Signed-off-by: Čestmír Kalina <ckalina@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12256)
Čestmír Kalina [Fri, 2 Dec 2022 11:44:09 +0000 (06:44 -0500)]
e_os2: add ossl_static_assert_type_eq
Add a gcc-only static assertion that a variable is of a specified type.
Signed-off-by: Čestmír Kalina <ckalina@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12256)
Signed-off-by: Čestmír Kalina <ckalina@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12256)
Signed-off-by: Čestmír Kalina <ckalina@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12256)
Signed-off-by: Čestmír Kalina <ckalina@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12256)
Čestmír Kalina [Tue, 29 Nov 2022 19:20:09 +0000 (14:20 -0500)]
evp_test: add digest xoflen support
Signed-off-by: Čestmír Kalina <ckalina@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12256)
RISC-V currently only offers a GMULT() callback for accelerated
processing. Let's implement the missing piece to have GHASH()
available as well. Like GMULT(), we provide a variant for
systems with the Zbkb extension (including brev8).
The integration follows the existing pattern for GMULT()
in RISC-V. We keep the C implementation as we need to decide
if we can call an optimized routine at run-time.
The C implementation is the fall-back in case we don't have
any extensions available that can be used to accelerate
the calculation.
Tested with all combinations of possible extensions
on QEMU (limiting the available instructions accordingly).
No regressions observed.
Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20078)
The existing GCM calculation provides some potential
for further optimizations. Let's use the demo code
from the RISC-V cryptography extension groups
(https://github.com/riscv/riscv-crypto), which represents
the extension architect's intended use of the clmul instruction.
The GCM calculation depends on bit and byte reversal.
Therefore, we use the corresponding instructions to do that
(if available at run-time).
The resulting computation becomes quite compact and passes
all tests.
Note, that a side-effect of this change is a reduced register
usage in .gmult(), which opens the door for an efficient .ghash()
implementation.
Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20078)
A recent commit introduced a Perl module for common code.
This patch changes the GCM code to use this module, removes duplicated code,
and moves the instruction encoding functions into the module.
Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20078)
riscv.pm: Add improved error messages to read_reg code
On systems where Devel::StackTrace is available, we can use this module
to create more usable error messages. Further, don't print error
messages in case of official register aliases, but simply accept them.
Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20078)
riscv: aes: Move reusable Perl code into Perl module
Move helper functions and instruction encoding functions
into a riscv.pm Perl module to avoid pointless code duplication.
Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20078)
In RISC-V we have multiple extensions, that can be
used to accelerate processing.
The known extensions are defined in riscv_arch.def.
From that file test functions of the following
form are generated: RISCV_HAS_$ext().
In recent commits new ways to define the availability
of these test macros have been defined. E.g.:
#define RV32I_ZKND_ZKNE_CAPABLE \
(RISCV_HAS_ZKND() && RISCV_HAS_ZKNE())
[...]
#define RV64I_ZKND_ZKNE_CAPABLE \
(RISCV_HAS_ZKND() && RISCV_HAS_ZKNE())
This leaves us with two different APIs to test capabilities.
Further, creating the same macros for RV32 and RV64 results
in duplicated code (see example above).
This inconsistent situation makes it hard to integrate
further code. So let's clean this up with the following steps:
* Replace RV32I_* and RV64I_* macros by RICSV_HAS_* macros
* Move all test macros into riscv_arch.h
* Use "AND" and "OR" to combine tests with more than one extension
* Rename include files for accelerated processing (remove extension
postfix).
We end up with compile time tests for RV32/RV64 and run-time tests
for available extensions. Adding new routines (e.g. for vector crypto
instructions) should be straightforward.
Testing showed no regressions.
Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20078)
Andy Bernard [Mon, 13 Mar 2023 15:56:37 +0000 (15:56 +0000)]
Fix documented function return types
The documented return type of the (incorrectly named; see below) OSSL_FUNC_decoder_export_object function signature is wrong; the correct type is int, due to the following line in core_dispatch.h:
OSSL_CORE_MAKE_FUNC(int, decoder_export_object,
Fixes #19543
Per the Github conversation with levitte and t8m for pull request #19964, the following issues are not addressed by this patch:
The macro OSSL_CORE_MAKE_FUNC in core_dispatch.h generates a function, and a corresponding function signature typedef with name ending in "_fn". The typedefed signature is unrelated to the signature of the function.
However, provider-decoder.pod describes typedefed signatures generated by the macro, but uses the names of the functions (lacking "_fn") instead of the typedefed signatures, which is a mismatch.
Also, the documented claim about OSSL_FUNC_decoder_export_object, etc that "None of these are actual functions" is contradicted by the fact that the code actually calls those functions, and calls them specifically by those names. E.g. in decoder_meth.c:
decoder->export_object = OSSL_FUNC_decoder_export_object(fns);
The functions are generated by OSSL_CORE_MAKE_FUNC.
The paragraph "None of these are actual functions"... should be replaced by something more like "These function signatures, generated by the OSSL_CORE_MAKE_FUNC macro, are for functions that are offered via function pointers in OSSL_DISPATCH arrays."
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19964)
Pauli [Tue, 14 Mar 2023 00:33:51 +0000 (11:33 +1100)]
demo: Fix makefile target
The makefile target was incorrect and wouldn't build the rsa_encrypt demo.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20503)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20306)
Simo Sorce [Thu, 9 Mar 2023 16:45:02 +0000 (11:45 -0500)]
Add a flag so finalised contexts are not reused
The EVP layer should not rely on the underlying low level code to
handle catching incorrect reuse of contexts.
Add a flag to mark a context as finalised as needed and then catch and
immediately error on Update/Final operations if called improperly.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20375)
Simo Sorce [Mon, 6 Mar 2023 23:38:00 +0000 (18:38 -0500)]
Add test for context duplication failure
This checks that the first operation successfully completes even if
context duplication fails. But follwing operations get errors as
if the context was finlised.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20375)
Simo Sorce [Fri, 24 Feb 2023 00:51:27 +0000 (19:51 -0500)]
Do not fail if ctx dup does not succeed
If the ctx was *really* needed we'll probably fail later with an error
anyway, so no point in failing immediately.
Document that this behavior is dependent on the provider used to
implement the signature/verification.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20375)
Tobias Nießen [Mon, 6 Mar 2023 22:51:17 +0000 (22:51 +0000)]
Document remaining obsolete SSL_OP_NETSCAPE_*_BUG
SSL_OP_NETSCAPE_CA_DN_BUG became obsolete in 3c33c6f6b1086435 and
support for SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG was removed by 7a4dadc3a6a487db. The definitions are still listed under "OBSOLETE
OPTIONS retained for compatibility" in ssl.h.in, so this commit adds
them to the list of obsolete options in doc/man3.
Refs: https://github.com/nodejs/node/pull/46954
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20443)
ndossche [Tue, 7 Mar 2023 12:27:15 +0000 (13:27 +0100)]
Add missing assignment to EVP_get_digestbynid()
The assignment of the result of EVP_get_digestbynid() did not happen
which made the fallback not actually perform the fallback.
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20447)
afshinpir [Wed, 8 Mar 2023 03:42:00 +0000 (16:42 +1300)]
Segmentation fault in parent rng cleanup
CLA: trivial
When `cleanup_entropy()` is called to cleanup parent by calling
provided `OSSL_FUNC_rand_clear_seed_fn` method, incorrect random
context is passed to the method. So accessing that context creates
a segmentation fault. Parent context should be passed rather than
DRBG's own context.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20454)
afshinpir [Wed, 8 Mar 2023 07:31:54 +0000 (20:31 +1300)]
Updated `rsa_has()` for correct validation
CLA: trivial
In RSA, `(n,e)` and `(n,d)` identify public key and private key.
