Commit graph

23603 commits

Author SHA1 Message Date
Jake Massimo
2500c093aa Increase rounds of Miller-Rabin testing DH_check
DH_check is used to test the validity of Diffie-Hellman parameter sets (p, q, g). Among the tests performed are primality tests on p and q, for this BN_is_prime_ex is called with the rounds of Miller-Rabin set as default. This will therefore use the average case error estimates derived from the function BN_prime_checks_for_size based on the bit size of the number tested.

However, these bounds are only accurate on testing random input. Within this testing scenario, where we are checking the validity of a DH parameter set, we can not assert that these parameters are randomly generated. Thus we must treat them as if they are adversarial in nature and increase the rounds of Miller-Rabin performed.

Generally, each round of Miller-Rabin can declare a composite number prime with probability at most (1/4), thus 64 rounds is sufficient in thwarting known generation techniques (even in safe prime settings - see https://eprint.iacr.org/2019/032 for full analysis). The choice of 64 rounds is also consistent with SRP_NUMBER_ITERATIONS_FOR_PRIME 64 as used in srp_Verify_N_and_g in openssl/apps/s_client.c.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8593)
2019-03-27 14:59:25 +00:00
Matt Caswell
48fdeca01d Don't allow SHAKE128/SHAKE256 with HMAC
See discussion in github issue #8563

Fixes #8563

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8584)
2019-03-27 14:32:08 +00:00
Matt Caswell
1783847061 Correctly check the return code of EVP_MAC_ctrl everwhere it is used
EVP_MAC_ctrl is documented to return 0 or -1 on failure. Numerous places
were not getting this check correct.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8584)
2019-03-27 14:31:56 +00:00
Matt Caswell
183f52e29a Fix a memory leak in ARIA GCM
Fixes #8567

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8586)
2019-03-27 10:26:52 +00:00
Matt Caswell
a8274ea351 Tolerate 0 byte input length for Update functions
We treat that as automatic success. Other EVP_*Update functions already do
this (e.g. EVP_EncryptUpdate, EVP_DecryptUpdate etc). EVP_EncodeUpdate is
a bit of an anomoly. That treats 0 byte input length as an error.

Fixes #8576

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8587)
2019-03-27 10:14:03 +00:00
Matt Caswell
1f019cd0ac Fix no-ec
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8588)
2019-03-27 10:09:04 +00:00
Dr. Matthias St. Pierre
fc4e500b03 Fix three identical grammatical errors
Reported by Mak Kolybabi

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8591)
2019-03-27 01:00:57 +01:00
Shane Lontis
866cc2334c style nit fix
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8580)
2019-03-26 15:20:22 +10:00
Hubert Kario
29716a03e8 ts(1): digest option is mandatory
not specifying the digest both on command line and in the config file
will lead to response generation aborting with

140617514493760:error:2F098088:time stamp routines:ts_CONF_lookup_fail: \
    cannot find config variable:crypto/ts/ts_conf.c:106:tsr_test::signer_digest

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8421)
2019-03-25 13:36:40 +01:00
Shane Lontis
f4b4574f4b replaced snprintf with BIO version (for windows builds)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8571)
2019-03-25 11:37:24 +10:00
Bernd Edlinger
9c0cf214e7 Modify the RSA_private_decrypt functions to check the padding in
constant time with a memory access pattern that does not depend
on secret information.

[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8543)
2019-03-22 14:46:04 +01:00
Bernd Edlinger
94dc53a3f7 Make err_clear_constant_time really constant time
[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8542)
2019-03-22 14:22:11 +01:00
Pauli
b3d113ed29 Cosmetic rand/drbg changes.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8554)
2019-03-22 15:21:59 +10:00
Matt Caswell
fdf6c0b6b7 Document the functions EVP_MD_fetch() and EVP_MD_upref()
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8513)
2019-03-21 09:23:38 +00:00
Matt Caswell
847d0f81bb Add a test for EVP_MD_fetch
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8513)
2019-03-21 09:23:38 +00:00
Matt Caswell
de29ff17a2 Implement SHA256 in the default provider
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8513)
2019-03-21 09:23:38 +00:00
Matt Caswell
8c8cf0d962 Make EVP_Digest* functions provider aware
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8513)
2019-03-21 09:23:38 +00:00
Matt Caswell
3653d0c224 Implement EVP_MD_fetch()
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8513)
2019-03-21 09:23:38 +00:00
Matt Caswell
8a73348be0 Add a skeleton default provider
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8513)
2019-03-21 09:23:38 +00:00
Shane Lontis
df5375b446 fixed mismatching #ifdef cpp
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8544)
2019-03-21 10:22:07 +10:00
Lorinczy Zsigmond
861e45624f Reorganized signature-scheme detection in 'apps/s_cb.c:security_callback_debug' callback-function.
So far, it only handled hash-and-algorithm pairs from TLS1.2,
now it also handles 'schemes' defined in TLS1.3 like 0x0807=ed25519 or
0x0809=rsa_pss_pss_sha256

