Richard Levitte [Tue, 19 Nov 2019 08:55:56 +0000 (09:55 +0100)]
CORE: pass the full algorithm definition to the method constructor
So far, the API level method constructors that are called by
ossl_method_construct_this() were passed the algorithm name string and
the dispatch table and had no access to anything else.
This change gives them access to the full OSSL_ALGORITHM item, thereby
giving them access to the property definition.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)
Richard Levitte [Fri, 8 Nov 2019 23:18:05 +0000 (00:18 +0100)]
CORE: ossl_namemap_add_names(): new function to add multiple names
This was originally the private add_names_to_namemap() in
crypto/evp/evp_fetch.c, but made more generally useful.
To make for more consistent function naming, ossl_namemap_add() and
ossl_namemap_add_n() are renamed to ossl_namemap_add_name() and
ossl_namemap_add_name_n().
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)
Matt Caswell [Thu, 19 Sep 2019 10:52:45 +0000 (11:52 +0100)]
Disable mem leak checking for the self test lock
The fips self test lock is deallocated in platform specific ways that may
occur after we do mem leak checking. If we don't know how to free it for
a particular platform then we just leak it deliberately. So we
temporarily disable the mem leak checking while we allocate the lock.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9939)
Matt Caswell [Wed, 18 Sep 2019 16:27:10 +0000 (17:27 +0100)]
Make sure we only run the self tests once
Fixes #9909
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9939)
Matt Caswell [Tue, 26 Nov 2019 17:15:20 +0000 (17:15 +0000)]
Check the return from OPENSSL_buf2hexstr()
The function OPENSSL_buf2hexstr() can return NULL if it fails to allocate
memory so the callers should check its return value.
Fixes #10525
Reported-by: Ziyang Li (@Liby99) Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10526)
Matt Caswell [Tue, 26 Nov 2019 17:14:08 +0000 (17:14 +0000)]
Check that OPENSSL_zalloc was successful when creating EVP types
We were missing a NULL check in a few very similar places following an
OPENSSL_zalloc() call.
Reported-by: Ziyang Li (@Liby99) Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10526)
Matt Caswell [Fri, 31 May 2019 13:32:55 +0000 (14:32 +0100)]
Add a test for NULL chunks in encrypt/decrypt
Issue #8675 describes a problem where calling EVP_DecryptUpdate() with an
empty chunk causes the result to be different compared to if you do not
use an empty chunk. This adds a test for that case.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10530)
Matt Caswell [Wed, 27 Nov 2019 16:06:34 +0000 (16:06 +0000)]
Make sure we handle input NULL with length 0
If we call EVP_EncryptUpdate/EVP_DecryptUpdate with length 0 we should
be able to handle it. Most importantly we shouldn't get different
results if we do this compared to if we don't!
An exception is made for CCM mode which has special handling for this in
the low level cipher function.
Fixes #8675
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10530)
moehuster [Tue, 12 Nov 2019 11:28:51 +0000 (19:28 +0800)]
Fix L<EVP_MD_CTX_set_pkey_ctx> links
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10420)
Ard Biesheuvel [Thu, 21 Nov 2019 17:13:41 +0000 (18:13 +0100)]
chacha/asm/chacha-armv8.pl: preserve FP registers d8 and d9 correctly
Depending on the size of the input, we may take different paths through
the accelerated arm64 ChaCha20 routines, each of which use a different
subset of the FP registers, some of which need to be preserved and
restored, as required by the AArch64 calling convention (AAPCS64)
In some cases, (e.g., when the input size is 640 bytes), we call the 512
byte NEON path followed directly by the scalar path, and in this case,
we preserve and restore d8 and d9, only to clobber them again
immediately before handing over to the scalar path which does not touch
the FP registers at all, and hence does not restore them either.
Fix this by moving the restoration of d8 and d9 to a later stage in the
512 byte routine, either before calling the scalar path, or when exiting
the function.
