Commit Graph

35506 Commits

Author SHA1 Message Date
pohsingwu
81bb88481d Call key_check_passed in set_ctx_params
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23900)
2024-08-01 16:47:12 +10:00
pohsingwu
ba977226cf Add FIPS indicator tests for KDFs
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23900)
2024-08-01 16:47:12 +10:00
pohsingwu
1b838621c3 Restrict the length of key-derivation key used in KDFs
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23900)
2024-08-01 16:47:12 +10:00
Tomas Mraz
96b59ec4b6 CMS_get1_crls(): Remove redundant check for NULL crls
Fixes Coverity 1610380

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24928)
2024-07-31 15:58:24 +02:00
Neil Horman
7408d58714 disable rwlocks on nonstop klt model
It appears nonstops new threading model defines some level of rwlock
pthread api, but its not working properly.  Disable rwlocks for
_KLT_MODEL_ for now

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24969)
2024-07-31 08:05:53 -04:00
Neil Horman
9bd5e92aff Add error checking to CRYPTO_atomic_[load|store] calls
Noted that we didn't check return codes of the atomic loads/stores in
the new hashtable, and they can fail

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24969)
2024-07-31 08:05:53 -04:00
Neil Horman
8e5cc43e74 Make ossl_ht_delete use read-once semantics
To ensure that the value of h->md doesn't get recomputed during a delete
operation use ossl_rcu_deref on it

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24969)
2024-07-31 08:05:53 -04:00
Neil Horman
3190f5c06b Fix CRYPTO_atomic_store
If the implementation of this function falls to using a pthread lock to
update a value, it should be a write lock, not a read lock

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24969)
2024-07-31 08:05:53 -04:00
Tomas Mraz
454ca902c7 evp_get_digest/cipherbyname_ex(): Try to fetch if not found
If the name is not found in namemap, we need
to try to fetch the algorithm and query the
namemap again.

Fixes #19338

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24940)
2024-07-31 11:25:55 +02:00
Tomas Mraz
4fa9d1f40f Avoid leaking *ba_ret on reconnections
Also fixes Coverity 1604639
There is no point in checking ba_ret as it can never be NULL.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24931)
2024-07-31 11:23:16 +02:00
Dimitri John Ledkov
f41b5ffe33 jitter: retry intermittent failures
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)
2024-07-31 14:44:51 +10:00
Dimitri John Ledkov
f8c510cd20 JITTER: implement error handling from jitter library
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)
2024-07-31 14:44:51 +10:00
Dimitri John Ledkov
1e7ff7be23 JITTER: excercise all tests in CI with JITTER seed source under certain build configuration
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)
2024-07-31 14:44:51 +10:00
Dimitri John Ledkov
8f3ebb7d60 JITTER: add documentation
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)
2024-07-31 14:44:51 +10:00
Dimitri John Ledkov
b28b312804 jitter: add a new provider containing a jitter entropy source alone
This entropy source can be used instead of SEED-SRC. Sample
openssl.cnf configuration is provided. It is built as a separate
provider, because it is likely to require less frequent updates than
fips provider. The same build likely can span multiple generations of
FIPS 140 standard revisions.

Note that rand-instances currently chain from public/private instances
to primary, prior to consuming the seed. Thus currently a unique ESV
needs to be obtained, and resue of jitterentropy.a certificate is not
possible as is. Separately a patch will be sent to allow for
unchaining public/private RAND instances for the purpose of reusing
ESV.

Also I do wonder if it makes sense to create a fips variant of stock
SEED-SRC entropy source, which in addition to using getrandom() also
verifies that the kernel is operating in FIPS mode and thus is likely
a validated entropy source. As in on Linux, check that
/proc/sys/crypto/fips_enabled is set to 1, and similar checks on
Windows / MacOS and so on.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)
2024-07-31 14:44:51 +10:00
slontis
4f5febe2c6 Add FIPS indicator to CMAC.
There is a issue currently related to CMAC TDES, when the new provider
is tested against older branches.

The new strict check caused backwards compatibility issues when
using old branch with the new FIPS provider.

To get around this CMAC now allows TDES by default, but it can be either
enabled via config or a settable. (i.e it uses an indicator)

Where the TDES cipher check can be done turned out to be problematic.
Shifting the check in the TDES cipherout of the init doesnt work because
ciphers can run thru either final or cipher (and checking on every
cipher call seemed bad). This means it needs to stay in the cipher init.
So the check needs to be done in CMAC BEFORE the underlying TDES cipher
does it check.
When using an indicator the TDES cipher needs its "encrypt-check" set
so that needs to be propagated from the CMAC object. This requires
the ability to set the param at the time the cipher ctx is inited.
An internal function was required in order to pass params to CMAC_Init.

