Commit Graph

108 Commits

Author SHA1 Message Date
Shane Lontis
8bbeaaa4fc Added X963KDF API
X963 KDF is used for CMS ec keyagree Recipient Info.
The X963 KDF that is used by CMS EC Key Agreement has been moved
into a EVP_KDF object. This KDF is almost identical to the the SSKDF
hash variant, so it has been implemented inside the SSKDF code with
its own method table.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8902)
2019-05-16 11:43:41 +10:00
Tobias Nießen
67c81ec311 Allow specifying the tag after AAD in CCM mode
This change allows to pass the authentication tag after specifying
the AAD in CCM mode. This is already true for the other two supported
AEAD modes (GCM and OCB) and it seems appropriate to match the
behavior.

GCM and OCB also support to set the tag at any point before the call
to `EVP_*Final`, but this won't work for CCM due to a restriction
imposed by section 2.6 of RFC3610: The tag must be set before
actually decrypting data.

This commit also adds a test case for setting the tag after supplying
plaintext length and AAD.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7243)
2019-05-08 10:57:59 +01:00
Simo Sorce
4679345149 Change the digest string from "md" to "digest"
Conform to other modules which were changed at the last minute and this
discrepancy was not noticed.
Retain "md" as an alias so not to break 3rd party backports/tests scripts.

Signed-off-by: Simo Sorce <simo@redhat.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8783)
2019-05-03 23:47:43 +02:00
Matt Caswell
a595b10d34 Add some more test vectors for ChaCha20
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8780)
2019-04-19 09:37:47 +01:00
Pauli
3538b0f7ad Move the AES-XTS mode duplicated key check into the init_key function rather
than the update call.  The means an earlier error return at the cost of some
duplicated code.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8625)
2019-04-05 10:55:40 +10:00
Matt Caswell
48fdeca01d Don't allow SHAKE128/SHAKE256 with HMAC
See discussion in github issue #8563

Fixes #8563

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8584)
2019-03-27 14:32:08 +00:00
Matt Caswell
183f52e29a Fix a memory leak in ARIA GCM
Fixes #8567

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8586)
2019-03-27 10:26:52 +00:00
Shane Lontis
9537fe5757 Single step kdf implementation
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8230)
2019-03-19 11:03:45 +00:00
Matt Caswell
a4f0b50eaf Test an overlong ChaCha20-Poly1305 nonce
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8406)
2019-03-06 13:25:21 +00:00
Simo Sorce
8d76481b18 Implement SSH KDF
SSH's KDF is defined in RFC 4253 in Section 7.2

Signed-off-by: Simo Sorce <simo@redhat.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7290)
2019-02-27 11:02:54 +00:00
David Makepeace
5a285addbf Added new EVP/KDF API.
Changed PKEY/KDF API to call the new API.
Added wrappers for PKCS5_PBKDF2_HMAC() and EVP_PBE_scrypt() to call the new EVP KDF APIs.
Documentation updated.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6674)
2019-02-13 12:11:49 +01:00
Antoine Salon
b215db236c blake2: add evpmac test vectors
Signed-off-by: Antoine Salon <asalon@vmware.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7726)
2019-02-06 09:24:28 +00:00
Todd Short
b1ceb439f2 Add RFC5297 AES-SIV support
Based originally on github.com/dfoxfranke/libaes_siv

This creates an SIV128 mode that uses EVP interfaces for the CBC, CTR
and CMAC code to reduce complexity at the cost of perfomance. The
expected use is for short inputs, not TLS-sized records.

Add multiple AAD input capacity in the EVP tests.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/3540)
2018-12-12 08:16:10 +10:00
Matt Caswell
6de98b4fb6 Add an Ed448 malleability test
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7748)
2018-12-11 11:53:55 +00:00
Richard Levitte
909f1a2e51 Following the license change, modify the boilerplates in test/
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7767)
2018-12-06 14:19:22 +01:00
Matt Caswell
e65a79d2aa Add an Ed25519 signature maleability test
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7697)
2018-12-03 14:21:05 +00:00
Shane Lontis
6e624a6453 KMAC implementation using EVP_MAC
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7597)
2018-11-14 07:01:09 +10:00
Richard Levitte
425036130d Fix SipHash init order.
Setting the SipHash hash size and setting its key is done with two
independent functions...  and yet, the internals depend on both.

Unfortunately, the function to change the size wasn't adapted for the
possibility that the key was set first, with a different hash size.