Modulus `n` is the common part. So I updated `rsa_has()` to validate
these pairs correctly. `OSSL_KEYMGMT_SELECT_KEYPAIR` is common part
for both public and private key, so I changed it to check `n` of
RSA and for `OSSL_KEYMGMT_SELECT_PUBLIC_KEY`, `e` is checked. Before
this change, if `selection` was `OSSL_KEYMGMT_SELECT_PRIVATE_KEY` and
only `e` and `d` was in the RSA structure, the function returns 1
while it was incorrect.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20455)
Kornel Dulęba [Wed, 8 Mar 2023 10:28:41 +0000 (11:28 +0100)]
aes/asm/bsaes-armv7.pl: Replace adrl with add
"adrl" is a pseudo-instruction used to calculate an address relative
to PC. It's not recognized by clang resulting in a compilation error.
I've stumbled upon it when trying to integrate the bsaes-armv7 assmebly
logic into FreeBSD kernel, which uses clang as it's default compiler.
Note that this affect the build only if BSAES_ASM_EXTENDED_KEY is
defined, which is not the default option in OpenSSL.
The solution here is to replace it with an add instruction.
This mimics what has already been done in !BSAES_ASM_EXTENDED_KEY logic.
Because of that I've marked this as trivial CLA.
CLA: trivial Signed-off-by: Kornel Dulęba <mindal@semihalf.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20458)
zhangzhilei [Sun, 12 Mar 2023 07:39:34 +0000 (15:39 +0800)]
Remove duplicate code
since this code is also under GCM_HW_SET_KEY_CTR_FN macro
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/20491)
Pauli [Wed, 8 Mar 2023 22:59:25 +0000 (09:59 +1100)]
Add missing copyright header
This file was only recently introduced and the missing header slipped through
the review process.
Fixes #20461
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20470)
Pauli [Tue, 7 Mar 2023 23:09:11 +0000 (10:09 +1100)]
doc: document that prediction resistance comes with a hidden cost
In the default setup, using prediction resistance cascades to a reseeding
of all DRBGs. The cost for this will be excessive for highly threaded
applications.
Fixes #20414
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/20452)
apps/x509 etc.: allow private key input when public key is expected
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19076)
test/smime-certs/{mksmime-certs.sh,ca.cnf}: simplify and speed up cert generation
Also remove inconsistent key usages from non-RSA certs.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19076)
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19076)
Richard Levitte [Wed, 1 Mar 2023 15:27:50 +0000 (16:27 +0100)]
Fix util/wrap.pl.in for VMS usage
In the name of consistency, make sure that this same script is used
across more platforms, in this case VMS. This removes the need for
util/local_shlib.com.in and util/unlocal_shlib.com.in, which were
under-used anyway.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20415)
Kurt Roeckx [Wed, 8 Feb 2023 17:48:30 +0000 (18:48 +0100)]
Run the punycode-test over the fuzz corpora during test.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20246)
Clemens Lang [Fri, 3 Mar 2023 11:22:03 +0000 (12:22 +0100)]
fips: Use salt >= 16 bytes in PBKDF2 selftest
NIST SP 800-132 [1] section 5.1 says "[t]he length of the
randomly-generated portion of the salt shall be at least
128 bits", which implies that the salt for PBKDF2 must be at least 16
bytes long (see also Appendix A.2.1).
The FIPS 140-3 IG [2] section 10.3.A requires that "the lengths and the
properties of the Password and Salt parameters, as well as the desired
length of the Master Key used in a CAST shall be among those supported
by the module in the approved mode."
As a consequence, the salt length in the self test must be at least 16
bytes long for FIPS 140-3 compliance. Switch the self test to use the
only test vector from RFC 6070 that uses salt that is long enough to
fulfil this requirement. Since RFC 6070 does not provide expected
results for PBKDF2 with HMAC-SHA256, use the output from [3], which was
generated with python cryptography, which was tested against the RFC
6070 vectors with HMAC-SHA1.
Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20429)
Juergen Christ [Fri, 3 Mar 2023 13:36:08 +0000 (14:36 +0100)]
S390X: Accelerate keccak XOF
The keccak XOF used for KMAC can be simplified by using klmd. This speeds up
XOF processing in cases where more than one result block is needed.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20431)
Richard Levitte [Tue, 7 Mar 2023 14:21:16 +0000 (15:21 +0100)]
test//bio_dgram_test.c: Skip test when BIO_bind() fails
This test isn't supposed to test BIO_bind() itself, so we can be a bit
sloppy and assume that it fails because the attempted binding is not
supported on the platform where this is run. For example, BIO_bind()
fails when it's given an IPv6 address and the platform where this is
run doesn't support that address family.
In a case like this, it's sensible enough to simply skip the test when
BIO_bind() fails.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20449)
Richard Levitte [Tue, 7 Mar 2023 14:18:18 +0000 (15:18 +0100)]
bss_dgram.c: Use BIO_ADDR_sockaddr() and BIO_ADDR_sockaddr_size()
Especially, it's important to use BIO_ADDR_sockaddr_size() instead of
taking sizeof(addr), as BIO_ADDR is a union of several sockaddr variants
with different sizes, and some sendto() implementations are very picky
that the size is correct for the indicated sockaddr family.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20449)
Tomas Mraz [Wed, 1 Mar 2023 09:28:58 +0000 (10:28 +0100)]
stream_frame_new(): Add missing allocation check
Reported by Marc Schönefeld.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19794)
Tomas Mraz [Tue, 28 Feb 2023 19:25:53 +0000 (20:25 +0100)]
test_rstream_random(): Test adding final empty frame
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19794)
Tomas Mraz [Mon, 5 Dec 2022 19:52:14 +0000 (20:52 +0100)]
Test new ossl_quic_rstream API calls
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19794)
Tomas Mraz [Wed, 30 Nov 2022 18:30:30 +0000 (19:30 +0100)]
Improve the QUIC_RSTREAM implementation
Add API calls to avoid copying data when reading
These are ossl_quic_rstream_get_record() and
ossl_quic_rstream_release_record().
Add side storage for the stream frame data.
When there are too many packets referenced by the
receiving stream the function ossl_quic_rstream_move_to_rbuf()
can be called to move the data to a ring buffer.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19794)
Richard Levitte [Mon, 6 Mar 2023 07:55:34 +0000 (08:55 +0100)]
VMS knows POSIX threads too!
include/internal/thread_arch.h didn't indicate this, now it does.
This also removes ossl_crypto_mem_barrier(), because we isn't used
anywhere, and doesn't build with compilers that don't support the GNU
extension __asm__.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20440)
Matt Caswell [Wed, 1 Mar 2023 11:14:25 +0000 (11:14 +0000)]
Improve the performance of EVP_PKCS82PKEY_ex
We can easily find out the keytype which should significantly improve
the performance of this function because we don't have to try every loaded
decoder.
Partial fix for #20399
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20412)
Matt Caswell [Mon, 27 Feb 2023 18:38:03 +0000 (18:38 +0000)]
Test that there are no errors on the stack for rejected early data
If we reject early data then it is normal for decryption operations to
fail. We should ensure there are no spurious errors on the stack in that
case. This adds a test for that scenario.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20401)
Matt Caswell [Mon, 27 Feb 2023 18:43:20 +0000 (18:43 +0000)]
Remove spurious error queue entries on early data
Early data decryption is expected to fail sometimes. If it does we should
not leave spurious error entries on the queue.