Note also that the check was done where it is, because EVP_Q_mac() calls
EVP_MAC_CTX_set_params(ctx, cipher_param)
EVP_MAC_CTX_set_params(ctx, params)
EVP_MAC_init(ctx, key, keylen, params)
Where the second call to set_params would set up "encrypt-check" after
"cipher".

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25022)
2024-07-31 09:04:17 +10:00
Pauli
efba3f1351 Add negative tests for SHAKE with PBKDF2 and X9.42 KDF
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24862)
2024-07-30 18:04:36 +10:00
Pauli
a5827910da Disallow SHAKE when using PBKDF2 and X9.42 KDF
The operation is non-sensical.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24862)
2024-07-30 18:04:36 +10:00
slontis
07e4d7f474 Add RSA Signature restrictions for X9.31 padding in the FIPS provider.
In FIPS 140-3, RSA Signing with X9.31 padding is not approved,
but verification is allowed for legacy purposes. An indicator has been added
for RSA signing with X9.31 padding.

A strict restriction on the size of the RSA modulus has been added
i.e. It must be 1024 + 256 * s (which is part of the ANSI X9.31 spec).

Added implementation comments to the X9.31 padding code

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24021)
2024-07-29 10:16:30 +10:00
Pauli
9c57eb736e drbg: streamline test for allowed digests
Under FIPS, we've got a whitelist of algorithms.  There is no need to then
also check for XOF digests because they aren't possible.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25007)
2024-07-28 18:49:52 +10:00
Neil Horman
4811efe12f fix Coverity 1604662
Coverity flagged an issue in our bio_enc tests in which we failed to
check the return code of BIO_read for an error condition which can lead
to our length computation going backwards.

Just check the error code before adding it to length

Fixes openssl/project#779

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25006)
2024-07-27 10:07:35 -04:00
Neil Horman
32185d513c Fix second error from Coverity-161057
Coverity flagged a second error in this code

we're comparing block_padding and hs_padding for >= 0, which is always
true

With the change to the use of strtoul, inputs that are preceded with a -
(i.e. negative values), are caught already, so the check is redundant

just remove the check entirely

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24993)
2024-07-26 13:25:18 -04:00
Neil Horman
31cd9cd830 Fix coverity-993406
Coverity flagged an overflow warning in the cmsapitest.

Its pretty insignificant, but if a huge file is passed in via BIO, its
possible for the length variable returned to overflow.

Just check it as we read to silence coverity on it.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24995)
2024-07-26 13:16:10 -04:00
slontis
bc43158797 Add FIPS indicator support for Triple-DES encryption.
This leaves 3DES with the FIPS query "FIPS=yes", which allows
Triple-DES to be used for Decryption by default.

Disallow CMAC using Triple-DES in FIPS.
This does not use a FIPS indicator.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24960)
2024-07-26 14:26:49 +10:00
Pauli
8fe150cce8 test: fix failing KDF tests with changed behaviour
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)
2024-07-26 10:10:14 +10:00
Pauli
50a91de440 changes: add no_short_mac entry
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)
2024-07-26 10:10:14 +10:00
Pauli
3762a56b87 test: add unit tests for no-short-mac
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)
2024-07-26 10:10:14 +10:00
Pauli
98fbe67924 prov: add no-short-mac code to KMAC
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)
2024-07-26 10:10:14 +10:00
Pauli
d791c2c486 fips: wire in the no-short-mac option
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)
2024-07-26 10:10:13 +10:00
Pauli
3440a9a0e2 doc: document no-short-mac param
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)
2024-07-26 10:09:31 +10:00
Pauli
3f15ec76a4 paramnames: add params for no-short-mac option
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)
2024-07-26 10:09:31 +10:00
Pauli
fc98a2f6ad doc: document no_short_mac option to fipsinstall
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)
2024-07-26 10:09:29 +10:00
Pauli
00231a6ae9 fipsinstall: add no_short_mac option
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)
2024-07-26 10:08:43 +10:00
Pauli
4a002f51f0 evp_test: check MAC FIPS approved flag
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)
2024-07-26 10:08:43 +10:00
slontis
85caa417e0 Disable DSA signing in the FIPS provider.
This is a FIPS 140-3 requirement.
This uses a FIP indicator if either the FIPS configurable "dsa_sign_disabled" is set to 0,
OR OSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK is set to 0 in the dsa signing context.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24799)
2024-07-26 09:24:04 +10:00
Neil Horman
86fd4c1df9 Fix Coverity-1604641
Coverity flagged an overflow warning here that can occur if BIO_write
returns an error.

