This requires changing semantics of the keymgmt_has()
function a little in the sense that it now returns 1
if the selection has no meaning for the key type. It
was already doing so for ECX keys for example.
The keymgmt_validate function semantics is changed
similarly to allow passing validation on the same
selection that the key returns 1 for.
Fixes#14509
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14511)
All 3 files that included crypto/siphash.h also included siphash_local.h,
and no other files included siphash_local.h independently. They probably
should be just one header file.
Fixes#14360
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14558)
RSA keys have no parameters and pass EVP_PKEY_param_check(). Previously,
ECX keys had no parammeters and failed EVP_PKEY_param_check(). We should
be consistent. It makes more sense to always pass, and therefore this
commit implements that behaviour.
Fixes#14482
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)
Fixes#14480
An internal flag that is set during param gen was not being tested, so
the wrong type was used to select the dsa domain param validation method.
In the default provider - if no gen_type is set then by default the fips186_4 gentype
will be selected when pbits >=2048 otherwise it selects fips186_2.
The fips provider ignores the gen_type and always uses fips186_4.
Before this change dsa used fips186_2 by default in the default
provider.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14508)
This is in gmac_final(), where the cipher is known to be fetched.
It's more suitable to use OSSL_PARAMs than _ctrl functions, as the
latter are expected to become obsolete.
Fixes#14359
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14484)
Providers (particularly the FIPS provider) needs access to BIOs from libcrypto.
Libcrypto is allowed to change the internal format of the BIO structure and it
is still expected to work with providers that were already built. This means
that the libcrypto BIO must be distinct from and not castable to the provider
side OSSL_CORE_BIO.
Unfortunately, this requirement was broken in both directions. This fixes
things by forcing the two to be different and any casts break loudly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14419)
Fixes#13185Fixes#13352
Removed the existing code in file_store that was trying to figure out the
input type.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14407)
The FIPS provider no longer has seeding sources inside the boundary, the
related conditional code can therefore be removed.
Fixes#14358
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14382)
This allows making the signature operations return different
settable params when the context is initialized with
EVP_DigestSign/VerifyInit.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14338)
Those TODOs do not really apply to 3.0 as the legacy internal
keys will stay.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14367)
Added some error reporting in dh_exch.c and unified error reporting
with it in other key exchange methods.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14367)
Those TODOs are not relevant anymore as the headers
are now in providers.
Also make the header guard defines better reflect the
header placement.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14367)
The DER writing errors can be ignored safely.
Document that the EVP_MAX_MD_SIZE is a hardcoded limit
for digest sizes.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14367)
Partial fix for #12964
This adds ossl_ names for the following symbols:
ec_*, ecx_*, ecdh_*, ecdsa_*, sm2_*
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14231)
Partial fix for #12964
This adds ossl_ names for the following symbols:
dsa_check_pairwise, dsa_check_params, dsa_check_priv_key, dsa_check_pub_key, dsa_check_pub_key_partial,
dsa_do_sign_int, dsa_ffc_params_fromdata,
dsa_generate_ffc_parameters, dsa_generate_public_key,
dsa_get0_params, dsa_key_fromdata, dsa_new_with_ctx, dsa_pkey_method, dsa_sign_int
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14231)
This partially reverts commit 270a5ce1d9.
This also slightly modifies the way diverse parameters in are
specified in providers/fips/self_test_data.inc for better consistency.
Fixes#14027
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14035)
When a SubjectPublicKeyInfo (SPKI) is decoded into an X509_PUBKEY
structure, the corresponding EVP_PKEY is automatically added as well.
This used to only support our built-in keytypes, and only in legacy
form.
This is now refactored by making The ASN1 implementation of the
X509_PUBKEY an EXTERN_ASN1, resulting in a more manual implementation
of the basic support routines. Specifically, the d2i routine will do
what was done in the callback before, and try to interpret the input
as an EVP_PKEY, first in legacy form, and then using OSSL_DECODER.
Fixes#13893
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14281)
Adding the EVP_PKEY_param_check_quick() reminded me that there are also
partial checks for public keys as part of SP800-56A for FFC (DH named safe
prime groups) and ECC. The code was mainly already there and just needed
to be plumbed into the validate methods.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14206)
The pem2der decoder can infer certain information about the endoded der
data based on the PEM headers. This information should be passed to the
next decoders in the chain to ensure we end up loading the correct type of
thing.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14191)
keys and digests.