This changes the hash setting function to fix the internal values
(which is easy, fortunately) according to the hash size.

evpmac.txt value for digestsize:8 is also corrected.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7613)
2018-11-12 07:15:55 +01:00
Paul Yang
c1da4b2afe Add poly1305 MAC support
This is based on the latest EVP MAC interface introduced in PR #7393.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7459)
2018-11-05 13:07:07 +08:00
Pauli
afc580b9b0 GMAC implementation
Remove GMAC demo program because it has been superceded by the EVP MAC one

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7548)
2018-11-05 08:09:41 +10:00
Richard Levitte
9f2e18111e Have a couple of SipHash test uses the EVP_PKEY method
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7494)
2018-10-30 08:09:07 +01:00
Richard Levitte
c89d9cdab1 EVP_MAC: Add SipHash implementation
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7494)
2018-10-30 08:09:07 +01:00
Richard Levitte
388de53c27 Make sure at least one HMAC test still uses the EVP_PKEY method
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7483)
2018-10-30 05:51:01 +01:00
Richard Levitte
56adb7d937 Make sure at least one CMAC test still uses the EVP_PKEY method
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7484)
2018-10-30 05:34:50 +01:00
Richard Levitte
ce5d64c79c test/evp_test.c: don't misuse pkey_test_ctrl() in mac_test_run()
pkey_test_ctrl() was designed for parsing values, not for using in
test runs.  Relying on its returned value when it returned 1 even for
control errors made it particularly useless for mac_test_run().

Here, it gets replaced with a MAC specific control function, that
parses values the same way but is designed for use in a _run() rather
than a _parse() function.

This uncovers a SipHash test with an invalid control that wasn't
caught properly.  After all, that stanza is supposed to test that
invalid control values do generate an error.  Now we catch that.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7500)
2018-10-29 17:29:30 +01:00
Pauli
95eda4f09a FIPS 140-2 IG A.9 XTS key check.
Add a check that the two keys used for AES-XTS are different.

One test case uses the same key for both of the AES-XTS keys.  This causes
a failure under FIP 140-2 IG A.9.  Mark the test as returning a failure.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7120)
2018-09-12 08:40:47 +10:00
Matt Caswell
1212818eb0 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7176)
2018-09-11 13:45:17 +01:00
Richard Levitte
2725232132 TESTS: add SipHash tests with digestsize controls
Confirms #7143

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7154)
2018-09-09 01:47:56 +02:00
Pauli
e0810e3502 Fix HMAC SHA3-224 and HMAC SHA3-256.
Added NIST test cases for these two as well.

Additionally deprecate the public definiton of HMAC_MAX_MD_CBLOCK in 1.2.0.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6972)
2018-09-04 08:09:12 +10:00
Pauli
fc196a5eb9 Make OBJ_NAME case insensitive.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7089)
2018-09-04 07:35:45 +10:00
Billy Brumley
bfb10b9758 [test] throw error from wrapper function instead of an EC_METHOD specific one
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7028)
2018-09-03 20:25:41 +02:00
Billy Brumley
30c41bfb15 [test] ECC: make sure negative tests pass for the right reasons
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7028)
2018-09-03 20:25:41 +02:00
Nicola Tuveri
5d92b853f6 Replace GFp ladder implementation with ladd-2002-it-4 from EFD
The EFD database does not state that the "ladd-2002-it-3" algorithm
assumes X1 != 0.
Consequently the current implementation, based on it, fails to compute
correctly if the affine x coordinate of the scalar multiplication input
point is 0.

We replace this implementation using the alternative algorithm based on
Eq. (9) and (10) from the same paper, which being derived from the
additive relation of (6) does not incur in this problem, but costs one
extra field multiplication.

The EFD entry for this algorithm is at
https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-4
and the code to implement it was generated with tooling.

Regression tests add one positive test for each named curve that has
such a point. The `SharedSecret` was generated independently from the
OpenSSL codebase with sage.

This bug was originally reported by Dmitry Belyavsky on the
openssl-users maling list:
https://mta.openssl.org/pipermail/openssl-users/2018-August/008540.html

Co-authored-by: Billy Brumley <bbrumley@gmail.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7000)
2018-08-21 09:51:18 +01:00
Dr. Matthias St. Pierre
95c91cb3fc test/recipes/30-test_evp_data: fix two typos
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7001)
2018-08-18 06:57:42 +02:00
Pauli
58094ab60f Add SHA3 HMAC test vectors from NIST.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6963)
2018-08-15 11:43:34 +10:00
Andy Polyakov
dfd5fb0950 test/.../evppkey.txt: X25519 regression test vectors.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6699)
2018-07-15 19:05:50 +02:00
Pauli
a9f3f1ccbb Tests for MD5-SHA1 combined digest.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6642)
2018-07-04 08:07:02 +10:00
Billy Brumley
249330de02 More EVP ECC testing: positive and negative
1. For every named curve, two "golden" keypair positive tests.
2. Also two "golden" stock ECDH positive tests.
3. For named curves with non-trivial cofactors, additionally two "golden"
   ECC CDH positive tests.
4. For named curves with non-trivial cofactors, additionally two negative
   tests.

There is some overlap with existing EVP tests, especially for the NIST
curves (for example, positive testing ECC CDH KATs for NIST curves).

