Commit graph

10511 commits

Author SHA1 Message Date
Shane Lontis
ff8029c189 Added generated files for EVP_KDF changes
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8808)
2019-05-03 17:52:50 +02:00
Shane Lontis
d2ba812343 Added EVP_KDF (similiar to the EVP_MAC)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8808)
2019-05-03 17:52:50 +02:00
Matt Caswell
65a1e917a6 Add some TODO notes into init.c
We should be seeking to move the OPENSSL_init_crypto and OPENSSL_cleanup
processing into OPENSSL_CTX instead.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8857)
2019-05-02 22:42:09 +01:00
Matt Caswell
1aedc35fd6 Instead of global data store it in an OPENSSL_CTX
Various core and property related code files used global data. We should
store all of that in an OPENSSL_CTX instead.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8857)
2019-05-02 22:42:09 +01:00
Matt Caswell
b8fe36fee0 Add support for openssl_ctx_run_once and openssl_ctx_onfree
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8857)
2019-05-02 22:42:09 +01:00
Klotz, Tobias
61783db5b5 Use vxRandLib for VxWorks7
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/8023)
2019-05-02 23:32:44 +02:00
Pauli
39147079fc Structure alignment macro.
Introduce a macro that allows all structure alignment tricks to be rolled up
into a single place.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8845)
2019-05-01 08:37:11 +10:00
Richard Levitte
a39eb84006 Replumbing: give the possibility for the provider to create a context
OSSL_provider_init() gets another output parameter, holding a pointer
to a provider side context.  It's entirely up to the provider to
define the context and what it's being used for.  This pointer is
passed back to other provider functions, typically the provider global
get_params and set_params functions, and also the diverse algorithm
context creators, and of course, the teardown function.

With this, a provider can be instantiated more than once, or be
re-loaded as the case may be, while maintaining instance state.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8848)
2019-04-30 15:34:23 +02:00
Richard Levitte
f79858ac4d Replumbing: make the oneshot proider cipher function like the others
The OP_cipher_final function takes a return output size and an output
buffer size argument.  The oneshot OP_cipher_cipher function should do
the same.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8849)
2019-04-30 15:30:30 +02:00
Dr. Matthias St. Pierre
96384e613a FIPS: Fix compiler errors in rsa_chk.c when building with -DFIPS_MODE
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8843)
2019-04-30 14:02:22 +02:00
Pauli
8094a69458 Squashed commit of the following:
Digest stored entropy for CRNG test.

Via the FIPS lab, NIST confirmed:

    The CMVP had a chance to discuss this inquiry and we agree that
    hashing the NDRNG block does meet the spirit and letter of AS09.42.

    However, the CMVP did have a few questions: what hash algorithm would
    be used in this application? Is it approved? Is it CAVs tested?

SHA256 is being used here and it will be both approved and CAVs tested.

This means that no raw entropy needs to be kept between RNG seedings, preventing
a potential attack vector aganst the randomness source and the DRBG chains.

It also means the block of secure memory allocated for this purpose is no longer
required.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8790)
2019-04-30 13:43:19 +10:00
David Benjamin
d7fcf1feac Copy RSA-PSS saltlen in EVP_PKEY_CTX_dup.
pkey_rsa_copy was missing a field. Test this by repeating the operation
through an EVP_PKEY_CTX_dup copy in evp_test.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8759)
2019-04-26 09:57:07 -05:00
Patrick Steuer
5ee08f45bc s390x assembly pack: remove poly1305 dependency on non-base memnonics
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8181)
2019-04-25 23:07:36 +02:00
Patrick Steuer
302aa3c26d s390x assembly pack: remove chacha20 dependency on non-base memnonics
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8181)
2019-04-25 23:07:36 +02:00
Patrick Steuer
3062468b0a s390x assembly pack: update perlasm module
Add non-base instructions which are used by the chacha20 and
poly1305 modules.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8181)
2019-04-25 23:07:36 +02:00
Patrick Steuer
11aad86285 s390x assembly pack: allow alignment hints for vector load/store
z14 introduced alignment hints to help vector load/store
performance. For its predecessors, alignment hint defaults
to 0 (no alignment indicated).

