Andy Polyakov [Sun, 5 May 2019 16:30:55 +0000 (18:30 +0200)]
Configure: use ELFv2 ABI on some ppc64 big endian systems
If _CALL_ELF is defined to be 2, it's an ELFv2 system.
Conditionally switch to the v2 perlasm scheme.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8883)
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8883)
Richard Levitte [Tue, 3 Dec 2019 18:41:05 +0000 (19:41 +0100)]
Move providers/common/{ciphers,digests}/* to providers/implementations
The idea to have all these things in providers/common was viable as
long as the implementations was spread around their main providers.
This is, however, no longer the case, so we move the common blocks
closer to the source that use them.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10564)
Rich Salz [Mon, 18 Nov 2019 10:29:21 +0000 (05:29 -0500)]
Remove handling of outdated macro's
DECLARE_STACK_OF was renamed to DEFINE_STACK_OF in commit 8588571.
Expanded the only use of TYPEDEF_{D2I,I2D,D2I2D}_OF, so that they can
easily be removed in a future release
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10464)
Richard Levitte [Mon, 25 Nov 2019 16:13:10 +0000 (17:13 +0100)]
test/memleaktest.c: Modify for use with address/leak sanitizer
Detects if leak sanitizing is on, and directs the exit code accordingly.
Note that this program is designed to fail when leaking, as that's
expected, so to make it easy for wrapper scripts, we also make it look
like it fails when sanitizing isn't on.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9294)
Richard Levitte [Tue, 2 Jul 2019 14:23:27 +0000 (16:23 +0200)]
Use leak sanitizer instead of internal mdebug to check for memory leaks
The leak sanitizer gives better reports (complete stack traces) and
works as a wrapper around the application instead of relying on
cooperative enabling and disabling calls (which are too easy to get
unbalanced).
Related to #8322
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9294)
avas [Thu, 5 Dec 2019 14:14:44 +0000 (06:14 -0800)]
Move U64 macro from sha.h to sha512.c
Summary:
U64 is too common name for macro, being in public header sha.h it
conflicts with other projects (WAVM in my case). Moving macro from
public header to the only .c file using it.
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10579)
FdaSilvaYY [Wed, 9 May 2018 20:27:27 +0000 (22:27 +0200)]
apps/speed: replace list of #define by enums declarations.
it simplifies some pieces of code.
Improve internal assertions
Tag a few #endif with OPENSSL_NO_EC to mark its ending.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10078)
FdaSilvaYY [Tue, 15 Oct 2019 21:33:02 +0000 (23:33 +0200)]
apps/speed: factorize ec test curves declarations
remove 'test' prefix from variable names.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10078)
FdaSilvaYY [Sat, 19 Oct 2019 15:55:36 +0000 (17:55 +0200)]
apps/speed: improve sm2 failure code.
attach the new objects sooner, so error handling is simplified.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10078)
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10078)
FdaSilvaYY [Tue, 5 Jun 2018 17:44:42 +0000 (19:44 +0200)]
apps/speed: initialize key material only when its algo is selected.
Remove some duplicate key data declarations.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10078)
FdaSilvaYY [Sat, 19 Oct 2019 17:37:01 +0000 (19:37 +0200)]
apps/speed: remove a shared global variable
replace |save_count| by the right c[D_EVP(_xxx)] variable.
this may shared a value between various algorithm.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10078)
FdaSilvaYY [Sat, 19 Oct 2019 15:58:07 +0000 (17:58 +0200)]
apps/speed: discard useless protoypes as these methods are defines before being used.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10078)
FdaSilvaYY [Sat, 19 Oct 2019 14:38:21 +0000 (16:38 +0200)]
apps/speed: allow to continue tests after any init failure handling.
previouly the exit(1) call was aborting the whole execution.
Improve error message.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10078)
Difference between EVP_CipherInit and EVP_CipherInit_ex
Fixes #10455
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10550)
Bernd Edlinger [Wed, 4 Dec 2019 11:57:41 +0000 (12:57 +0100)]
Improve the overflow handling in rsaz_512_sqr
We have always a carry in %rcx or %rbx in range 0..2
from the previous stage, that is added to the result
of the 64-bit square, but the low nibble of any square
can only be 0, 1, 4, 9.
Therefore one "adcq $0, %rdx" can be removed.
Likewise in the ADX code we can remove one
"adcx %rbp, $out" since %rbp is always 0, and carry is
also zero, therefore that is a no-op.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10574)
Andy Polyakov [Wed, 4 Dec 2019 11:48:21 +0000 (12:48 +0100)]
Fix an overflow bug in rsaz_512_sqr
There is an overflow bug in the x64_64 Montgomery squaring procedure used in
exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis
suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a
result of this defect would be very difficult to perform and are not believed
likely. Attacks against DH512 are considered just feasible. However, for an
attack the target would have to re-use the DH512 private key, which is not
recommended anyway. Also applications directly using the low level API
BN_mod_exp may be affected if they use BN_FLG_CONSTTIME.
