021-06-01 18:13:36 +10:00
Shane Lontis
f7c1b472bf Move provider der_XXX.h.in files to the include directory.
Fixes #15506

The .in and generated .h files are now in the same directory.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15544)
2021-06-01 15:31:06 +10:00
Shane Lontis
3c15d67705 Fix error stack for some fetch calls.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15532)
2021-06-01 15:28:18 +10:00
Shane Lontis
9ff4b7b0c7 Migration guide updates for flags and controls.
Provided a section that links to the ctrl/flags mappings to parameters
for digests and ciphers.

Added "EVP_CIPHER_CTX_set_flags() ordering" to changes section.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15496)
2021-06-01 15:22:30 +10:00
Shane Lontis
7f9537d57a Document Settable EVP_CIPHER_CTX parameter "use-bits"
Added docs for EVP_CIPHER_CTX_set_flags(),
EVP_CIPHER_CTX_clear_flags() and EVP_CIPHER_CTX_test_flags().

Added section for "FLAGS" to show parameter mappings.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15496)
2021-06-01 15:22:30 +10:00
Shane Lontis
17b209da49 Fix param indentation in ciphercommon_hw.c
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15496)
2021-06-01 15:22:30 +10:00
Shane Lontis
e2311445bb Fix aes cfb1 so that it can operate in bit mode.
The code to handle the cipher operation was already in the provider.
It just needed a OSSL_PARAM in order to set this into the algorithm.
EVP_CIPHER_CTX_set_flags() has been modified to pass the OSSL_PARAM.

Issue reported by Mark Powers from Acumen.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15496)
2021-06-01 15:22:30 +10:00
Pauli
d11dd381c5 add some cross compilation builds
Add some cross compiling builds to test things aren't broken.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15535)
2021-06-01 15:04:05 +10:00
Pauli
64fac96de8 sparc: fix cross compile build
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15535)
2021-06-01 15:04:05 +10:00
Pauli
a7981653ea ppc: fix ambiguous if if else statement
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15535)
2021-06-01 15:04:05 +10:00
Richard Levitte
e378be2a29 Add .asn1 dependencies for files generated from providers/common/der/*.in
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15533)
2021-05-31 06:21:53 +02:00
Jan Lana
691e2efa62 Update solaris64-sparcv9-cc build target cflags
Fixes #15507

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15509)
2021-05-31 09:49:40 +10:00
Matt Caswell
99be8ed331 Fix cert creation in the store
When we create a cert in the store, make sure we do so with the libctx
and propq associated.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15523)
2021-05-31 09:40:50 +10:00
Richard Levitte
e43dc9b243 Add the usual autowarn perl snippet in providers/common/der/*.in
We have this in all other .in files, so these should have that as well.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15524)
2021-05-31 09:34:34 +10:00
Matt Caswell
3bcc933ec4 Teach EVP_PKEYs to say whether they were decoded from explicit params
Currently we explicitly downgrade an EVP_PKEY to an EC_KEY and ask
the EC_KEY directly whether it was decoded from explicit parameters or not.
Instead we teach EVP_PKEYs to respond to a new parameter for this purpose.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15526)
2021-05-31 09:23:39 +10:00
Matt Caswell
0a4e660a27 Update check_sig_alg_match() to work with provided keys
Use EVP_PKEY_is_a() to check whether an EVP_PKEY is compatible with the
given signature.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15528)
2021-05-31 09:16:47 +10:00
Matt Caswell
3811e0019a Special case SM2 when decoding
SM2 abuses the EC oid by reusing it - but an EC key is different to an SM2
key. Therefore we have to special case SM2 during decoding. If we encounter
the EC OID then we have to try both algorithms.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15522)
2021-05-31 09:13:19 +10:00
Jon Spillett
3068a183ae Fixes #14103 & #14102. Update AES demos with error handling and EVP fetch
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15081)
2021-05-31 09:05:43 +10:00
Shane Lontis
f505161e62 Fix PKCS7_verify to not have an error stack if it succeeds.
Revert a change in behavior to BIO_write(). If a NULL BIO
is passed, no error is raised and the return value is 0. There are
many places where the return code from the write was not checked,
resulting in an error stack with no error status being returned.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15493)
2021-05-31 08:45:58 +10:00
Pauli
43dbe3b72d fips: set the library context and handle later
They need to be set once the provider will definitely be loading.  If they
are set earlier, a double free results on a failure.

Fixes #15452

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15492)
2021-05-29 20:46:11 +10:00
Richard Levitte
f839361e3e make update-fips-checksums
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15514)
2021-05-29 11:06:44 +02:00
Richard Levitte
57bd5fc728 Rearrange the check of providers/fips.so dependencies
The mechanism had special cases to guess when something was generated
from a .in file.  It's better, though, to use the knowledge in
configdata.pm, especially when the generated file is in a different
location than its source.

