The keytype number will only be -1 when control commands are used for
more than one key type. Sometimes, they share the same underlying
structure, and sometimes not.
Some of the RSA control commands that are using only with the keytype
EVP_PKEY_RSA we misplaced to be handled with the keytype -1.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11329)
Old files from the SSLeay 0.8.1b import that aren't used and don't seem to be
installed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11314)
They were claimed to be the SKIP primes but they are really two of the
MODP Diffie-Hellman groups for IKE.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11314)
The first field was called 'pad', but not for the reason one might
think. It was really a padding int that was always zero, and was
placed first on purpose. This is to pick up programming errors where
an RSA pointer was passed when an EVP_PKEY pointer should have been,
an makes it look like an EVP_PKEY structure with type EVP_PKEY_NONE,
which effectively avoids any further processing (and unintended
corruption of the RSA structure).
This is only relevant for legacy structure and EVP_PKEY_METHODs. With
providers, EVP_PKEYs aren't passed to the backend anyway.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11315)
This target gave '-pie' as a C flag when it should be a linker flag.
Additionally, we add '-fPIE' as C flag for binaries.
Fixes#11237
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11238)
According to forum discussions with NDK developers, ANDROID_NDK_HOME
is used for something else.
Fixes#11205
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11206)
The TLS (pre-1.3) ChangeCipherState message is usually used to indicate
the switch from the unencrypted to encrypted part of the handshake.
However, it can also be used in cases where there is an existing
session (such as during resumption handshakes) or when changing from
one cipher to a different one (such as during renegotiation when the
cipher list offered by the client has changed). This test serves
to exercise such situations, allowing us to detect whether session
objects are being modified in cases when they must remain immutable
for thread-safety purposes.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)
The server-side ChangeCipherState processing stores the new cipher
in the SSL_SESSION object, so that the new state can be used if
this session gets resumed. However, writing to the session is only
thread-safe for initial handshakes, as at other times the session
object may be in a shared cache and in use by another thread at the
same time. Reflect this invariant in the code by only writing to
s->session->cipher when it is currently NULL (we do not cache sessions
with no cipher). The code prior to this change would never actually
change the (non-NULL) cipher value in a session object, since our
server enforces that (pre-TLS-1.3) resumptions use the exact same
cipher as the initial connection, and non-abbreviated renegotiations
have produced a new session object before we get to this point.
Regardless, include logic to detect such a condition and abort the
handshake if it occurs, to avoid any risk of inadvertently using
the wrong cipher on a connection.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)
TLS 1.3 maintains a separate keys chedule in the SSL object, but
was writing to the 'master_key_length' field in the SSL_SESSION
when generating the per-SSL master_secret. (The generate_master_secret
SSL3_ENC_METHOD function needs an output variable for the master secret
length, but the TLS 1.3 implementation just uses the output size of
the handshake hash function to get the lengths, so the only natural-looking
thing to use as the output length was the field in the session.
This would potentially involve writing to a SSL_SESSION object that was
in the cache (i.e., resumed) and shared with other threads, though.
The thread-safety impact should be minimal, since TLS 1.3 requires the
hash from the original handshake to be associated with the resumption
PSK and used for the subsequent connection. This means that (in the
resumption case) the value being written would be the same value that was
previously there, so the only risk would be on architectures that can
produce torn writes/reads for aligned size_t values.
Since the value is essentially ignored anyway, just provide the
address of a local dummy variable to generate_master_secret() instead.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)
The generated macros are TYPE_get_ex_new_index() (to match
CRYPTO_get_ex_new_index()), not TYPE_get_new_ex_index(), even though
the latter spelling seems more natural.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)
Generally modernize the language.
Refer to TLS instead of SSL/TLS, and try to have more consistent
usage of commas and that/which.
Reword some descriptions to avoid implying that a list of potential
reasons for behavior is an exhaustive list.
Clarify how get_session_cb() is only called on servers (i.e., in general,
and that it's given the session ID proposed by the client).
Clarify the semantics of the get_cb()'s "copy" argument.
The behavior seems to have changed in commit
8876bc0548, though the behavior prior
to that commit was not to leave the reference-count unchanged if
*copy was not written to -- instead, libssl seemed to assume that the
callback already had incremented the reference count.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)
CLA: trivial
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11299)
There was a misunderstanding what it should return. It should return
0 on internal error, but 1 even if the thing it tests fails (the error
is determined by |t->err|).
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10289)
The following functions are added:
EVP_PKEY_gen_set_params(), replacing the older EVP_PKEY_CTX_ctrl()
EVP_PKEY_gen(), replacing both EVP_PKEY_keygen() and EVP_PKEY_paramgen()
These functions are made to work together with already existing domparams
and key generation functionality: EVP_PKEY_CTX_new_provided(),
EVP_PKEY_paramgen_init(), EVP_PKEY_keygen_init(), etc.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10289)
We introduce these dispatched functions:
- OP_keymgmt_gen_init() to initialize the key object generation.
