Commit graph

23743 commits

Author SHA1 Message Date
Matt Caswell
aab26e6f7b Implement support for AES-256-ECB in the default provider
We also lay the ground work for various of other the basic AES ciphers.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
df05f2ce6d Make EVP_Encrypt*/EVP_Decrypt* and EVP_Cipher* provider aware
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Richard Levitte
1393722af3 ossl_method_store_cache_get(): ensure non-NULL property query
The comparator further down the call stack doesn't tolerate NULL, so
if we got that as input, use the empty string.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8781)
2019-04-19 10:24:16 +02:00
Richard Levitte
bcb5d42171 OPENSSL_LH_flush(): assign NULL after freeing
OPENSSL_LH_flush() frees the linked lists for each slot, but didn't
set the list head to NULL after doing so, with the result that an
operation that affects these lists is likely to cause a crash.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8781)
2019-04-19 10:24:16 +02:00
Richard Levitte
e019da7b6f Fix the generic EVP algorithm fetch to actually cache them
ossl_method_store_cache_get() and ossl_method_store_cache_set() were
called with a NULL argument for store, which means no caching is
done.  Give them a real store instead.

Also, increment the refcount when we do get a method out of the cache.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8781)
2019-04-19 10:23:59 +02:00
Richard Levitte
4f29f3a29b asn1parse: avoid double free
|str| was used for multiple conflicting purposes.  When using
'-strictpem', it's used to uniquely hold a reference to the loaded
payload.  However, when using '-strparse', |str| was re-used to hold
the position from where to start parsing.

So when '-strparse' and '-strictpem' are were together, |str| ended up
pointing into data pointed at by |at|, and was yet being freed, with
the result that the payload it held a reference to became a memory
leak, and there was a double free conflict when both |str| and |at|
were being freed.

The situation is resolved by always having |buf| hold the pointer to
the file data, and always and only use |str| to hold the position to
start parsing from.  Now, we only need to free |buf| properly and not
|str|.

Fixes #8752

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8753)
2019-04-18 19:20:55 +02:00
Simo Sorce
87d9955e8c Add SSHKDF in evp_kdf_test
Signed-off-by: Simo Sorce <simo@redhat.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8774)
2019-04-18 12:38:47 +01:00
Andy Polyakov
86a7ac5e76 chacha/asm/chacha-armv8.pl: replace 3+1 code paths with 4+1.
The change is triggered by ThunderX2 where 3+1 was slower than scalar
code path, but it helps all processors [to handle <512 inputs].

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8776)
2019-04-17 21:31:01 +02:00
Andy Polyakov
d6e4287c97 aes/asm/aesv8-armx.pl: ~20% improvement on ThunderX2.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8776)
2019-04-17 21:30:39 +02:00
Andy Polyakov
6465321e40 ARM64 assembly pack: add ThunderX2 results.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8776)
2019-04-17 21:08:13 +02:00
Pauli
ad7e17dd6c SP 800-56B steps enumerated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8770)
2019-04-17 14:26:11 +10:00
Tomas Mraz
06add280d9 Add test for the BIO_s_mem rdwr->rdonly->rdwr use-case
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8649)
2019-04-16 10:50:30 +01:00
Tomas Mraz
3d42833d38 Add documentation for the BIO_s_mem pecularities
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8649)
2019-04-16 10:50:30 +01:00
Tomas Mraz
d34bce03ac Add testing of RDONLY memory BIOs
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8649)
2019-04-16 10:50:30 +01:00
Bernd Edlinger
c9dc22bc3d Add test for the BIO_get_mem_ptr() regression
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8649)
2019-04-16 10:50:30 +01:00
Tomas Mraz
b238fb7970 Fix for BIO_get_mem_ptr and related regressions
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8649)
2019-04-16 10:50:30 +01:00
Kurt Roeckx
3e3dcf9ab8 Call RSA generation callback at the correct time.
The callback should be called with 1 when a Miller-Rabin round marked
the candidate as probably prime.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
GH: #8742
2019-04-15 22:37:48 +02:00
Richard Levitte
72eb100f8a Don't use '-z defs' with Clang's sanitizers
The clang documentation in all sanitizers we currently use says this:

    When linking shared libraries, the {flavor}Sanitizer run-time is
    not linked, so -Wl,-z,defs may cause link errors (don’t use it
    with {flavor}Sanitizer)

(in our case, {flavor} is one of Address, Memory, or UndefinedBehavior)

Therefore, we turn off that particular flag specifically when using
the sanitizers.

Fixes #8735

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8749)
2019-04-15 16:47:25 +02:00
Richard Levitte
f2dbb71cb6 providers/common/digests/sha2.c: forward declare all dispatched functions
Forward declare the dispatched functions using typedefs from
core_numbers.h.  This will ensure that they have correct signatures.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8747)
2019-04-15 10:46:09 +02:00
Richard Levitte
0ad50b4dee Providers: for the digest_final operation, pass a output buffer size
This allows the provider digest_final operation to check that it
doesn't over-run the output buffer.