CVE-2019-1551
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/10574)
Matt Caswell [Mon, 11 Nov 2019 15:54:33 +0000 (15:54 +0000)]
Move constant time RSA code out of libssl
Server side RSA key transport code in a Client Key Exchange message
currently uses constant time code to check that the RSA decrypt is
correctly formatted. The previous commit taught the underlying RSA
implementation how to do this instead, so we use that implementation and
remove this code from libssl.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10411)
Matt Caswell [Mon, 11 Nov 2019 14:37:02 +0000 (14:37 +0000)]
Teach the RSA implementation about TLS RSA Key Transport
In TLSv1.2 a pre-master secret value is passed from the client to the
server encrypted using RSA PKCS1 type 2 padding in a ClientKeyExchange
message. As well as the normal formatting rules for RSA PKCA1 type 2
padding TLS imposes some additional rules about what constitutes a well
formed key. Specifically it must be exactly the right length and
encode the TLS version originally requested by the client (as opposed to
the actual negotiated version) in its first two bytes.
All of these checks need to be done in constant time and, if they fail,
then the TLS implementation is supposed to continue anyway with a random
key (and therefore the connection will fail later on). This avoids
padding oracle type attacks.
This commit implements this within the RSA padding code so that we keep
all the constant time padding logic in one place. A later commit will
remove it from libssl.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10411)
Fangming.Fang [Mon, 2 Dec 2019 02:44:21 +0000 (02:44 +0000)]
Fix exit issue in travisci
Ungraceful 'exit' probably causes unexpeced error on background activity.
So replace 'exit' with recommended 'travis_terminate'. Also see
https://travis-ci.community/t/exit-0-cannot-exit-successfully-on-arm/5731/4
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10561)
Matt Caswell [Fri, 29 Nov 2019 12:02:54 +0000 (12:02 +0000)]
Deprecate the AES_ige_*() functions
These functions were already partially deprecated. Now we do it fully.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10558)
Matt Caswell [Fri, 29 Nov 2019 12:01:18 +0000 (12:01 +0000)]
Add the ability to supress deprecation warnings
We add a new macro OPENSSL_SUPRESS_DEPRECATED which enables applications
to supress deprecation warnings where necessary.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10558)
zero [Tue, 3 Dec 2019 09:50:52 +0000 (19:50 +1000)]
Update NOTES.ANDROID for newer NDK versions + small fixes.
Fixes #8941
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10478)
Richard Levitte [Mon, 18 Nov 2019 00:56:22 +0000 (01:56 +0100)]
PROV SERIALIZER: add support for writing RSA keys
This also adds the missing accessor RSA_get0_pss_params(), so those
parameters can be included in the PKCS#8 data structure without
needing to know the inside of the RSA structure.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)
OSSL_SERIALIZER_CTX_new_by_EVP_PKEY() selects a suitable serializer
for the given EVP_PKEY, and sets up the OSSL_SERIALIZER_CTX to
function together with OSSL_SERIALIZER_to_bio() and
OSSL_SERIALIZER_to_fp().
OSSL_SERIALIZER_CTX_set_cipher() indicates what cipher should be used
to produce an encrypted serialization of the EVP_PKEY. This is passed
directly to the provider using OSSL_SERIALIZER_CTX_set_params().
OSSL_SERIALIZER_CTX_set_passphrase() can be used to set a pass phrase
to be used for the encryption. This is passed directly to the
provider using OSSL_SERIALIZER_CTX_set_params().
OSSL_SERIALIZER_CTX_set_passphrase_cb() and
OSSL_SERIALIZER_CTX_set_passphrase_ui() sets up a callback to be used
to prompt for a passphrase. This is stored in the context, and is
called via an internal intermediary at the time of serialization.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)
OSSL_SERIALIZER_to_bio() and OSSL_SERIALIZER_to_fp() work as wrapper
functions, and call an internal "do_output" function with the given
serializer context and a BIO to output the serialized result to.
The internal "do_output" function must have intimate knowledge of the
object being output. This will defined independently with context
creators for specific OpenSSL types.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)
Richard Levitte [Mon, 18 Nov 2019 00:29:06 +0000 (01:29 +0100)]
SERIALIZER: New API for serialization of objects through providers
Serialization is needed to be able to take a provider object (such as
the provider side key data) and output it in PEM form, DER form, text
form (for display), and possibly other future forms (XML? JSON? JWK?)
The idea is that a serializer should be able to handle objects it has
intimate knowledge of, as well as object data in OSSL_PARAM form. The
latter will allow libcrypto to serialize some object with a different
provider than the one holding the data, if exporting of that data is
allowed and there is a serializer that can handle it.