- OP_keymgmt_gen_set_template() to set a template for key object
generation. The template is another key object, for example one
with domain parameters.
- OP_keymgmt_gen_set_params() to set other key object generation
parameters.
- OP_keymgmt_gen_settable_params() to find out what settable
parameters there are.
- OP_keymgmt_gen() to perform the key object generation.
- OP_keymgmt_gen_cleanup() to clean up the key object generation.
Internal function for easy and consistent use of these ddispatched
functions are added.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10289)
Note: This PR has not attempted to move the curves into the provider dispatch table.
Mappings between the curve name / nid have been added to the inbuilt curve table.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11133)
The code was assuming that a serializer would always be found - but this
may not be the case.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11271)
Optimize the the AES-based implementation of the CTR_DRBG
construction, see 10.2.1 in [1].
Due to the optimizations, the code may deviate (more) from the
pseudocode in [1], but it is functional equivalence being decisive
for compliance:
"All DRBG mechanisms and algorithms are described in this document
in pseudocode, which is intended to explain functionality.
The pseudocode is not intended to constrain real-world
implementations." [9 in [1]].
The following optimizations are done:
- Replace multiple plain AES encryptions by a single AES-ECB
encryption of a corresponding pre-initialized buffer, where
possible.
This allows platform-specific AES-ECB support to
be used and reduces the overhead of multiple EVP calls.
- Replace the generate operation loop (which is a counter
increment followed by a plain AES encryption) by a
loop which does a plain AES encryption followed by
a counter increment. The latter loop is just a description
of AES-CTR, so we replace it by a single AES-CTR
encryption.
This allows for platform-specific AES-CTR support to be used
and reduces the overhead of multiple EVP calls.
This change, that is, going from a pre- to a post- counter
increment, requires the counter in the internal state
to be kept at "+1" (compared to the pseudocode in [1])
such that it is in the correct state, when a generate
operation is called.
That in turn also requires all other operations to be
changed from pre- to post-increment to keep functional
equivalence.
[1] NIST SP 800-90A Revision 1
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10457)
Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712).
Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI.
Adds extensive documentation and tests.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)
EVP_MD_CTX_ctrl() translates some known control commands when faced
with a fetched EVP_MD, so we need to document it.
This also ensures that we don't drop the information on the "micalg"
parameter entirely.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11270)
These lines will be taken away as documentation moves from diverse
provider operation interface manuals to implementation specific docs.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11270)
The provider- manuals are meant to describe the general interface for
their respective operation. This is not the place to describe
implementation specific details.
This change creates a number of doc/man7/EVP_MD manuals, one for each
algorithm or set of algorithms, as well as doc/man7/EVP_MD-common.pod
to describe what's common to them all.
While we're at it, correct the SHA3 settable context params array to
match what's actually settable.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11270)
This adds doc/man7/OSSL_PROVIDER-default.pod and OSSL_PROVIDER-legacy.pod,
and fills in currently implemented operations and algorithms in them, as
well as in doc/man7/OSSL_PROVIDER-FIPS.pod, with links to documentation to
come.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11270)
aims at checking most of https://www.openssl.org/policies/codingstyle.html
and various requirements not yet explicitly stated there - see also #10725
add util/check-format.pl and its self-tests in
util/check-format-test-{positives,negatives}.c
remove util/openssl-format-source
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/10363)
This should have been publically present a long time ago, to be
consistent with the RSA, DSA and EC_KEY APIs. However, since we've
now deprecated that kind of function for the other key types, there's
no point in adding a public function, but we still need it internally.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11193)
The EVP_PKEY_ASN1_METHOD function export_to() must check that the key
we're trying to export has a known libcrypto method, i.e. is a built
in RSA_METHOD, DSA_METHOD, etc. Otherwise, the method may be defined
by the calling application, by an engine, by another library, and we
simply cannot know all the quirks hidden behind that method, if we
have access to the key data, or much anything.
Such keys are simply deemed impossible to export to provider keys,
i.e. have export_to() return 0. This cascades back to functions like
evp_pkey_export_to_provider() and evp_pkey_upgrade_to_provider() and
their callers. In most cases, this is fine, but if these get mixed in
with provider side keys in any function, that function will fail.
Fixes#11179Fixes#9915
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11193)
CLA: trivial
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11253)
Acting on EXE_SHELL was a bit over the top, especially in light of
instructions like this (from NOTES.VALGRIND):
EXE_SHELL="`/bin/pwd`/util/wrap.pl valgrind --error-exitcode=1 --leak-check=full -q"
Fixes#11255
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11258)
Fetch once and just pass the global ex_data to the "get_and_lock" static
function.
Removed a redundant null pointer check within the "get_and_lock" static
function (control already performed by the caller).
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11152)