Now it prints information in one of these formats:

... Algorithm scheme=ecdsa_secp256r1_sha256, security bits=128 ... TLS1.3
... Algorithm digest=SHA384, algorithm=DSA, security bits=192  ... TLS1.2
... Algorithm scheme=unknown(0x0e01), security bits=128        ... unhandled case

To implement this added three new lookup-tables: signature_tls13_scheme_list,
signature_tls12_alg_list, signature_tls12_hash_list.

Also minor changes in 'security_callback_debug', eg adding variable 'show_nm'
to indicate if we should show 'nm'.

Also coding-styles fixes from matcaswell

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8445)
2019-03-20 13:44:02 +00:00
Richard Levitte
905c9a72a7 OPENSSL_config(): restore error agnosticism
Great effort has been made to make initialization more configurable.
However, the behavior of OPENSSL_config() was lost in the process,
having it suddenly generate errors it didn't previously, which is not
how it's documented to behave.

A simple setting of default flags fixes this problem.

Fixes #8528

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8533)
2019-03-20 14:24:46 +01:00
Shane Lontis
138ef774fe Updated doc for BN_clear, BN_CTX_end when param is NULL
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8532)
2019-03-20 10:29:51 +01:00
David von Oheimb
ce9b996409 replace 'OpenSSL license' by 'Apache License 2.0'
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8527)
2019-03-20 10:33:39 +02:00
Shane Lontis
a12864a5de removed BN_clear NULL checks
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8507)
2019-03-20 09:17:42 +10:00
Richard Levitte
c41f3ae0d9 Replumbing: Add a mechanism to pre-populate the provider store
OpenSSL will come with a set of well known providers, some of which
need to be accessible from the start.  These are typically built in
providers, or providers that will work as fallbacks.

We do this when creating a new provider store, which means that this
will happen in every library context, regardless of if it's the global
default one, or an explicitely created one.

We keep the data about the known providers we want to make accessible
this way in crypto/provider_predefined.h, which may become generated.
For now, though, we make it simple and edited manually.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8480)
2019-03-19 14:06:58 +01:00
Richard Levitte
e55008a9f2 Replumbing: add fallback provider capability
To ensure that old applications aren't left without any provider, and
at the same time not forcing any default provider on applications that
know how to deal with them, we device the concept of fallback
providers, which are automatically activated if no other provider is
already activated.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8480)
2019-03-19 14:06:58 +01:00
Matt Caswell
6a6d9ecd1d Update pkeyutl documentation about the digest option
DSA can accept other digests other than SHA1. EC ignores the digest option
altogether.

Fixes #8425

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8432)
2019-03-19 11:40:53 +00:00
Shane Lontis
9537fe5757 Single step kdf implementation
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8230)
2019-03-19 11:03:45 +00:00
Rich Salz
6098b69e58 Move ASN1_BROKEN macros
They're only used in one place, and only for a legacy datatype.

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8302)
2019-03-19 12:01:24 +01:00
Dmitry Belyavskiy
770dfe8dfa EVP_PKEY_get0_engine documentation
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8329)
2019-03-19 10:42:35 +00:00
Dmitry Belyavskiy
229f7b38f0 Providing missing accessor to EVP_PKEY.engine
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8329)
2019-03-19 10:42:33 +00:00
Vitezslav Cizek
f5c9916742 apps/speed.c: properly address NO_EC2M on systems without SIGALRM
The ecdh_c array is allocated of the same size as ecdh_choices,
whose size depends on whether the support for binary curves is enabled
or not.  (The same goes for ecdsa_c).
On systems without SIGALRM, ecdh_c is indexed by predefined constants
intended for representing the index of the ciphers in the ecdh_choices
array.
However, in case of NO_EC2M some of the #defined constants won't match
and would actually access the ecdh_c out-of-bounds.

Use enum instead of a macro to define the curve indexes so they're
within the bounds of the ecdh_c array.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8422)
2019-03-19 10:24:39 +00:00
Vitezslav Cizek
d61f489b5a apps/speed.c: skip binary curves when compiling with OPENSSL_NO_EC2M
openssl speed doesn't take into account that the library could be
compiled without the support for the binary curves and happily uses
them, which results in EC_GROUP_new_by_curve_name() errors.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8422)
2019-03-19 10:23:48 +00:00
Pauli
d7b2124a42 Add documentation for the -sigopt option.
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/8520)
2019-03-19 18:25:02 +10:00
Dr. Matthias St. Pierre
84f32c8451 Configure: untabify indentation
The indentation in the Configure file is currently very strange when
    viewed in an editor with a tab width of four spaces, because it has
    mixed tab-and-whitespace indentation, which was apparently done with
    a tab width of eight spaces.

