path: root/providers/implementations/asymciphers
Commit message | Author | Date | Files | Lines
* rsa: Add option to disable implicit rejection
  Author: Hubert Kario | Date: 2022-12-12 | Files: 1 | Lines: -2/+24

  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  Reviewed-by: Tim Hudson <tjh@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/13817)

* set MGF1 digest correctly
  Author: James Muir | Date: 2022-10-07 | Files: 1 | Lines: -3/+5

  Fixes #19290

  Update rsa_set_ctx_params() so that the digest function used in the MGF1 construction is set correctly. Add a test for this to evp_extra_test.c based on the code scaro-axway provided in #19290.

  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/19342)
* Stop raising ERR_R_MALLOC_FAILURE in most places
  Author: Richard Levitte | Date: 2022-10-05 | Files: 1 | Lines: -6/+2

  Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and at least handle the file name and line number they are called from, there's no need to report ERR_R_MALLOC_FAILURE where they are called directly, or when SSLfatal() and RLAYERfatal() are used, the reason `ERR_R_MALLOC_FAILURE` is changed to `ERR_R_CRYPTO_LIB`.

  There were a number of places where `ERR_R_MALLOC_FAILURE` was reported even though it was a function from a different sub-system that was called. Those places are changed to report ERR_R_{lib}_LIB, where {lib} is the name of that sub-system. Some of them are tricky to get right, as we have a lot of functions that belong in the ASN1 sub-system, and all the `sk_` calls or from the CRYPTO sub-system.

  Some extra adaptation was necessary where there were custom OPENSSL_malloc() wrappers, and some bugs are fixed alongside these changes.

  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Hugo Landau <hlandau@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/19301)
* sm2_dupctx: Avoid potential use after free of the md
  Author: Tomas Mraz | Date: 2022-06-10 | Files: 1 | Lines: -0/+2

  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/18494)

* Correctly calculate the length of SM2 plaintext given the ciphertext
  Author: Matt Caswell | Date: 2021-08-24 | Files: 1 | Lines: -1/+1

  Previously the length of the SM2 plaintext could be incorrectly calculated. The plaintext length was calculated by taking the ciphertext length and taking off an "overhead" value.

  The overhead value was assumed to have a "fixed" element of 10 bytes. This is incorrect since in some circumstances it can be more than 10 bytes. Additionally the overhead included the length of two integers C1x and C1y, which were assumed to be the same length as the field size (32 bytes for the SM2 curve). However in some cases these integers can have an additional padding byte when the msb is set, to disambiguate them from negative integers. Additionally the integers can also be less than 32 bytes in length in some cases.

  If the calculated overhead is incorrect and larger than the actual value this can result in the calculated plaintext length being too small. Applications are likely to allocate buffer sizes based on this and therefore a buffer overrun can occur.

  CVE-2021-3711

  Issue reported by John Ouyang.

  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>

* Move libssl related defines used by fips provider to prov_ssl.h
  Author: Tomas Mraz | Date: 2021-06-04 | Files: 1 | Lines: -1/+1

  This nicely reduces the number of files considered as fips provider sources.

  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15609)
* Rename all getters to use get/get0 in name
  Author: Tomas Mraz | Date: 2021-06-01 | Files: 2 | Lines: -3/+3

  For functions that exist in 1.1.1 provide simple aliases via #define.

  Fixes #15236

  Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_, EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_, EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_, EVP_MD_, and EVP_CIPHER_ prefixes are renamed.

  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15405)
* Use "" for include crypto/xxx
  Author: Rich Salz | Date: 2021-05-27 | Files: 1 | Lines: -1/+1

  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15468)
* Drop libimplementations.a
  Author: Richard Levitte | Date: 2021-05-07 | Files: 1 | Lines: -2/+2

  libimplementations.a was a nice idea, but had a few flaws:

  1. The idea to have common code in libimplementations.a and FIPS sensitive helper functions in libfips.a / libnonfips.a didn't catch on, and we saw full implementation ending up in them instead and not appearing in libimplementations.a at all.

  2. Because more or less ALL algorithm implementations were included in libimplementations.a (the idea being that the appropriate objects from it would be selected automatically by the linker when building the shared libraries), it's very hard to find only the implementation source that should go into the FIPS module, with the result that the FIPS checksum mechanism includes source files that it shouldn't.

  To mitigate, we drop libimplementations.a, but retain the idea of collecting implementations in static libraries. With that, we now have:

  libfips.a     Includes all implementations that should become part of the FIPS provider.
  liblegacy.a   Includes all implementations that should become part of the legacy provider.
  libdefault.a  Includes all implementations that should become part of the default and base providers.