The overflow itself is a bit of a non-issue, but if BIO_write returns
< 0, then the return from i2a_ASN1_OBJECT will be some odd value
representing whatever the offset from the error code to the number of
bytes the dump may or may not have written (or some larger negative
error code if both fail.

So lets fix it.  Only do the dump if the BIO_write call returned 0 or
greaater.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/24976)
2024-07-25 14:23:39 -04:00
pohsingwu
3c6e114959 Fix typo in mk-fipsmodule-cnf.pl
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24977)
2024-07-25 09:34:51 +10:00
Jonathan M. Wilbur
34e8ddfc44 doc: the basicAttConstraints X.509v3 extension
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24847)
2024-07-24 16:14:17 -04:00
Jonathan M. Wilbur
aa51de6d6a test: the basicAttConstraints X.509v3 extension
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24847)
2024-07-24 16:14:17 -04:00
Jonathan M. Wilbur
7f5db0c9a9 feat: support the basicAttConstraints X.509v3 extension
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24847)
2024-07-24 16:14:17 -04:00
Neil Horman
ec1d8ead28 Fix strtoul test on alpine/musl
The strtoul tests that were recently added had a compile time check for
__WORDSIZE to properly determine the string to use for an maximal
unsigned long.  Unfortunately musl libc doesn't define __WORDSIZE so we
were in a position where on that platform we fall to the 32 bit unsigned
long variant, which breaks on x86 platforms.

Fix it by doing a preprocessor comparisong on ULONG_MAX instead.

NOTE: This works because preprocessors do arithmetic evaluation on
macros for every compiler we support.  We should be wary of some more
esoteric compilers though.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24974)
2024-07-24 12:03:16 -04:00
pohsingwu
14e46600c6 Restrict digest in set_ctx_params
In this commit, we also return different error if the digest is XOF.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23889)
2024-07-24 13:16:08 +10:00
pohsingwu
5e25b8afc0 Add FIPS indicator tests for KDFs
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23889)
2024-07-24 13:16:08 +10:00
pohsingwu
6d47e819f2 Restrict digest algorithm used in KDFs
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23889)
2024-07-24 13:16:08 +10:00
Neil Horman
4f619ca622 Ensure cmd from fuzz buffer is always valid
The quic-srtm fuzzer uses a loop in which an integer command is
extracted from the fuzzer buffer input to determine the action to take,
switching on the values between 0 and 3, and ignoring all other
commands.  Howver in the failing fuzzer test case here:
https://oss-fuzz.com/testcase-detail/5618331942977536

The buffer provided shows a large number of 0 values (indicating an SRTM
add command), and almost no 1, 2, or 3 values.  As such, the fuzzer only
truly exercises the srtm add path, which has the side effect of growing
the SRTM hash table unboundedly, leading to a timeout when 10 entries
need to be iterated over when the hashtable doall command is executed.

Fix this by ensuring that the command is always valid, and reasonably
distributed among all the operations with some modulo math.

Introducing this change bounds the hash table size in the reproducer
test case to less than half of the initially observed size, and avoids
the timeout.

Fixes openssl/project#679

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24827)
2024-07-23 08:20:15 -04:00
Dimitri Papadopoulos
aececda752 unnecessary whitespace before a quoted newline
Found by running the checkpatch.pl Linux script to enforce coding style.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22097)
2024-07-22 06:55:35 -04:00
Dimitri Papadopoulos
001b92d68d Prefer ARRAY_SIZE(...)
In OpenSSL, it's actually OSSL_NELEM() in "internal/nelem.h".

Found by running the checkpatch.pl Linux script to enforce coding style.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22097)
2024-07-22 06:55:35 -04:00
Dimitri Papadopoulos
f83707dc6d open brace '{' following struct go on the same line
Found by running the checkpatch.pl Linux script to enforce coding style.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22097)
2024-07-22 06:55:35 -04:00
Dimitri Papadopoulos
962431d58b that open brace { should be on the previous line
Found by running the checkpatch.pl Linux script to enforce coding style.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22097)
2024-07-22 06:55:35 -04:00
Dimitri Papadopoulos
1cf2f8231e Remove trailing whitespace
Found by running the checkpatch.pl Linux script to enforce coding style.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22097)
2024-07-22 06:55:35 -04:00