We will provide serializers for the types of objects we know about,
which should be useful together with any other provider that provides
implementations of the same type of object.
Serializers are selected by method name and a couple of additional
properties:
- format used to tell what format the output should be in.
Possibilities could include "format=text",
"format=pem", "format=der", "format=pem-pkcs1"
(traditional), "format=der-pkcs1" (traditional)
- type used to tell exactly what type of data should be
output, for example "type=public" (the public part of
a key), "type=private" (the private part of a key),
"type=domainparams" (domain parameters).
This also adds a passphrase callback function type,
OSSL_PASSPHRASE_CALLBACK, which is a bit like OSSL_CALLBACK, but it
takes a few extra arguments to place the result in.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)
Richard Levitte [Tue, 19 Nov 2019 08:55:56 +0000 (09:55 +0100)]
CORE: pass the full algorithm definition to the method constructor
So far, the API level method constructors that are called by
ossl_method_construct_this() were passed the algorithm name string and
the dispatch table and had no access to anything else.
This change gives them access to the full OSSL_ALGORITHM item, thereby
giving them access to the property definition.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)
Richard Levitte [Fri, 8 Nov 2019 23:18:05 +0000 (00:18 +0100)]
CORE: ossl_namemap_add_names(): new function to add multiple names
This was originally the private add_names_to_namemap() in
crypto/evp/evp_fetch.c, but made more generally useful.
To make for more consistent function naming, ossl_namemap_add() and
ossl_namemap_add_n() are renamed to ossl_namemap_add_name() and
ossl_namemap_add_name_n().
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)
Matt Caswell [Thu, 19 Sep 2019 10:52:45 +0000 (11:52 +0100)]
Disable mem leak checking for the self test lock
The fips self test lock is deallocated in platform specific ways that may
occur after we do mem leak checking. If we don't know how to free it for
a particular platform then we just leak it deliberately. So we
temporarily disable the mem leak checking while we allocate the lock.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9939)
Matt Caswell [Wed, 18 Sep 2019 16:27:10 +0000 (17:27 +0100)]
Make sure we only run the self tests once
Fixes #9909
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9939)
Matt Caswell [Tue, 26 Nov 2019 17:15:20 +0000 (17:15 +0000)]
Check the return from OPENSSL_buf2hexstr()
The function OPENSSL_buf2hexstr() can return NULL if it fails to allocate
memory so the callers should check its return value.
Fixes #10525
Reported-by: Ziyang Li (@Liby99) Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10526)
Matt Caswell [Tue, 26 Nov 2019 17:14:08 +0000 (17:14 +0000)]
Check that OPENSSL_zalloc was successful when creating EVP types
We were missing a NULL check in a few very similar places following an
OPENSSL_zalloc() call.
Reported-by: Ziyang Li (@Liby99) Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10526)
Matt Caswell [Fri, 31 May 2019 13:32:55 +0000 (14:32 +0100)]
Add a test for NULL chunks in encrypt/decrypt
Issue #8675 describes a problem where calling EVP_DecryptUpdate() with an
empty chunk causes the result to be different compared to if you do not
use an empty chunk. This adds a test for that case.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10530)
Matt Caswell [Wed, 27 Nov 2019 16:06:34 +0000 (16:06 +0000)]
Make sure we handle input NULL with length 0
If we call EVP_EncryptUpdate/EVP_DecryptUpdate with length 0 we should
be able to handle it. Most importantly we shouldn't get different
results if we do this compared to if we don't!
An exception is made for CCM mode which has special handling for this in
the low level cipher function.
Fixes #8675
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10530)
moehuster [Tue, 12 Nov 2019 11:28:51 +0000 (19:28 +0800)]
Fix L<EVP_MD_CTX_set_pkey_ctx> links
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10420)
Ard Biesheuvel [Thu, 21 Nov 2019 17:13:41 +0000 (18:13 +0100)]
chacha/asm/chacha-armv8.pl: preserve FP registers d8 and d9 correctly
Depending on the size of the input, we may take different paths through
the accelerated arm64 ChaCha20 routines, each of which use a different
subset of the FP registers, some of which need to be preserved and
restored, as required by the AArch64 calling convention (AAPCS64)
In some cases, (e.g., when the input size is 640 bytes), we call the 512
byte NEON path followed directly by the scalar path, and in this case,
we preserve and restore d8 and d9, only to clobber them again
immediately before handing over to the scalar path which does not touch
the FP registers at all, and hence does not restore them either.
Fix this by moving the restoration of d8 and d9 to a later stage in the
512 byte routine, either before calling the scalar path, or when exiting
the function.