Fixes #10470
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10497)
Rich Salz [Thu, 21 Nov 2019 23:14:12 +0000 (18:14 -0500)]
Use option/parameter consistently.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10135)
Rich Salz [Wed, 9 Oct 2019 19:45:12 +0000 (15:45 -0400)]
Document more env var stuff, fix some typo's
Add openssl-env.pod
Also fix up many other environment page formatting nits.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10135)
Shane Lontis [Mon, 18 Nov 2019 00:32:36 +0000 (10:32 +1000)]
Cache constants for fetched EVP_cipher
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
(Merged from https://github.com/openssl/openssl/pull/10461)
OpenSSL 1.1.1 introduced a new CSPRNG with an improved seeding
mechanism, which makes it dispensable to define a RANDFILE for
saving and restoring randomness. This commit removes the RANDFILE
declarations from our own configuration files and adds documentation
that this option is not needed anymore and retained mainly for
compatibility reasons.
Fixes #10433
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10436)
Matus Kysel [Fri, 22 Nov 2019 09:44:02 +0000 (10:44 +0100)]
Remove deadlock that was caused by calling pthread_rwlock_wrlock() on same thread twice. This can be reproduce only with musl.
CLA: trivial
Signed-off-by: Matus Kysel <mkysel@tachyum.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10501)
Benjamin Kaduk [Wed, 13 Nov 2019 17:42:19 +0000 (09:42 -0800)]
Fix a race condition in SNI handling
As was done for ciphers, supported groups, and EC point formats in
https://github.com/openssl/openssl/pull/9162, only write the negotiated
SNI hostname value to the session object when not resuming, even for
TLS 1.3 resumptions. Otherwise, when using a stateful session cache
(as is done by default when 0-RTT data is enabled), we can have multiple
SSLs active using the same in-memory session object, which leads to
double-frees and similar race conditions in the SNI handler prior
to this commit.
Fortunately, since draft-ietf-tls-tls13-22, there is no requirement
that the SNI hostname be preserved across TLS 1.3 resumption, and thus
not a need to continually update the session object with the "current"
value (to be used when producing session tickets, so that the subsequent
resumption can be checked against the current value). So we can just
relax the logic and only write to the session object for initial handshakes.
This still leaves us in a somewhat inconsistent state, since if the SNI value
does change across handshakes, the session object will continue to record
the initial handshake's value, even if that bears no relation to the
current handshake. The current SSL_get_servername() implementation
prefers the value from the session if s->hit, but a more complete fix
for that and related issues is underway in
https://github.com/openssl/openssl/pull/10018; there is no need to wait
for the complete fix for SNI name handling in order to close the
race condition and avoid runtime crashes.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10441)
Richard Levitte [Thu, 23 May 2019 01:27:37 +0000 (03:27 +0200)]
Replumbing: pre-populate the EVP namemap with commonly known names
This adds ossl_namemap_empty(), to detect if a namemap is empty and
can thereby be pre-populated.
This also affects the way legacy NIDs are looked up in
evp_cipher_from_dispatch() and evp_md_from_dispatch(). Instead of
trying to find the NID directly, look up the legacy method structure
and grab the NID from there. The reason is that NIDs can be aliases
for other NIDs, which looks like a clash even if wasn't really one.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8984)
Patrick Steuer [Fri, 1 Nov 2019 23:02:47 +0000 (00:02 +0100)]
Allow specifying the tag after AAD in CCM mode (2)
In addition to 67c81ec3 which introduced this behavior in CCM mode
docs but only implemented it for AES-CCM.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10331)
Patrick Steuer [Fri, 1 Nov 2019 13:58:36 +0000 (14:58 +0100)]
Dont pass zero length input to asm modules for ciphers
The asm modules may assume an input length > 0.
Fixes: #9262 Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10323)
Add documentation for all commands that have parameters.
Fix a couple of minor doc and programming bugs, too.
Fixes #10313
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10371)
Matt Caswell [Fri, 15 Nov 2019 14:15:09 +0000 (14:15 +0000)]
Add test for non-default sized keys in variable key size ciphers
Various ciphers have the ability to support varaible length keys.