The EVP_DigestFinal_ex function doesn't take that same parameter, so
it will have to assume that the user provided a properly sized buffer,
but this leaves better room for future enhancements of the public API.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8747)
2019-04-15 10:46:09 +02:00
David Benjamin
15972296af Fix calling convention bug in ecp_nistz256_ord_sqr_mont
The rep parameter takes an int in C, but the assembly implementation
looks at the upper bits. While it's unlikely to happen here, where all
calls pass a constant, in other scenarios x86_64 compilers will leave
arbitrary values in the upper half.

Fix this by making the C prototype match the assembly. (This aspect of
the calling convention implies smaller-than-word arguments in assembly
functions should be avoided. There are far fewer things to test if
everything consistently takes word-sized arguments.)

This was found as part of ABI testing work in BoringSSL.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/8108)
2019-04-14 12:55:53 +02:00
Bernd Edlinger
3051bf2afa Don't use coordinate blinding when scalar is group order
This happens in ec_key_simple_check_key and EC_GROUP_check.
Since the the group order is not a secret scalar, it is
unnecessary to use coordinate blinding.

Fixes: #8731

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8734)
2019-04-14 11:24:08 +02:00
Joshua Lock
938e82f622 Further harmonisation of manual page HISTORY sections
A couple of minor tweaks to match the style introduced in #7854:
- BIO_connect: remove line break to make more grep friendly
- SSL_CTX_new: harmoise the format of the HISTORY section

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8729)
2019-04-12 15:50:23 +02:00
Joshua Lock
b5c4bbbe54 Update various man pages to place HISTORY section after SEE ALSO
SEE ALSO before HISTORY is the more common pattern in OpenSSL manual
pages and seems to be the prevalent order based on sampling my system
manual pages.

Fixes #8631

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8729)
2019-04-12 15:50:13 +02:00
Joshua Lock
573ac8f222 Add a check for history section location to find-doc-nits
Check that the HISTORY section is located after the SEE ALSO section,
this is a much more frequent order in OpenSSL manual pages (and UNIX
manual pages in general).

Also check that SEE ALSO comes after EXAMPLES, so that the tool can
ensure the correct manual section sequence.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8729)
2019-04-12 15:50:02 +02:00
Joshua Lock
95f92d5775 Make check_example_location() in find-doc-nits generic
Change to check_section_location(), a generic function to ensure that
section SECTION appears before section BEFORE in the man pages.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8729)
2019-04-12 15:49:47 +02:00
Matt Caswell
fd367b4ce3 Deprecate AES_ige_encrypt() and AES_bi_ige_encrypt()
These undocumented functions were never integrated into the EVP layer
and implement the AES Infinite Garble Extension (IGE) mode and AES
Bi-directional IGE mode. These modes were never formally standardised
and usage of these functions is believed to be very small. In particular
AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only
one is ever used. The security implications are believed to be minimal,
but this issue was never fixed for backwards compatibility reasons.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8710)
2019-04-12 14:22:41 +01:00
Bernd Edlinger
9bba2c4c97 Add CMAC speed measurements
usage: openssl speed -cmac aes128

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8721)
2019-04-12 13:52:43 +02:00
Pauli
6517516324 Add prediction resistance capability to the DRBG reseeding process.
Refer to NIST SP 800-90C section 5.4 "Prediction Resistance.l"

This requires the seed sources to be approved as entropy sources, after
which they should be considered live sources as per section 5.3.2 "Live
Entropy Source Availability."

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8647)
2019-04-12 18:16:20 +10:00
Shane Lontis
5173cdde7d ec key validation checks updated
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8564)
2019-04-11 20:37:13 +10:00
Shane Lontis
37f03b9881 doc fixups
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8555)
2019-04-11 12:05:38 +03:00
Nicola Tuveri
ac2b52c6ad Separate the lookup test
This fixes the "verifying the alias" case.
Actually, while working on it, I realized that conceptually we were
testing the 2 different behaviours of `EC_GROUP_check_named_curve()` at
the same time, and actually not in the proper way.

I think it's fair to assume that overwriting the curve name for an
existing group with `NID_undef` could lead to the unexpected behaviour
we were observing and working around.
Thus I decided to separate the lookup test in a dedicated simpler test
that does what the documentation of `EC_GROUP_check_named_curve()`
suggests: the lookup functionality is meant to find a name for a group
generated with explicit parameters.