Fixes #20377
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20401)
Todd Short [Tue, 28 Feb 2023 23:42:56 +0000 (18:42 -0500)]
Add "make help" option
Based on kubernetes controller Makefile help.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20407)
HansHoogerwerf [Wed, 1 Mar 2023 09:02:37 +0000 (10:02 +0100)]
Fix typo in base provider example code
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20411)
Pauli [Mon, 27 Feb 2023 00:05:48 +0000 (11:05 +1100)]
Include supported branches in coveralls
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20383)
slontis [Fri, 17 Feb 2023 03:00:12 +0000 (13:00 +1000)]
Remove ossl_rsa_pss_params_30_set_maskgenalg().
This is an unused internal function. It should be added back
in if there is a need to set this value to something other than
NID_mgf1 (which is not likely).
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20321)
Pauli [Mon, 27 Feb 2023 08:31:58 +0000 (19:31 +1100)]
Update AES documentation excluding AES SIV from the FIPS provider
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20386)
Pauli [Mon, 27 Feb 2023 08:20:53 +0000 (19:20 +1100)]
Remove AES SIV ciphers from the FIPS provider
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20386)
Pauli [Mon, 27 Feb 2023 08:29:58 +0000 (19:29 +1100)]
Don't do AES SIV tests with the FIPS provider
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20386)
Matt Caswell [Mon, 27 Feb 2023 11:54:29 +0000 (11:54 +0000)]
Ensure we use a non-zero time for tickets in early data
Our tests run so quickly that the ticket age is virtually zero. This may
not show up problems in the age calculations, so we artificially add some
age to the tickets in some runs.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20387)
Matt Caswell [Mon, 27 Feb 2023 11:18:26 +0000 (11:18 +0000)]
Fix early_data age calculation
The ticket_age/age_add values use ms granualarity. We were incorrectly
treating them as seconds and so the ticket was always being rejected for
early data. We also clarify a comment which could have been the source of
the confusion.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20387)
slontis [Mon, 27 Feb 2023 06:35:41 +0000 (16:35 +1000)]
Fix FFC mdprop setting bugs.
Coverage testing showed that ossl_ffc_params_fromdata() was not setting
OSSL_PKEY_PARAM_FFC_DIGEST_PROPS.
Adding a negative test also showed that ossl_ffc_params_copy() did not
do a shallow copy of the digest or digest property.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20385)
slontis [Mon, 27 Feb 2023 03:48:24 +0000 (13:48 +1000)]
Fix infinite loops in DSA sign code.
Fixes #20268
Values such as q=1 or priv=0 caused infinite loops when calling
DSA_sign() without these changes.
There are other cases where bad domain parameters may have caused
infinite loops where the retry counter has been added. The simpler case
of priv=0 also hits this case. q=1 caused an infinite loop in the setup.
The max retry value has been set to an arbitrary value of 8 (it is
unlikely to ever do a single retry for valid values).
The minimum q bits was set to an arbitrary value of 128 (160 is still
used for legacy reasons when using 512 bit keys).
Thanks @guidovranken for detecting this, and @davidben for his
insightful analysis.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20384)
Robin Lee [Sun, 26 Feb 2023 05:56:14 +0000 (13:56 +0800)]
ec: Use .machine "any" explicitly in ecp_nistp521-ppc64
Since GCC commit e154242724b084380e3221df7c08fcdbd8460674 the flag "-many"
is sometimes not passed to the assembler. Use .machine "any" just like
ecp_nistz256-ppc64 to prevent compile errors when built with some
configurations of GCC.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20378)
ndossche [Thu, 9 Feb 2023 08:49:47 +0000 (09:49 +0100)]
Fix incomplete error check on RSA_public_decrypt()
According to the documentation and my analysis tool RSA_public_decrypt()
can return -1 on error, but this is not checked. Fix it by changing the
error condition.
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20250)
ndossche [Thu, 9 Feb 2023 10:39:58 +0000 (11:39 +0100)]
Fix incomplete error check on ASN1_item_i2d()
According to the documentation and my analysis tool
ASN1_item_i2d() can return a negative value on error,
but this is not checked. Fix it by changing the error check condition.