This adds some test cases for algorithms where we did not test a key
length other than the default size.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10449)
Matt Caswell [Thu, 14 Nov 2019 16:05:19 +0000 (16:05 +0000)]
EVP_CIPHER_CTX_set_keylen should not succeed if a bad keylen is passed
EVP_CIPHER_CTX_set_keylen() was succeeding even though a bad key length
is passed to it. This is because the set_ctx_params() were all accepting
this parameter and blindly changing the keylen even though the cipher did
not accept a variable key length. Even removing this didn't entirely
resolve the issue because set_ctx_params() functions succeed even if
passed a parameter they do not recognise.
This should fix various issues found by OSSfuzz/Cryptofuzz.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10449)
Xiaokang Qian [Tue, 12 Nov 2019 08:48:27 +0000 (08:48 +0000)]
Fix the issue that aes-xxx-siv algorithms failed in OpenSSL speed test
Speed test, aes-siv related cases fail on both x86 and arm.
The return value of siv_init() causes this problem, remove
the iv check to fix it.
Verify it locally, the result is pass.
Pauli [Mon, 11 Nov 2019 01:17:32 +0000 (11:17 +1000)]
Properties: make query cache reference count aware.
The property query cache was not reference count aware and this could cause
problems if the property store removes an algorithm while it is being returned
from an asynchronous query. This change makes the cache reference count aware
and avoids disappearing algorithms.
A side effect of this change is that the reference counts are now owned by the
cache and store.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10408)
Shane Lontis [Mon, 18 Nov 2019 03:13:05 +0000 (13:13 +1000)]
Fix Use after free when copying cipher ctx
Fixes #10438
issue found by clusterfuzz/ossfuzz
The dest was getting a copy of the src structure which contained a pointer that should point to an offset inside itself - because of the copy it was pointing to the original structure.
The setup for a ctx is mainly done by the initkey method in the PROV_CIPHER_HW structure. Because of this it makes sense that the structure should also contain a copyctx method that is use to resolve any pointers that need to be setup.
A dup_ctx has been added to the cipher_enc tests in evp_test. It does a dup after setup and then frees the original ctx. This detects any floating pointers in the duplicated context that were pointing back to the freed ctx.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10443)
Patrick Steuer [Fri, 15 Nov 2019 09:52:03 +0000 (10:52 +0100)]
s390x assembly pack: fix bn_mul_comba4
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10454)
Anthony Hu [Fri, 8 Nov 2019 02:47:53 +0000 (21:47 -0500)]
Add missing EVP_PKEY_METHOD accessors for digestsign and digestverify
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10388)
Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10380)
Rich Salz [Thu, 22 Aug 2019 05:21:25 +0000 (10:51 +0530)]
Fix some broken doc links
Replace L<> link to header-file with a C<> reference.
Change some broken L<provider(3)> links to L<provider(7)>.
For consistency, rename four cipher pages to have a specific mode.
Fix up all references to any "generic" names to point to specific names.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10100)
Patrick Steuer [Thu, 14 Nov 2019 09:34:02 +0000 (10:34 +0100)]
travis.yml: add arch s390x target
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10446)
Patrick Steuer [Wed, 13 Nov 2019 17:39:51 +0000 (18:39 +0100)]
testutil/init.c rename to testutil/testutil_init.c
Avoid conflicts with some linkers.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10439)
Matt Caswell [Tue, 12 Nov 2019 17:16:14 +0000 (17:16 +0000)]
Fix an uninitialised read in conf_def.c
PR 8882 added a new field to the CONF structure. Unfortunately this
structure was created using OPENSSL_malloc() and the new field was not
explicitly initialised in the "init" function. Therefore when we came to
read it for the first time we got an uninitialised read.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10428)
Richard Levitte [Fri, 8 Nov 2019 14:24:42 +0000 (15:24 +0100)]
CORE & PROV: make export of key data leaner through callback
Exporting data from a provider owned domainparams or key is quite an
ordeal, with having to figure out what parameter keys an
implementation supports, call the export function a first time to find
out how large each parameter buffer must be, allocate the necessary
space for it, and call the export function again.
