>=20% faster than present code.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8560)
The naming of generated assembler wasn't done quite right. There are
assembler files that are generated from a perl script, and there are
those who are not. Only the former must be renamed to the platform
specific asm extension.
Furthermore, we need to make sure that 'OSSL_provider_init' isn't case
sensitive on VMS, to allow for the least surprise for provider
builders.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8529)
The initialisation was also flawed, failing to account for padding and
alignment bytes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8611)
When 'openssl dgst' is called with a MD alias (such as sha256) and no
further arguments (i.e. input is taken from stdin), the MD name wasn't
shown.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8609)
If the structures have empty padding bytes, ensure they are zeroed.
These structures are added to seed pools as complete blocks including
any padding and alignment bytes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8610)
Revert win32_pathbyaddr() which is used in DSO_dsobyaddr().
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8596)
Replace it with InitializeCriticalSection()
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8596)
Refer to FIPS 140-2 section 4.9.2 Conditional Tests for details.
The check is fairly simplistic, being for the entropy sources to not feed
the DRBG the same block of seed material twice in a row. Only the first
DRBG in a chain is subject to this check, latter DRBGs are assumed to be
safely seeded via the earlier DRBGs.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8599)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8569)
/usr/include/bits/waitstatus.h includes endian.h under some libc's.
This clashes with the new test header file, so rename the latter.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8600)
DH_check is used to test the validity of Diffie-Hellman parameter sets (p, q, g). Among the tests performed are primality tests on p and q, for this BN_is_prime_ex is called with the rounds of Miller-Rabin set as default. This will therefore use the average case error estimates derived from the function BN_prime_checks_for_size based on the bit size of the number tested.
However, these bounds are only accurate on testing random input. Within this testing scenario, where we are checking the validity of a DH parameter set, we can not assert that these parameters are randomly generated. Thus we must treat them as if they are adversarial in nature and increase the rounds of Miller-Rabin performed.
Generally, each round of Miller-Rabin can declare a composite number prime with probability at most (1/4), thus 64 rounds is sufficient in thwarting known generation techniques (even in safe prime settings - see https://eprint.iacr.org/2019/032 for full analysis). The choice of 64 rounds is also consistent with SRP_NUMBER_ITERATIONS_FOR_PRIME 64 as used in srp_Verify_N_and_g in openssl/apps/s_client.c.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8593)
EVP_MAC_ctrl is documented to return 0 or -1 on failure. Numerous places
were not getting this check correct.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8584)
We treat that as automatic success. Other EVP_*Update functions already do
this (e.g. EVP_EncryptUpdate, EVP_DecryptUpdate etc). EVP_EncodeUpdate is
a bit of an anomoly. That treats 0 byte input length as an error.
Fixes#8576
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8587)
not specifying the digest both on command line and in the config file
will lead to response generation aborting with
140617514493760:error:2F098088:time stamp routines:ts_CONF_lookup_fail: \
cannot find config variable:crypto/ts/ts_conf.c:106:tsr_test::signer_digest
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8421)
constant time with a memory access pattern that does not depend
on secret information.
[extended tests]
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8543)
So far, it only handled hash-and-algorithm pairs from TLS1.2,
now it also handles 'schemes' defined in TLS1.3 like 0x0807=ed25519 or
0x0809=rsa_pss_pss_sha256
Now it prints information in one of these formats:
... Algorithm scheme=ecdsa_secp256r1_sha256, security bits=128 ... TLS1.3
... Algorithm digest=SHA384, algorithm=DSA, security bits=192 ... TLS1.2
... Algorithm scheme=unknown(0x0e01), security bits=128 ... unhandled case
To implement this added three new lookup-tables: signature_tls13_scheme_list,
signature_tls12_alg_list, signature_tls12_hash_list.
Also minor changes in 'security_callback_debug', eg adding variable 'show_nm'
to indicate if we should show 'nm'.
Also coding-styles fixes from matcaswell
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8445)
Great effort has been made to make initialization more configurable.
However, the behavior of OPENSSL_config() was lost in the process,
having it suddenly generate errors it didn't previously, which is not
how it's documented to behave.
A simple setting of default flags fixes this problem.
Fixes#8528
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8533)