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8181)
2019-04-25 23:07:36 +02:00
Guido Vranken
514c9da48b Enforce a strict output length check in CRYPTO_ccm128_tag
Return error if the output tag buffer size doesn't match
the tag size exactly. This prevents the caller from
using that portion of the tag buffer that remains
uninitialized after an otherwise succesfull call to
CRYPTO_ccm128_tag.

Bug found by OSS-Fuzz.

Fix suggested by Kurt Roeckx.

Signed-off-by: Guido Vranken <guidovranken@gmail.com>

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8810)
2019-04-25 10:44:18 +01:00
Richard Levitte
0109e030db Add a way for the application to get OpenSSL configuration data
OpenSSL_version(OPENSSL_DIR) gives you a nicely formatted string for
display, but if all you really want is the directory itself, you were
forced to parsed the string.

This introduces a new function to get diverse configuration data from
the library, OPENSSL_info().  This works the same way as
OpenSSL_version(), but has its own series of types, currently
including:

OPENSSL_INFO_CONFIG_DIR         returns OPENSSLDIR
OPENSSL_INFO_ENGINES_DIR        returns ENGINESDIR
OPENSSL_INFO_MODULES_DIR        returns MODULESDIR
OPENSSL_INFO_DSO_EXTENSION      returns DSO_EXTENSION

OPENSSL_INFO_DIR_FILENAME_SEPARATOR     returns directory/filename separator
OPENSSL_INFO_LIST_SEPARATOR             returns list separator

For scripting purposes, this also adds the command 'openssl info'.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8709)
2019-04-23 15:51:39 +02:00
Richard Levitte
47ca833835 Add the possibility to display and use MODULESDIR
This adds the flag OPENSSL_MODULES_DIR for OpenSSL_version(), and the
flag '-m' for 'openssl version'.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8709)
2019-04-23 15:50:35 +02:00
Matt Caswell
33b40a1027 If key or iv is NULL set the respective length to 0
[extended tests]

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/8794)
2019-04-23 10:48:59 +01:00
Matt Caswell
361ecb1d1a Fix EVP_CIPHER_CTX_rand_key()
Make sure we use the the correct key length in EVP_CIPHER_CTX_rand_key().
Now that ciphers may come from providers we need to make sure we ask the
provider for the value if appropriate.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/8794)
2019-04-23 10:48:59 +01:00
Pauli
b8621bdde7 Fix bug in entropy gathering.
This only impacts FIPS mode or someone who has enabled the FIPS 140.2
4.9.2 Conditional Tests.  i.e. nobody currently.

Fix a significant issue in the entropy gathering for the continuous RNG
testing.  The impact is using an uninitialised buffer instead of the gathered
entropy.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8789)
2019-04-21 09:22:57 +10:00
Matt Caswell
6caf7f3aec Create provider errors and use them
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
dcd446f100 Make implementation of blocksize, iv_length and key_length mandatory
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
3b94944cf2 Add a maximum output length to update and final calls
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
344cfa34e5 Add iv length and key length params to the cipher init calls
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
819a7ae9fc Implement AES CTR ciphers in the default provider
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
75dd6d64f1 Implement AES CFB ciphers in the default provider
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
ed98df51c6 Implement AES OFB ciphers in the default provider
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
718b133a53 Implement AES CBC ciphers in the default provider
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
f4a129bb8d Add support in the default provider for 192/128 bit AES ECB
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
aab26e6f7b Implement support for AES-256-ECB in the default provider
We also lay the ground work for various of other the basic AES ciphers.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Matt Caswell
df05f2ce6d Make EVP_Encrypt*/EVP_Decrypt* and EVP_Cipher* provider aware
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8700)
2019-04-19 09:31:54 +01:00
Richard Levitte
1393722af3 ossl_method_store_cache_get(): ensure non-NULL property query
The comparator further down the call stack doesn't tolerate NULL, so
if we got that as input, use the empty string.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8781)
2019-04-19 10:24:16 +02:00
Richard Levitte
bcb5d42171 OPENSSL_LH_flush(): assign NULL after freeing
OPENSSL_LH_flush() frees the linked lists for each slot, but didn't
set the list head to NULL after doing so, with the result that an
operation that affects these lists is likely to cause a crash.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8781)
2019-04-19 10:24:16 +02:00
Richard Levitte
e019da7b6f Fix the generic EVP algorithm fetch to actually cache them
ossl_method_store_cache_get() and ossl_method_store_cache_set() were
called with a NULL argument for store, which means no caching is
done.  Give them a real store instead.