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20251)
slontis [Wed, 22 Feb 2023 23:09:57 +0000 (09:09 +1000)]
Document the list of RAND algorithms in the default and fips providers.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20361)
slontis [Wed, 22 Feb 2023 00:11:33 +0000 (10:11 +1000)]
Add provider pre-fetching documentation
Clearly document that implicit fetching is slower when using providers,
and explain prefetching. Added to crypto.pod and migration_guide.pod
links to it.
Add a link to EVP_default_properties_enable_fips() in crypto.pod.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20354)
util/find-doc-nits: improve error diagnostics on missing man section numbers in links
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20369)
CMS_add0_cert.pod: add missing man section numbers in recently added L<fun()> refs
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20369)
Ingo Franzki [Wed, 8 Feb 2023 16:26:20 +0000 (17:26 +0100)]
Add OSSL_FUNC_keymgmt_im/export_types function that gets the provider context
The provider functions OSSL_FUNC_keymgmt_import_types() and
OSSL_FUNC_keymgmt_export_types() do not get the provider context passed.
This makes it difficult for providers to implement these functions unless
its a static implementation returning a truly constant OSSL_PARAM array.
Some providers may have a need to return an OSSL_PARAM array that is
dependent on the provider configuration, or anything else that is contained
in its provider context.
Add extended variants of these functions that get the provider context passed.
The functions should still return a static and constant OSSL_PARAM array, but
may use the provider context to select the array to return dependent on its
context. The returned array must be constant at least until the provider is
unloaded.
Providers can implement only the original functions, or only the extended
functions, or both. Implementing at least one of those functions is required
if also the respective OSSL_FUNC_keymgmt_import() or OSSL_FUNC_keymgmt_export()
function is implemented. If an extended function is available, it is called by
evp_keymgmt_import_types() or evp_keymgmt_export_types(), otherwise the original
function is called.
This makes the code backward compatible. Existing providers will only implement
the original functions, so these functions will continued to be called.
Newer providers can choose to implement the extended functions, and thus can
benefit from the provider context being passed to the implementation.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20255)
CMS_add0_cert: if cert already present, do not throw error but ignore it
Also add checks on failing cert/CRL up_ref calls; improve coding style.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19199)
CMS_add1_crl(): prevent double free on failure of CMS_add0_crl()
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19199)
slontis [Thu, 15 Dec 2022 02:13:55 +0000 (12:13 +1000)]
Add help for pkeyopt values for the genpkey commandline app.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/19931)
olszomal [Tue, 21 Feb 2023 13:20:24 +0000 (14:20 +0100)]
Skip subdirectories in SSL_add_dir_cert_subjects_to_stack()
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20312)
Jeeban Sethi [Tue, 21 Feb 2023 16:01:43 +0000 (21:31 +0530)]
Fixes #20278: Fixed double free bug in crypto/http/http_client.c
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20351)
Matt Caswell [Thu, 26 Jan 2023 17:53:30 +0000 (17:53 +0000)]
Don't send ciphersuites twice in QUIC
QUIC TLS was sending some ciphersuites twice in the ClientHello. This
was due to us declaring some TLSv1.3 ciphersuites in the list intended to
describe the TLSv1.2 ciphersuites supported by the SSL_METHOD.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20148)
Sam James [Tue, 21 Feb 2023 00:37:57 +0000 (00:37 +0000)]
CI: add Clang 16
Clang 16 will be released shortly (beginning of March).
Signed-off-by: Sam James <sam@gentoo.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20346)
Matt Caswell [Thu, 26 Jan 2023 14:55:28 +0000 (14:55 +0000)]
Ensure calling BIO_recvmmsg() with a dgram pair reports errors
When calling BIO-recvmmsg() and using a dgram pair we were failing to
raise an error in the case that a problem occurs. This means that the
reason behind a failure cannot be detected and all problems are treated
as fatal even if they may not be.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)