Partial fix for #12964
This adds ossl_ names for the following symbols:
digest_get_approved_nid, digest_get_approved_nid_with_sha1
digest_is_allowed, digest_md_to_nid, digest_rsa_sign_get_md_nid,
securitycheck_enabled,
dh_check_key, dsa_check_key, ec_check_key,
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14211)
Partial fix for #12964
This adds ossl_ names for the following symbols:
blake2b512_init,blake2b_final,blake2b_init,blake2b_init_key,
blake2b_param_init,blake2b_param_set_digest_length,blake2b_param_set_key_length,
blake2b_param_set_personal,blake2b_param_set_salt,blake2b_update,
blake2s256_init,blake2s_final,blake2s_init,blake2s_init_key,
blake2s_param_init,blake2s_param_set_digest_length,blake2s_param_set_key_length,
blake2s_param_set_personal,blake2s_param_set_salt,blake2s_update,
digest_default_get_params,digest_default_gettable_params
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14211)
mac_dupctx() should make a copy of the propq field. Currently it
does a shallow copy which can result in a double free and crash.
The double free occurs when using a provider property string.
For example, passing in "fips=no" to SSL_CTX_new_ex() causes the
propq field to get set to that value. When mac_dupctx() and
mac_freectx() is called (ie: in SSL_write()) it ends up freeing
the reference of the original object instead of a copy.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13926)
Added primality check on p and q in the ossl_ffc_params_simple_validate().
Checking for p and q sizes in the default provider is made more
lenient.
Added two testcases for invalid parameters.
Fixes#13950
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14148)
Additional renames done in encoder and decoder implementation
to follow the style.
Fixes#13622
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14155)
The low level DH API has two functions for checking parameters:
DH_check_ex() and DH_check_params_ex(). The former does a "full" check,
while the latter does a "quick" check. Most importantly it skips the
check for a safe prime. We're ok without using safe primes here because
we're doing ephemeral DH.
Now that libssl is fully using the EVP API, we need a way to specify that
we want a quick check instead of a full check. Therefore we introduce
EVP_PKEY_param_check_quick() and use it.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14146)
Both DH_check_ex() and DH_check_params_ex() check the parameters.
DH_check_ex() performs a more complete check, while DH_check_params_ex()
performs a lightweight check. In 1.1.1 EVP_PKEY_param_check() would call
DH_check_ex() for DH keys. For backwards compatibility we should continue
with that behaviour.
Fixes#13501
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14146)
Fix CID 1472835: the explicit NULL check for prsactx is useless when
we have already dereferenced it in the initializers.
Move the actual initialization to the function body to get the
logic sequenced properly.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14160)
Using ERR_LIB_* causes the error output to say 'reason(n)' instead of
the name of the sub-library in question.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14152)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14086)
The PROV_R codes can be returned to applications so it is useful
to have some common set of provider reason codes for the applications
or third party providers.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14086)
This 'special' way of specifying the data should only be used for testing
purposes. It should not be used in production environments.
ACVP passes a blob of DER encoded data for some of the fields rather
than passing them as separate fields that need to be DER encoded.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14077)
Fixes#13969
- properly handle the mandatory RSA-PSS key parameters
- improve parameter checking when setting the parameters
- compute the algorithm id at the time it is requested so it
reflects the actual parameters set
- when generating keys do not override previously set parameters
with defaults
- tests added to the test_req recipe that should cover the PSS signature
handling
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13988)
There was a remaining function signature declaration, but no
OSSL_DISPATCH number for it nor any way it's ever used. It did exist
once, but was replaced with an OSSL_PARAM item to retrieve.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14048)
The EC KEYMGMT implementation handled SM2 as well, except what's
needed to support decoding: loading functions for both EC and SM2 that
checks for the presence or absence of the SM2 curve the same way as
the EC / SM2 import functions.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14028)
In 1.1.1 and earlier it was possible to create EC_KEYs that did not have
the public key in it. We need to ensure that this continues to work in 3.0.
Fixes#12612
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13922)
Handling of parameter OSSL_KDF_PARAM_SSHKDF_TYPE mixed integer and string
parameters. This caused endianness problems on big-endian machines. As a
result, it is not possible to pass FIPS tests since the parameter was stored
with an integer value but read via a cast to char pointer. While this works
on little endian machines, big endian s390 read the most significant bits
instead of the least significant (as done by, e.g., x86). Change the
parameter to char array and fix the usages.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
(Merged from https://github.com/openssl/openssl/pull/13781)