  With this, libnonfips.a becomes irrelevant and is dropped.

  libcommon.a is retained to include common provider code that can be used uniformly by all providers.

  Fixes #15157

  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15171)
* Store some FIPS global variables in the FIPS_GLOBAL structure
  Author: Matt Caswell | Date: 2021-04-16 | Files: 1 | Lines: -1/+1

  We had some FIPS global variables that were based on values from the config file. In theory if two instances of the fips module are loaded they could be based on different config files which would cause this to fail. Instead we store them in the FIPS_GLOBAL structure.

  Fixes #14364

  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/14814)

* Deprecate the EVP_PKEY controls for CMS and PKCS#7
  Author: Tomas Mraz | Date: 2021-04-06 | Files: 1 | Lines: -9/+9

  Improve the ossl_rsa_check_key() to prevent non-signature operations with PSS keys.

  Do not invoke the EVP_PKEY controls for CMS and PKCS#7 anymore as they are not needed anymore and deprecate them.

  Fixes #14276

  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  (Merged from https://github.com/openssl/openssl/pull/14760)

* rsa: fix coverity 1472658: resource leak
  Author: Pauli | Date: 2021-03-20 | Files: 1 | Lines: -0/+2

  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/14596)

* prov: asym ciphers take an extra init() params argument
  Author: Pauli | Date: 2021-03-12 | Files: 2 | Lines: -12/+19

  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/14383)

* EVP_PKEY_CTX_get/settable_params: pass provider operation context
  Author: Tomas Mraz | Date: 2021-03-03 | Files: 2 | Lines: -4/+8

  This allows making the signature operations return different settable params when the context is initialized with EVP_DigestSign/VerifyInit.

  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/14338)

* Remove RSA SSLv23 padding mode
  Author: Rich Salz | Date: 2021-03-01 | Files: 1 | Lines: -1/+0

  Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/14248)

* Fix external symbols related to ec & sm2 keys
  Author: Shane Lontis | Date: 2021-02-26 | Files: 1 | Lines: -4/+4

  Partial fix for #12964

  This adds ossl_ names for the following symbols: ec_*, ecx_*, ecdh_*, ecdsa_*, sm2_*

  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/14231)

* Move the PROV_R reason codes to a public header
  Author: Tomas Mraz | Date: 2021-02-11 | Files: 2 | Lines: -2/+2

  The PROV_R codes can be returned to applications so it is useful to have some common set of provider reason codes for the applications or third party providers.

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/14086)
* Fix some odd names in our provider source code
  Author: Richard Levitte | Date: 2021-02-01 | Files: 1 | Lines: -1/+1

  ecossl_dh_keyexch_functions -> ossl_ecdh_keyexch_functions
  ecossl_dsa_signature_functions -> ossl_ecdsa_signature_functions
  sm2_asym_cipher_functions -> ossl_sm2_asym_cipher_functions
  sm2_keymgmt_functions -> ossl_sm2_keymgmt_functions
  sm2_signature_functions -> ossl_sm2_signature_functions

  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/14028)
* Update copyright year
  Author: Richard Levitte | Date: 2021-01-28 | Files: 2 | Lines: -2/+2

  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/13999)

* Clean away unnecessary length related OSSL_PARAM key names
  Author: Richard Levitte | Date: 2021-01-26 | Files: 1 | Lines: -6/+3

  This cleans away old misunderstandings of what can be done with OSSL_PARAM.

  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/13946)

* Deprecate EC_KEY + Update ec apps to use EVP_PKEY
  Author: Shane Lontis | Date: 2021-01-26 | Files: 1 | Lines: -0/+2

  Co-author: Richard Levitte <levitte@openssl.org>
  Co-author: Tomas Mraz <tmraz@openssl.org>

  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/13139)

* Convert all {NAME}err() in providers/ to their corresponding ERR_raise() call
  Author: Richard Levitte | Date: 2020-11-11 | Files: 1 | Lines: -4/+4

  This was done using util/err-to-raise

  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/13319)

* Rename some occurrences of 'library_context' and 'lib_ctx' to 'libctx'
  Author: Dr. Matthias St. Pierre | Date: 2020-10-15 | Files: 2 | Lines: -2/+2

  This change makes the naming more consistent, because three different terms were used for the same thing. (The term libctx was used by far most often.)

  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12621)

* Rename OPENSSL_CTX prefix to OSSL_LIB_CTX
  Author: Dr. Matthias St. Pierre | Date: 2020-10-15 | Files: 2 | Lines: -2/+2

  Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix, e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER. The OPENSSL_CTX type stands out a little by using a different prefix. For consistency reasons, this type is renamed to OSSL_LIB_CTX.