Fixes #10470
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10497)
Rich Salz [Thu, 21 Nov 2019 23:14:12 +0000 (18:14 -0500)]
Use option/parameter consistently.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10135)
Rich Salz [Wed, 9 Oct 2019 19:45:12 +0000 (15:45 -0400)]
Document more env var stuff, fix some typo's
Add openssl-env.pod
Also fix up many other environment page formatting nits.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10135)
Shane Lontis [Mon, 18 Nov 2019 00:32:36 +0000 (10:32 +1000)]
Cache constants for fetched EVP_cipher
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
(Merged from https://github.com/openssl/openssl/pull/10461)
OpenSSL 1.1.1 introduced a new CSPRNG with an improved seeding
mechanism, which makes it dispensable to define a RANDFILE for
saving and restoring randomness. This commit removes the RANDFILE
declarations from our own configuration files and adds documentation
that this option is not needed anymore and retained mainly for
compatibility reasons.
Fixes #10433
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10436)
Matus Kysel [Fri, 22 Nov 2019 09:44:02 +0000 (10:44 +0100)]
Remove deadlock that was caused by calling pthread_rwlock_wrlock() on same thread twice. This can be reproduce only with musl.
CLA: trivial
Signed-off-by: Matus Kysel <mkysel@tachyum.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10501)
Benjamin Kaduk [Wed, 13 Nov 2019 17:42:19 +0000 (09:42 -0800)]
Fix a race condition in SNI handling
As was done for ciphers, supported groups, and EC point formats in
https://github.com/openssl/openssl/pull/9162, only write the negotiated
SNI hostname value to the session object when not resuming, even for
TLS 1.3 resumptions. Otherwise, when using a stateful session cache
(as is done by default when 0-RTT data is enabled), we can have multiple
SSLs active using the same in-memory session object, which leads to
double-frees and similar race conditions in the SNI handler prior
to this commit.
Fortunately, since draft-ietf-tls-tls13-22, there is no requirement
that the SNI hostname be preserved across TLS 1.3 resumption, and thus
not a need to continually update the session object with the "current"
value (to be used when producing session tickets, so that the subsequent
resumption can be checked against the current value). So we can just
relax the logic and only write to the session object for initial handshakes.
This still leaves us in a somewhat inconsistent state, since if the SNI value
does change across handshakes, the session object will continue to record
the initial handshake's value, even if that bears no relation to the
current handshake. The current SSL_get_servername() implementation
prefers the value from the session if s->hit, but a more complete fix
for that and related issues is underway in
https://github.com/openssl/openssl/pull/10018; there is no need to wait
for the complete fix for SNI name handling in order to close the
race condition and avoid runtime crashes.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10441)
Richard Levitte [Thu, 23 May 2019 01:27:37 +0000 (03:27 +0200)]
Replumbing: pre-populate the EVP namemap with commonly known names
This adds ossl_namemap_empty(), to detect if a namemap is empty and
can thereby be pre-populated.
This also affects the way legacy NIDs are looked up in
evp_cipher_from_dispatch() and evp_md_from_dispatch(). Instead of
trying to find the NID directly, look up the legacy method structure
and grab the NID from there. The reason is that NIDs can be aliases
for other NIDs, which looks like a clash even if wasn't really one.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8984)
Patrick Steuer [Fri, 1 Nov 2019 23:02:47 +0000 (00:02 +0100)]
Allow specifying the tag after AAD in CCM mode (2)
In addition to 67c81ec3 which introduced this behavior in CCM mode
docs but only implemented it for AES-CCM.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10331)
Patrick Steuer [Fri, 1 Nov 2019 13:58:36 +0000 (14:58 +0100)]
Dont pass zero length input to asm modules for ciphers
The asm modules may assume an input length > 0.
Fixes: #9262 Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10323)
Add documentation for all commands that have parameters.
Fix a couple of minor doc and programming bugs, too.
Fixes #10313
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10371)
Matt Caswell [Fri, 15 Nov 2019 14:15:09 +0000 (14:15 +0000)]
Add test for non-default sized keys in variable key size ciphers
Various ciphers have the ability to support varaible length keys.
This adds some test cases for algorithms where we did not test a key
length other than the default size.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10449)
Matt Caswell [Thu, 14 Nov 2019 16:05:19 +0000 (16:05 +0000)]
EVP_CIPHER_CTX_set_keylen should not succeed if a bad keylen is passed
EVP_CIPHER_CTX_set_keylen() was succeeding even though a bad key length
is passed to it. This is because the set_ctx_params() were all accepting
this parameter and blindly changing the keylen even though the cipher did
not accept a variable key length. Even removing this didn't entirely
resolve the issue because set_ctx_params() functions succeed even if
passed a parameter they do not recognise.
This should fix various issues found by OSSfuzz/Cryptofuzz.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10449)