Cleanups are added, and we change the use of sed to a use of perl
when cleaning up paths with 'something/../' in them, since perl has
more powerful tools for this sort of thing.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15514)
2021-05-29 11:03:53 +02:00
Richard Levitte
32eebfa27f Make providers/fips.module.sources.new depend on configdata.pm
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15514)
2021-05-29 11:02:37 +02:00
Richard Levitte
e653b04bd2 configdata.pm: Allow extra arguments when --query is given.
That allows operations like this:

    ./configdata.pm --query 'get_sources(@ARGV)' file1 file2 file3

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15514)
2021-05-29 11:02:37 +02:00
Pauli
5cbd2ea3f9 add zero strenght arguments to BN and RAND RNG calls
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15513)
2021-05-29 17:17:12 +10:00
Pauli
965fa9c080 prov: add zero strenght arguments to BN and RAND RNG calls
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15513)
2021-05-29 17:17:12 +10:00
Pauli
0f8815aace ssl: add zero strenght arguments to BN and RAND RNG calls
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15513)
2021-05-29 17:17:12 +10:00
Pauli
23e97567be test: add zero strenght arguments to BN and RAND RNG calls
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15513)
2021-05-29 17:17:12 +10:00
Pauli
508258caa0 rand: add a strength argument to the BN and RAND RNG calls
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15513)
2021-05-29 17:17:12 +10:00
Pauli
e587bccdf9 doc: document the strength arugments to the RNG functions
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15513)
2021-05-29 17:17:12 +10:00
Rich Salz
83058e810b Make undef'd counts zero by default.
Fixes #15409

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15467)
2021-05-29 16:09:08 +10:00
Amitay Isaacs
30691da1ba ec: Add PPC64 vector assembly version of p521 field operations
Only field multiplication and squaring (but not reduction) show a
significant improvement.  This is enabled on Power ISA >= 3.0.

On a Power 9 CPU an average 10% performance improvement is seen (ECHDE:
14%, ECDSA sign: 6%, ECDSA verify 10%), compared to existing code.

On an upcoming Power 10 CPU we see an average performance improvement
of 26% (ECHDE: 38%, ECDSA sign: 16%, ECDSA verify 25%), compared to
existing code.

Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>
Signed-off-by: Martin Schwenke <martin@meltin.net>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15401)
2021-05-29 16:07:15 +10:00
Martin Schwenke
1036749883 ec: Add run time code selection for p521 field operations
This is only used if ECP_NISTP521_ASM is defined and this currently
only occurs on PPC64.

This simply chooses the C reference implementation, which will be the
default when custom code is available for certain CPUs.

Only the multiplication and squaring operations are handled, since the
upcoming assembly code only contains those.  This scheme can be easily
extended to handle reduction too.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15401)
2021-05-29 16:07:15 +10:00
Martin Schwenke
3363a2c3d6 ec: Rename reference p521 field operations and use them via macros
This will allow clean addition of assembly versions of these operations.

Signed-off-by: Martin Schwenke <martin@meltin.net>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15401)
2021-05-29 16:07:15 +10:00
Martin Schwenke
7711227059 perlasm/ppc-xlate.pl: Handle rewriting of vector registers
Power has 2 numbering systems for vector registers:

* VR: Vector Registers are numbered from 0 to 31
* VSR: Vector-Scalar registers are numbers from 32 to 63

These refer to the same registers.  Some instructions use VR numbering
for their operands, while others use VSR numbering.

When using Perl to provide a meaningful name for a register it makes
sense to use the same variable for both VR and VSR instructions.  This
makes the code more readable.

However, providing a VSR number (i.e. >=32) to an instruction that
expects a VR number will cause an assembler error.

So, for instructions that require VR numbering, map VSR numbers
(i.e. >=32) to VR numbers.  This also allows existing code that uses
VR numbering to remain unchanged.

Signed-off-by: Martin Schwenke <martin@meltin.net>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15401)
2021-05-29 16:07:15 +10:00
Dr. David von Oheimb
24c07e5055 BIO acpt_state(): Allow retrying addresses (e.g., using IPv6 vs. IPv4) on creating accept socket
Fixes #15386

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15417)
2021-05-29 07:47:03 +02:00
Dr. David von Oheimb
a7014122ac BIO_s_accept.pod: Add missing documentation for BIO_{get,set}_accept_ip_family()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15417)
2021-05-29 07:47:03 +02:00
Dr. David von Oheimb
f4706b165a apps/ocsp: Allow -port 0
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15417)
2021-05-29 07:47:03 +02:00
Dr. David von Oheimb
d318fc9545 DOC: Slightly improve the documentation of BIO_lookup() and related functions
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15417)
2021-05-29 07:47:03 +02:00
Dr. David von Oheimb
d357dd51cb apps/lib/s_socket.c and 80-test_cmp_http.t: Make ACCEPT port reporting more robust
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15417)
2021-05-29 07:47:03 +02:00
Shane Lontis
189c4759eb Fix intermittent CI failure in evp_kdf_test for non_caching build.
Fixes #15515

Another case of the order that tests run in causes a failure.
A new test was loading "legacy" into the default lib ctx. If it
ran first then everything fails. The test now has its own lib ctx.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15516)
2021-05-29 07:20:01 +10:00
Shane Lontis
b6b3694c90 Fix incorrect gettable OSSL_CIPHER_PARAM_TLS_MAC parameter
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15416)
2021-05-28 14:29:13 +02:00
Shane Lontis
37115f6512 Fix incorrect OSSL_CIPHER_PARAM_SPEED get_ctx_params
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15416)
2021-05-28 14:29:13 +02:00
Shane Lontis
f5d0c02cdc Add missing EVP_CTRL_CCM_SET_L control
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15416)
2021-05-28 14:29:13 +02:00
Shane Lontis
b9098d4edd Add Docs for EVP_CIPHER-*
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15416)
2021-05-28 14:29:13 +02:00