  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12621)

* rsa: add ossl_ prefix to internal rsa_ calls.
  Author: Pauli | Date: 2020-10-07 | Files: 1 | Lines: -11/+10

  The functions being: rsa_check_crt_components, rsa_check_key, rsa_check_pminusq_diff, rsa_check_prime_factor, rsa_check_prime_factor_range, rsa_check_private_exponent, rsa_check_public_exponent, rsa_digestinfo_encoding, rsa_fips186_4_gen_prob_primes, rsa_fromdata, rsa_get0_all_params, rsa_get0_libctx, rsa_get0_pss_params_30, rsa_get_lcm, rsa_mgf_nid2name, rsa_mp_coeff_names, rsa_mp_exp_names, rsa_mp_factor_names, rsa_new_with_ctx, rsa_oaeppss_md2nid, rsa_oaeppss_nid2name, rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx, rsa_padding_add_PKCS1_type_2_with_libctx, rsa_padding_add_SSLv23_with_libctx, rsa_padding_check_PKCS1_type_2_TLS, rsa_pkey_method, rsa_pss_params_30_copy, rsa_pss_params_30_fromdata, rsa_pss_params_30_hashalg, rsa_pss_params_30_is_unrestricted, rsa_pss_params_30_maskgenalg, rsa_pss_params_30_maskgenhashalg, rsa_pss_params_30_saltlen, rsa_pss_params_30_set_defaults, rsa_pss_params_30_set_hashalg, rsa_pss_params_30_set_maskgenalg, rsa_pss_params_30_set_maskgenhashalg, rsa_pss_params_30_set_saltlen, rsa_pss_params_30_set_trailerfield, rsa_pss_params_30_todata, rsa_pss_params_30_trailerfield, rsa_pss_pkey_method, rsa_set0_all_params, rsa_sp800_56b_check_keypair, rsa_sp800_56b_check_private, rsa_sp800_56b_check_public, rsa_sp800_56b_derive_params_from_pq, rsa_sp800_56b_generate_key, rsa_sp800_56b_pairwise_test, rsa_sp800_56b_validate_strength, rsa_todata, rsa_validate_pairwise, rsa_validate_private and rsa_validate_public.

  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/13040)
* Run the withlibctx.pl script
  Author: Matt Caswell | Date: 2020-10-01 | Files: 1 | Lines: -6/+5

  Automatically rename all instances of _with_libctx() to _ex() as per our coding style.

  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12970)

* prov: prefix all OSSL_DISPATCH tables names with ossl_
  Author: Pauli | Date: 2020-09-29 | Files: 1 | Lines: -1/+1

  This stops them leaking into other namespaces in a static build. They remain internal.

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/13013)

* Move SM2 asymmetric encryption to be available in the default provider
  Author: Matt Caswell | Date: 2020-09-25 | Files: 2 | Lines: -0/+230

  Fixes #12908

  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12913)

* Add 'fips-securitychecks' option and plumb this into the actual fips checks
  Author: Shane Lontis | Date: 2020-09-18 | Files: 1 | Lines: -1/+1

  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12745)

* Add fips checks for rsa encryption
  Author: Shane Lontis | Date: 2020-09-18 | Files: 1 | Lines: -6/+22

  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12745)

* asymciphers: add FIPS error state handling
  Author: Pauli | Date: 2020-09-12 | Files: 1 | Lines: -2/+18

  Check for provider being runnable in newctx, init, encrypt and decrypt.

  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12801)
* provider: add the unused parameter tag to the gettable and settable functions
  Author: Pauli | Date: 2020-08-12 | Files: 1 | Lines: -2/+2

  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12603)
* gettables: provider changes to pass the provider context.
  Author: Pauli | Date: 2020-08-07 | Files: 1 | Lines: -2/+2

  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12581)
* Make the naming scheme for dispatched functions more consistent
  Author: Dr. Matthias St. Pierre | Date: 2020-06-24 | Files: 1 | Lines: -11/+11

  The new naming scheme consistently uses the `OSSL_FUNC_` prefix for all functions which are dispatched between the core and providers. This change includes in particular all up- and downcalls, i.e., the dispatched functions passed from core to provider and vice versa.

