Commit Graph

141 Commits

Author SHA1 Message Date
Pauli
d753cc333d Fix coverity 1452084
Fix coverity 1452083

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9470)
2019-07-30 18:57:35 +10:00
Richard Levitte
8b84b075ff Adapt DH to use with KEYMGMT
The biggest part in this was to move the key->param builder from EVP
to the DH ASN.1 method, and to implement the KEYMGMT support in the
provider DH.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9394)
2019-07-23 19:43:09 +02:00
Matt Caswell
76ca35e724 Fix no-dh
The recent move of the DH code into the default provider broke no-dh. This
adds back in various missing guards.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9399)
2019-07-19 17:33:35 +01:00
Pauli
4bd8b24045 remove end of line spaces
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/9397)
2019-07-16 20:35:42 +10:00
Matt Caswell
35aca9eccb Add the ability to set PKCS#3 DH padding in providers
This also adds the ability to set arbitrary parameters on key exchange
algorithms. The ability to pad the output is one such parameter for DH.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9266)
2019-07-16 10:16:32 +01:00
Matt Caswell
89e291742f Implement PKCS#3 DH Key Exchange in the default provider
We add the capability for the default provider to perform PKCS#3
Diffie-Hellman key exchange. At this point the implementation is not used
because libcrypto still uses legacy handling for Diffie-Hellman.

Note X9.42 DH is not touched by this commit.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9266)
2019-07-16 10:16:32 +01:00
Rich Salz
cbfa5b0398 Regenerate mkerr files
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9058)
2019-07-16 05:26:28 +02:00
Shane Lontis
459b15d451 Add Common shared code needed to move aes ciphers to providers
Custom aes ciphers will be placed into multiple new files
(instead of the monolithic setup used in the e_aes.c legacy code)
so it makes sense to have a header for the platform specific
code that needs to be shared between files.
modes_lcl.h has also moved to modes_int.h to allow sharing with the
provider source.
Code that will be common to AEAD ciphers has also been added. These
will be used by seperate PR's for GCM, CCM & OCB.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9301)
2019-07-16 09:46:14 +10:00
Richard Levitte
06c8331c51 Adapt the provider AES for more use of OSSL_PARAM
The cipher context IV was a bit interesting.  EVP_CIPHER_CTX_iv()
returns a pointer to the live IV, while EVP_CIPHER_CTX_ctrl() with the
type EVP_CTRL_GET_IV gets a copy of the live IV.  To support both, we
support getting it with both the OSSL_PARAM_OCTET_STRING and
OSSL_PARAM_OCTET_PTR datatypes.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9328)
2019-07-11 07:27:02 +02:00
Patrick Steuer
f690ef151c s390x assembly pack: fix various aes modes performance regression
which was introduced with 64adf9aac7.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9271)
2019-07-02 17:33:29 +02:00
Matt Caswell
4cecf7a127 Add a nid 2 algorithm name mapping capability
Providers that link against libcrypto can just use OBJ_nid2sn() to look
up the name of an algorithm given a NID. However that doesn't work for the
FIPS provider because OBJ_nid2sn() is not available there (due to the
reliance of the code on ASN.1 types). Therefore we provider a new function
to do this mapping. For providers linking against libcrypto the new function
just wraps OBJ_nid2sn(). For the FIPS provider it has a look up for all the
NIDs known there.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9035)
2019-06-28 10:22:21 +01:00
Patrick Steuer
be1dc984e1 Fix s390x build errors and warnings
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9236)
2019-06-25 00:10:20 +02:00
Pauli
4e7991b497 Change OSSL_PARAM return size to not be a pointer.
Instead of referencing the return size from the OSSL_PARAM structure, make the
size a field within the structure.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9135)
2019-06-24 14:43:55 +10:00
Matt Caswell
da747958c5 Tell the FIPS provider about thread stop events
The RAND code needs to know about threads stopping in order to cleanup
local thread data. Therefore we add a callback for libcrypto to tell
providers about such events.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9040)
2019-06-17 16:19:44 +01:00
Richard Levitte
bb751e1108 Replumbing: Adapt the FIPS module to use the library context upcall
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9160)
2019-06-17 11:38:11 +02:00
Shane Lontis
83b4a24384 Make EVP_MD_CTX_ctrl() work for legacy use cases (ssl3).
This is still required currently by engines and digestsign/digestverify.
This PR contains merged in code from Richard Levitte's PR #9126.