So how about letting the export function build up the key data params
and call back with that? This change implements exactly such a
mechanism.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10414)
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com> Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10417)
Nicola Tuveri [Mon, 11 Nov 2019 22:52:00 +0000 (00:52 +0200)]
Extend docs for EC_POINT conversion functions
Add more explicit documentation about the relation between
EC_POINT_point2oct(), EC_POINT_point2hex(), EC_POINT_point2bn() and
their reverse.
In particular highlight that EC_POINT_point2oct() and
EC_POINT_oct2point() conform to, respectively, Sec. 2.3.3 and Sec. 2.3.4
of the SECG SEC 1 standard (which is the normative reference for the
already mentioned RFC 5480), highlighting with a note how this affect
the encoding/decoding of the point at infinity (which in contrast with
any other valid generic point of a curve is assigned an exceptional
fixed octet string encoding, i.e., 0x00).
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10329)
Nicola Tuveri [Fri, 1 Nov 2019 20:09:40 +0000 (22:09 +0200)]
Add self-test for EC_POINT_hex2point
Adds tests for each curve to ensure that encodings obtained through
EC_POINT_hex2point() can be fed to EC_POINT_point2hex() yielding a point
identical to the one from which the encoding is generated.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10329)
Nicola Tuveri [Fri, 1 Nov 2019 20:38:21 +0000 (22:38 +0200)]
Fix EC_POINT_bn2point() for BN_zero()
EC_POINT_bn2point() rejected BIGNUMs with a zero value.
This behavior indirectly caused failures when converting a point
at infinity through EC_POINT_point2hex() and then back to a point with
EC_POINT_hex2point().
With this change such BIGNUMs are treated like any other and exported to
an octet buffer filled with zero.
It is then EC_POINT_oct2point() (either the default implementation or
the custom one in group->meth->oct2point) to determine if such encoding
maps to a valid point (generally the point at infinity is encoded as
0x00).
Fixes #10258
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10329)
Nicola Tuveri [Thu, 31 Oct 2019 15:17:31 +0000 (17:17 +0200)]
Add more tests for apps/req
https://github.com/openssl/openssl/issues/10224#issuecomment-546593113
highlighted that existing testing infrastructure is not covering common
usage patterns of the `req` app.
This commit explicitly adds request generations thorugh the CLI using
RSA, DSA and ECDSA (P-256) keys.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/pr-10312)
Jon Spillett [Mon, 2 Sep 2019 04:51:05 +0000 (14:51 +1000)]
Add missing docs for some PKCS12 functions
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9752)
This also removes the incorrect documentation comments by those
functions, and fixes a bug in SSL_add_store_cert_subjects_to_stack(),
where the condition for recursive addition was 'depth == 0' when it
should be 'depth > 0'.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10402)
Richard Levitte [Sun, 10 Nov 2019 12:07:46 +0000 (13:07 +0100)]
Make sure KDF reason codes are conserved in their current state
Because KDF errors are deprecated and only conserved for backward
compatibilty, we must make sure that they remain untouched. A simple
way to signal that is by modifying crypto/err/openssl.ec and replace
the main header file (include/openssl/kdf.h in this case) with 'NONE',
while retaining the error table file (crypto/kdf/kdf_err.c).
util/mkerr.pl is modified to silently ignore anything surrounding a
conserved lib when such a .ec line is found.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10368)
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10398)
Ido Ben-Natan [Sat, 9 Nov 2019 13:04:39 +0000 (15:04 +0200)]
Fix misspelled resumption_label for CHARSET_EBCDIC
The resumption_label variable when CHARSET_EBCDIC was enabled, was misspelled.
Instead of evaluating to 'res binder' as expected, it evaluated to 'red binder'.
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10396)
Rich Salz [Fri, 1 Nov 2019 20:26:05 +0000 (16:26 -0400)]
Fix L<xxx(1)> links to be L<openssl-xxx(1)>
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10328)
Many Windows-based GOST TLS implementations are unable to extend the
list of supported SignatureAlgorithms because of lack of the necessary
callback in Windows. So for TLS 1.2 it makes sense to imply the support
of GOST algorithms in case when the GOST ciphersuites are present.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10377)