"Golden" here means all the values are independent from OpenSSL's ECC
code. I used sage to calculate them. What comes from OpenSSL is:

1. The OIDs (parsed by tooling)
2. The curve parameters (parsing ecparam output with tooling)

The values inside the PEMs (private keys, public keys) and shared keys
are from sage. The PEMs themselves are the output of asn1parse, with
input taken from sage.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6608)
2018-06-29 12:29:12 +02:00
Billy Brumley
a766aab93a [crypto/ec] don't assume points are of order group->order
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6535)
2018-06-21 13:33:42 +02:00
Jack Lloyd
ddb634fe6f Move SM2 algos to SM2 specific PKEY method
Use EVP_PKEY_set_alias_type to access

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6443)
2018-06-19 11:29:44 +01:00
Nicola Tuveri
22f0c72b92 [SM2_sign] add minimal EVP_PKEY functionality testing
The actual functionality of generating signatures through the `EVP_PKEY`
API is completely untested.
Current tests under the `EVP_PKEY` API
(`test/recipes/30-test_evp_data/evppkey.txt`) only cover `Verify` and
`Decrypt`, while encryption and signature generation are tested with
ad-hoc clients (`test/sm2crypttest.c`, `test/sm2signtest.c`) that do not
call the `EVP_PKEY` interface at all but soon-to-be private functions
that bypass it (cf. PR#5895 ).

It is my opinion that an ideal solution for the future would consist on
enhancing the `test/evp_pkey` facility and syntax to allow tests to take
control of the PRNG to inject known nonces and validate the results of
`EVP_PKEY` implementations against deterministic known answer tests, but
it is probably too late to work on this feature in time for next release.

Given that commit b5a85f70d8 highlights some critical bugs in the hook
between the `EVP_PKEY` interface and SM2 signature generation and that
these defects escaped testing and code review, I think that at least for
now it is beneficial to at least add the kind of "bogus" testing
provided by this patch:
this is a "fake" test as it does only verify that the SM2 `EVP_PKEY`
interface is capable of creating a signature without failing, but it
does not say anything about the generated signature being valid, nor
does it test the functional correctness of the cryptosystem.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6066)
2018-04-25 10:24:43 +01:00
Matt Caswell
b0edda11cb Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5689)
2018-03-20 13:08:46 +00:00
Jack Lloyd
dceb99a5fb Support SM2 ECIES scheme via EVP
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4793)
2018-03-19 14:33:25 +01:00
Jack Lloyd
3d328a445c Add SM2 signature and ECIES schemes
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4793)
2018-03-19 14:33:25 +01:00
Matt Caswell
66a925ea8c Fix no-ec
Raw private/public key loading may fail for X25519/X448 if ec has been
disabled.

Also fixed a missing blank line in evppkey.txt resulting in a warning in
the test output.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5664)
2018-03-19 12:34:29 +00:00
Matt Caswell
0f987bdab8 Add some test vectors for testing raw 448/25519 keys
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5520)
2018-03-15 12:47:27 +00:00
Matt Caswell
92521a3ae7 Add test vectors for X448 and Ed448
This adds the Ed448 test vectors from RFC8032 and the X448 test vectors
from RFC7748.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5481)
2018-03-02 10:14:31 +00:00
Pauli
4bed94f0c1 SHA512/224 and SHA512/256
Support added for these two digests, available only via the EVP interface.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5093)
2018-01-24 07:09:46 +10:00
Jack Lloyd
a0c3e4fa90 SM3: Add SM3 hash function
SM3 is a secure hash function which is part of the Chinese
"Commercial Cryptography" suite of algorithms which use is
required for certain commercial applications in China.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4616)
2017-11-06 07:21:11 +08:00
Ronald Tse
f19a5ff9ab SM4: Add SM4 block cipher to EVP
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4552)
2017-10-31 15:19:14 +10:00
Dr. Stephen Henson
dcb7e48209 Add RFC7919 tests.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
2017-10-12 02:40:30 +01:00
Jon Spillett
bc32673869 Implement Aria GCM/CCM Modes and TLS cipher suites
AEAD cipher mode implementation is based on that used for AES:

  https://tools.ietf.org/html/rfc5116

TLS GCM cipher suites as specified in:

  https://tools.ietf.org/html/rfc6209

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4287)
2017-08-30 12:33:53 +02:00
Andy Polyakov
bbde4740eb Wire SHAKE to EVP.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4137)
2017-08-12 12:20:56 +02:00
Johannes Bauer
cefa762ee5 Add interface to the scrypt KDF by means of PKEY_METHOD
Add an interface that allows accessing the scrypt KDF as a PKEY_METHOD.
This fixes #4021 (at least for the scrypt portion of the issue).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4026)
2017-08-08 15:44:49 +01:00
Dr. Stephen Henson
b15d5ab617 Allow use of long name for KDFs
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4079)
2017-08-03 02:18:44 +01:00
Andy Polyakov
e4adad92b3 Wire SHA3 EVPs and add tests.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3943)
2017-07-25 21:40:30 +02:00
Dr. Stephen Henson
d76f646ade Add keygen test data
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3920)
2017-07-19 14:02:20 +01:00
Richard Levitte
c537e74ba3 Move bn and evp test programs input data to their respective data dir
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3472)
2017-06-15 19:46:24 +02:00