  - OSSL_core_ -> OSSL_FUNC_core_
  - OSSL_provider_ -> OSSL_FUNC_core_

  For operations and their function dispatch tables, the following convention is used:

  Type                | Name (evp_generic_fetch(3))       |
  --------------------|-----------------------------------|
  operation           | OSSL_OP_FOO                       |
  function id         | OSSL_FUNC_FOO_FUNCTION_NAME       |
  function "name"     | OSSL_FUNC_foo_function_name       |
  function typedef    | OSSL_FUNC_foo_function_name_fn    |
  function ptr getter | OSSL_FUNC_foo_function_name       |

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12222)
* Rename <openssl/core_numbers.h> -> <openssl/core_dispatch.h>
  Author: Dr. Matthias St. Pierre | Date: 2020-06-24 | Files: 1 | Lines: -1/+1

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12222)

* PROV: Use rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx() in RSA-OAEP
  Author: Richard Levitte | Date: 2020-05-27 | Files: 1 | Lines: -5/+7

  Fixes #11904

  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/11959)

* PROV: Fix RSA-OAEP memory leak
  Author: Richard Levitte | Date: 2020-05-26 | Files: 1 | Lines: -0/+1

  The OAEP label wasn't freed when the operation context was freed.

  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/11927)
* Update core_names.h fields and document most fields.
  Author: Shane Lontis | Date: 2020-05-26 | Files: 1 | Lines: -6/+5

  Renamed some values in core_names, i.e. some DH-specific names were changed to use DH instead of FFC.
  Added some string values related to RSA keys.
  Moved set_params related docs out of EVP_PKEY_CTX_ctrl.pod into its own file.
  Updated Keyexchange and signature code and docs.
  Moved some common DSA/DH docs into a shared EVP_PKEY-FFC.pod.
  Moved Ed25519.pod into EVP_SIGNATURE-ED25519.pod and reworked it.
  Added some usage examples. As a result of the usage examples the following change was also made: ec allows OSSL_PKEY_PARAM_USE_COFACTOR_ECDH as a settable gen parameter.

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/11610)
* PROV & ASYM_CIPHER: Adapt the RSA asymmetric cipher code for PSS-parameters
  Author: Richard Levitte | Date: 2020-05-14 | Files: 1 | Lines: -1/+10

  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/11710)

* Update copyright year
  Author: Matt Caswell | Date: 2020-04-23 | Files: 1 | Lines: -1/+1

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/11616)

* Use RAND_bytes_ex in crypto/rsa
  Author: Matt Caswell | Date: 2020-03-19 | Files: 1 | Lines: -1/+2

  At various points in crypto/rsa we need to get random numbers. We should ensure that we use the correct libctx when doing so.

  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/11355)

* Deprecate the low level RSA functions.
  Author: Pauli | Date: 2020-02-20 | Files: 1 | Lines: -0/+6

  Use of the low level RSA functions has been informally discouraged for a long time. We now formally deprecate them.

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/11063)

* Coverity 1458439: fix resource leak
  Author: Pauli | Date: 2020-02-17 | Files: 1 | Lines: -0/+1

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/11101)

* Make the RSA ASYM_CIPHER implementation available inside the FIPS module
  Author: Matt Caswell | Date: 2020-02-13 | Files: 2 | Lines: -2/+16

  RSA ASYM_CIPHER was already available within the default provider. We now make it also available from inside the FIPS module.

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/10881)

* PROV: Implement padding mode words in the RSA ASYM_CIPHER implementation
  Author: Richard Levitte | Date: 2020-02-04 | Files: 1 | Lines: -6/+66

  Because the libcrypto code has relinquished control of exact words to express padding mode choices, we re-implement them in the appropriate provider implementation.

  For the sake of legacy controls, we maintain support for the numeric form of the padding mode, but leave that support otherwise undeclared.

  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/10947)

* Add internal maxsize macros
  Author: Richard Levitte | Date: 2020-01-23 | Files: 1 | Lines: -2/+3

  We've started to see "magic" numbers being used for certain sizes, such as algorithm names and property query strings. This change takes care of the few items where buffers for algorithm names and property query strings are used.

  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/10928)
* Teach the RSA implementation about TLS RSA Key Transport
  Author: Matt Caswell | Date: 2019-12-05 | Files: 1 | Lines: -16/+84

  In TLSv1.2 a pre-master secret value is passed from the client to the server encrypted using RSA PKCS1 type 2 padding in a ClientKeyExchange message. As well as the normal formatting rules for RSA PKCS1 type 2 padding TLS imposes some additional rules about what constitutes a well formed key. Specifically it must be exactly the right length and encode the TLS version originally requested by the client (as opposed to the actual negotiated version) in its first two bytes.

  All of these checks need to be done in constant time and, if they fail, then the TLS implementation is supposed to continue anyway with a random key (and therefore the connection will fail later on). This avoids padding oracle type attacks.

  This commit implements this within the RSA padding code so that we keep all the constant time padding logic in one place. A later commit will remove it from libssl.

  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/10411)
* Move RSA Asym cipher code to the default provider
  Author: Matt Caswell | Date: 2019-11-14 | Files: 2 | Lines: -0/+395

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/10152)