[extended tests]

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9103)
2019-06-11 20:25:33 +10:00
Shane Lontis
56e840fe2d rename the digest provider files to avoid any name clashes with other folders
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9083)
2019-06-06 10:26:40 +10:00
Shane Lontis
d5e5e2ffaf Move digests to providers
Move digest code into the relevant providers (fips, default, legacy).
The headers are temporarily moved to be internal, and will be moved
into providers after all external references are resolved. The deprecated
digest code can not be removed until EVP_PKEY (signing) is supported by
providers. EVP_MD data can also not yet be cleaned up for the same reasons.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8763)
2019-06-04 12:09:50 +10:00
Matt Caswell
41525ed628 Ensure we get all the right defines for AES assembler in FIPS module
There are various C macro definitions that are passed via the compiler
to enable AES assembler optimisation. We need to make sure that these
defines are also passed during compilation of the FIPS module.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9038)
2019-06-03 12:56:53 +01:00
Matt Caswell
66ad63e801 Make basic AES ciphers available from within the FIPS providers
These ciphers were already provider aware, and were available from the
default provider. We move them into the FIPS provider too.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9038)
2019-06-03 12:56:53 +01:00
Pauli
39147079fc Structure alignment macro.
Introduce a macro that allows all structure alignment tricks to be rolled up
into a single place.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8845)
2019-05-01 08:37:11 +10:00
Richard Levitte
a39eb84006 Replumbing: give the possibility for the provider to create a context
OSSL_provider_init() gets another output parameter, holding a pointer
to a provider side context.  It's entirely up to the provider to
define the context and what it's being used for.  This pointer is
passed back to other provider functions, typically the provider global
get_params and set_params functions, and also the diverse algorithm
context creators, and of course, the teardown function.

With this, a provider can be instantiated more than once, or be
re-loaded as the case may be, while maintaining instance state.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8848)
2019-04-30 15:34:23 +02:00
Richard Levitte
f79858ac4d Replumbing: make the oneshot proider cipher function like the others
The OP_cipher_final function takes a return output size and an output
buffer size argument.  The oneshot OP_cipher_cipher function should do
the same.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8849)
2019-04-30 15:30:30 +02:00
Matt Caswell
6caf7f3aec Create provider errors and use them
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
64adf9aac7 Fix the S390X support for the basic AES ciphers
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
3a7b15e484 Add forward declarations of the AES dispatch table functions
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
3b94944cf2 Add a maximum output length to update and final calls
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
344cfa34e5 Add iv length and key length params to the cipher init calls
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
819a7ae9fc Implement AES CTR ciphers in the default provider
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
75dd6d64f1 Implement AES CFB ciphers in the default provider
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
ed98df51c6 Implement AES OFB ciphers in the default provider
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
718b133a53 Implement AES CBC ciphers in the default provider
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
f4a129bb8d Add support in the default provider for 192/128 bit AES ECB
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
861b8f8747 Add the provider_algs.h internal header file
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
aab26e6f7b Implement support for AES-256-ECB in the default provider
We also lay the ground work for various of other the basic AES ciphers.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
df05f2ce6d Make EVP_Encrypt*/EVP_Decrypt* and EVP_Cipher* provider aware
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Richard Levitte
f2dbb71cb6 providers/common/digests/sha2.c: forward declare all dispatched functions
Forward declare the dispatched functions using typedefs from
core_numbers.h.  This will ensure that they have correct signatures.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8747)
2019-04-15 10:46:09 +02:00
Richard Levitte
0ad50b4dee Providers: for the digest_final operation, pass a output buffer size
This allows the provider digest_final operation to check that it
doesn't over-run the output buffer.

The EVP_DigestFinal_ex function doesn't take that same parameter, so
it will have to assume that the user provided a properly sized buffer,
but this leaves better room for future enhancements of the public API.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8747)
2019-04-15 10:46:09 +02:00
Matt Caswell
9efa0ae0b6 Create a FIPS provider and put SHA256 in it
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8537)
2019-04-04 23:09:47 +01:00
Matt Caswell
7556b9df59 Support EVP_MD_block_size() with providers
Fixes #8565

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8604)
2019-04-03 15:50:13 +01:00
Matt Caswell
de29ff17a2 Implement SHA256 in the default provider
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8513)
2019-03-21 09:23:38 +00:00