    This commit converts all tabs to spaces using expand(1) with default
	settings. To verify that there are only whitespace changes, use

       git show --ignore-space-change  <this commit>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8492)
2019-03-19 09:14:27 +01:00
Pauli
5d677186e9 Fix resource leak coverity 1443711.
Free the allocated pointer on error.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8503)
2019-03-19 17:42:05 +10:00
Hua Zhang
1b9c5f2e2f Fix compiling error for mips32r6 and mips64r6
There are some compiling errors for mips32r6 and mips64r6:

crypto/bn/bn-mips.S:56: Error: opcode not supported on this processor: mips2 (mips2) `mulu $1,$12,$7'
crypto/mips_arch.h: Assembler messages:
crypto/mips_arch.h:15: Error: junk at end of line, first unrecognized character is `&'

Signed-off-by: Hua Zhang <hua.zhang1974@hotmail.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8464)
2019-03-19 07:36:21 +01:00
Richard Levitte
2864df8f9d Add missing '.text' in crypto/bn/asm/ppc.pl
Fixes #8495

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8496)
2019-03-19 07:33:28 +01:00
Richard Levitte
93b1e74cbe Fix no-posix-io
'openssl pkeyutl' uses stat() to determine the file size when signing using
Ed25519/Ed448, and this was guarded with OPENSSL_NO_POSIX_IO.

It is however arguable if stat() is a POSIX IO function, considering
that it doesn't use file descriptors, and even more so since we use
stat() elsewhere without that guard.

This will allow test/recipes/20-test_pkeyutl.t to be able to do its
work for Ed25519/Ed448 signature tests.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8498)
2019-03-19 07:31:42 +01:00
Shane Lontis
ce1415ed2c Added NULL check to BN_clear() & BN_CTX_end()
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8518)
2019-03-19 07:25:48 +01:00
Benjamin Kaduk
226f2bf191 Fix strict-warnings build on FreeBSD
The 'key' member of the (system-defined!) struct session op is of
type c_caddr_t, which can be (signed) char, so inter-casting with the
unsigned char* input to cipher_init() causes -Wpointer-sign errors, and we
can't change the signature of cipher_init() due to the function pointer
type required by EVP_CIPHER_meth_set_init().

As the least-bad option, introduce a void* cast to quell the following
warning:
engines/e_devcrypto.c:356:36: error: passing 'c_caddr_t' (aka 'const char *') to
      parameter of type 'const unsigned char *' converts between pointers to integer
      types with different sign [-Werror,-Wpointer-sign]
        return cipher_init(to_ctx, cipher_ctx->sess.key, EVP_CIPHER_CTX_iv(ctx),
                                   ^~~~~~~~~~~~~~~~~~~~
engines/e_devcrypto.c:191:66: note: passing argument to parameter 'key' here
static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8509)
2019-03-19 07:19:41 +01:00
Richard Levitte
16bfe6cee0 doc/man3/OSSL_PARAM_TYPE.pod: modify Example 2 to allow unspecified params
A parameter requestor is never obligated to ask for all available
parameters on an object.  Unfortunately, Example 2 showed a code
pattern that introduced such an obligation, and therefore needed a
small adjustment.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8523)
2019-03-19 07:08:47 +01:00
David von Oheimb
529586085e Add -new and -subj options to x509 app for direct cert generation
Complete and improve error output of parse_name() in apps/apps.c

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8193)
2019-03-19 09:35:03 +10:00
Bernd Edlinger
8a74bb5c7b Clear the point S before freeing in ec_scalar_mul_ladder
The secret point R can be recovered from S using the equation R = S - P.
The X and Z coordinates should be sufficient for that.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8504)
2019-03-18 22:39:55 +01:00
Bernd Edlinger
1ff2c992c2 Clear the secret point in ecdh_simple_compute_key
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8501)
2019-03-18 22:27:56 +01:00
David von Oheimb
5743d1268d add 'Signature Value:' line and correct indentation when printing X.509 signature value
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6226)
2019-03-18 17:20:23 +00:00
David von Oheimb
0742eb9f66 update reference output of test_x509 in test/certs/cyrillic.*
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6226)
2019-03-18 17:20:23 +00:00
David von Oheimb
86afd005fb remove 'keyid:' when printing simple X509 authority keyID (without issuer and serial)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6226)
2019-03-18 17:20:23 +00:00
David von Oheimb
a4c467c96a remove needless empty lines when printing certificates
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6226)
2019-03-18 17:17:55 +00:00