In case an alternative alias is returned by the lookup instead of the
expected nid, to avoid doing comparisons between `EC_GROUP`s with
different `EC_METHOD`s, the workaround is to retrieve the `ECPARAMETERS`
of the "alias group" and create a new explicit parameters group to use
in `EC_GROUP_cmp()`.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8555)
2019-04-11 12:05:38 +03:00
Nicola Tuveri
8d4f150f70 EC_GROUP_set_curve() might fail for arbitrary params
Setting arbitrary `p`, `a` or `b` with `EC_GROUP_set_curve()` might fail
for some `EC_GROUP`s, depending on the internal `EC_METHOD`
implementation, hence the block of tests verifying that
`EC_GROUP_check_named_curve()` fails when any of the curve parameters is
changed is modified to run only if the previous `EC_GROUP_set_curve()`
call succeeds.

`ERR_set_mark()` and `ERR_pop_to_mark()` are used to avoid littering the
thread error stack with unrelated errors happened during
`EC_GROUP_set_curve()`.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8555)
2019-04-11 12:05:38 +03:00
Shane Lontis
8402cd5f75 added code to validate EC named curve parameters
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8555)
2019-04-11 12:05:38 +03:00
Shane Lontis
4660bdea07 Added Test::ok_nofips, Test::is_nofips & Test::isnt_nofips methods.
Used to check that a test fails in fips mode i.e. ok_nofips(run(...))

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8661)
2019-04-11 09:47:12 +10:00
Pauli
6c7d80ab3b Reseeding without derivation function is not supported in FIPS mode.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8648)
2019-04-11 08:52:22 +10:00
Shane Lontis
3a86f1db28 Fixed linux_x86_icc compiler errors in EC code related to __uint128_t/__int128_t
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8697)
2019-04-11 08:40:40 +10:00
Bernd Edlinger
491360e7ab Avoid creating invalid rsa pss params
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8621)
2019-04-10 20:21:57 +02:00
Jakub Wilk
ee215c7eea Fix typos
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8714)
2019-04-10 12:00:20 +02:00
Richard Levitte
dcb982d792 EVP_*Update: ensure that input NULL with length 0 isn't passed
Even with custome ciphers, the combination in == NULL && inl == 0
should not be passed down to the backend cipher function.  The reason
is that these are the values passed by EVP_*Final, and some of the
backend cipher functions do check for these to see if a "final" call
is made.

Fixes #8675

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8676)
2019-04-10 07:52:55 +02:00
Paul Yang
ccf453610f Make X509_set_sm2_id consistent with other setters
This commit makes the X509_set_sm2_id to 'set0' behaviour, which means
the memory management is passed to X509 and user doesn't need to free
the sm2_id parameter later. API name also changes to X509_set0_sm2_id.

Document and test case are also updated.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8626)
2019-04-09 20:44:42 +08:00
Richard Levitte
bbcaef6324 test/params_test.c : Adjust tests to check utf8_ptr sizes
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8703)
2019-04-09 14:10:23 +02:00
Richard Levitte
f55ed701a4 Params API: {utf8,octet}_ptr need to know the data size
When the purpose is to pass parameters to a setter function, that
setter function needs to know the size of the data passed.  This
remains true for the pointer data types as well.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8703)
2019-04-09 14:10:23 +02:00
Matt Caswell
b926f9deb3 Fix crash in X509_STORE_CTX_get_by_subject
If using a custom X509_LOOKUP_METHOD then calls to
X509_STORE_CTX_get_by_subject may crash due to an incorrectly initialised
X509_OBJECT being passed to the callback get_by_subject function.

Fixes #8673

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8698)
2019-04-09 10:26:44 +01:00
Matt Caswell
d030892312 Add a legacy provider and put MD2 in it
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8541)
2019-04-09 10:24:43 +01:00
Matt Caswell
dc46e3dde5 Use the right NID when putting a method in the store
When we attempt to fetch a method with a given NID we will ask the
providers for it if we don't already know about it. During that process
we may be told about other methods with a different NID. We need to
make sure we don't confuse the two.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8541)
2019-04-09 10:24:43 +01:00
Richard Levitte
68ca1737ce Configurations/10-main.conf: Don't inherit assembler in Cygwin-common
The targets Cygwin-x86 and Cygwin-x86_64 are the ones that should do
this.

Fixes #8684

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8685)
2019-04-09 11:19:26 +02:00
Richard Levitte
195852fefc Params: add OSSL_PARAM_construct_end()
OSSL_PARAM_END is a macro that can only be used to initialize an
OSSL_PARAM array, not to assign an array element later on.  For
completion, we add an end constructor to facilitate that kind of
assignment.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8704)
2019-04-09 11:18:26 +02:00
Shane Lontis
bb315ca716 EC keygen updates + changed ecdsa_sign to use BN_secure_new
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8557)
2019-04-09 03:44:13 +03:00
Shane Lontis
97cc9c9b01 Coverity: hkdf ENV_MD_size() is an int that can be negative
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8692)
2019-04-09 09:02:59 +10:00