Also, increment the refcount when we do get a method out of the cache.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8781)
2019-04-19 10:23:59 +02:00
Andy Polyakov
86a7ac5e76 chacha/asm/chacha-armv8.pl: replace 3+1 code paths with 4+1.
The change is triggered by ThunderX2 where 3+1 was slower than scalar
code path, but it helps all processors [to handle <512 inputs].

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8776)
2019-04-17 21:31:01 +02:00
Andy Polyakov
d6e4287c97 aes/asm/aesv8-armx.pl: ~20% improvement on ThunderX2.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8776)
2019-04-17 21:30:39 +02:00
Andy Polyakov
6465321e40 ARM64 assembly pack: add ThunderX2 results.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8776)
2019-04-17 21:08:13 +02:00
Pauli
ad7e17dd6c SP 800-56B steps enumerated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8770)
2019-04-17 14:26:11 +10:00
Tomas Mraz
d34bce03ac Add testing of RDONLY memory BIOs
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8649)
2019-04-16 10:50:30 +01:00
Tomas Mraz
b238fb7970 Fix for BIO_get_mem_ptr and related regressions
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8649)
2019-04-16 10:50:30 +01:00
Kurt Roeckx
3e3dcf9ab8 Call RSA generation callback at the correct time.
The callback should be called with 1 when a Miller-Rabin round marked
the candidate as probably prime.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
GH: #8742
2019-04-15 22:37:48 +02:00
Richard Levitte
0ad50b4dee Providers: for the digest_final operation, pass a output buffer size
This allows the provider digest_final operation to check that it
doesn't over-run the output buffer.

The EVP_DigestFinal_ex function doesn't take that same parameter, so
it will have to assume that the user provided a properly sized buffer,
but this leaves better room for future enhancements of the public API.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8747)
2019-04-15 10:46:09 +02:00
David Benjamin
15972296af Fix calling convention bug in ecp_nistz256_ord_sqr_mont
The rep parameter takes an int in C, but the assembly implementation
looks at the upper bits. While it's unlikely to happen here, where all
calls pass a constant, in other scenarios x86_64 compilers will leave
arbitrary values in the upper half.

Fix this by making the C prototype match the assembly. (This aspect of
the calling convention implies smaller-than-word arguments in assembly
functions should be avoided. There are far fewer things to test if
everything consistently takes word-sized arguments.)

This was found as part of ABI testing work in BoringSSL.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/8108)
2019-04-14 12:55:53 +02:00
Bernd Edlinger
3051bf2afa Don't use coordinate blinding when scalar is group order
This happens in ec_key_simple_check_key and EC_GROUP_check.
Since the the group order is not a secret scalar, it is
unnecessary to use coordinate blinding.

Fixes: #8731

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8734)
2019-04-14 11:24:08 +02:00
Matt Caswell
fd367b4ce3 Deprecate AES_ige_encrypt() and AES_bi_ige_encrypt()
These undocumented functions were never integrated into the EVP layer
and implement the AES Infinite Garble Extension (IGE) mode and AES
Bi-directional IGE mode. These modes were never formally standardised
and usage of these functions is believed to be very small. In particular
AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only
one is ever used. The security implications are believed to be minimal,
but this issue was never fixed for backwards compatibility reasons.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8710)
2019-04-12 14:22:41 +01:00
Pauli
6517516324 Add prediction resistance capability to the DRBG reseeding process.
Refer to NIST SP 800-90C section 5.4 "Prediction Resistance.l"

This requires the seed sources to be approved as entropy sources, after
which they should be considered live sources as per section 5.3.2 "Live
Entropy Source Availability."

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8647)
2019-04-12 18:16:20 +10:00
Shane Lontis
5173cdde7d ec key validation checks updated
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8564)
2019-04-11 20:37:13 +10:00
Shane Lontis
37f03b9881 doc fixups
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8555)
2019-04-11 12:05:38 +03:00