oweals/openssl.git
Add DH key validation to default provider
Shane Lontis [Tue, 21 Jan 2020 05:45:40 +0000 (15:45 +1000)]
Add DH key validation to default provider

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10911)

config, Configure: move the check of removed crypto/ sub-systems
Richard Levitte [Mon, 2 Mar 2020 09:50:24 +0000 (10:50 +0100)]
config, Configure: move the check of removed crypto/ sub-systems

The 'config' script checked for a bunch of crypto/ sub-system
directories, and added 'no-' options if they weren't there.

We move it to 'Configure' in an effort to simplify 'config' for
further work.

Note: this is pretty much a historical thing.  In modern OpenSSL, it's
much simpler to edit the SUBDIRS statement in crypto/build.info.
However, it's been claimed that there are those who still remove some
of these sub-system sources.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11217)

.travis.yml: where it matters, have build and source nesting levels differ
Richard Levitte [Wed, 26 Feb 2020 13:57:39 +0000 (14:57 +0100)]
.travis.yml: where it matters, have build and source nesting levels differ

Where we build out of source, the source directory was _srcdist and
the build directory was _build.  That gives the same nesting level for
both, which doesn't quite exercise all aspects of relative back
references from build to source tree.

Changing the build tree to be in _build/tree will challenge back
references a bit more, and ensure a bit more that we got it right.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11186)

Add some missing env var documentation
Rich Salz [Wed, 26 Feb 2020 20:25:43 +0000 (15:25 -0500)]
Add some missing env var documentation

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11189)

.gitignore: Add /apps/progs.{c,h}
Vladimir Panteleev [Mon, 2 Mar 2020 18:05:03 +0000 (18:05 +0000)]
.gitignore: Add /apps/progs.{c,h}

These files were removed from the source tree in
fe909ee4aeb6eb64f6f31a1544c5d3c81c5fe1f1.

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11222)

Add Serializers for EC
Shane Lontis [Sun, 16 Feb 2020 09:54:08 +0000 (19:54 +1000)]
Add Serializers for EC

Provide EC serializers for text, pem and der.

EC parameters use ASN1 'CHOICE' - which means they are more embedded than other parameters used by
other KEY types (which normally have a SEQUENCE at the top level).
For this reason the ASN1_STRING type that was being passed around has been changed to a void so that the
code can still be shared with EC.

The EC serializer only supports named curves currently.

NOTE the serializer code assumes PKCS8 format - if the older encode methods are needed they will need to be
added in another PR. (Probably when deserialization is considered).

EVP_PKEY_key_fromdata_init was changed from using a keypair selection to all bits of a key. A side effect of this was
that the very restrictive checks in the ecx code needed to be relaxed as it was assuming all selection flags were non
optional. As this is not the case for any other key the code has been modified.

Fixed a bug in legacy_ctrl_str_to_params() - "ecdh_cofactor_mode" was being incorrectly converted to the wrong keyname.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11107)

Correct two small documentation issues
Tomas Mraz [Tue, 3 Mar 2020 14:34:53 +0000 (15:34 +0100)]
Correct two small documentation issues

The find-doc-nits complains about non-zero word and about missing
line before =head1 which causes build failure.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11231)

Documenting newly added CMS modification
Dmitry Belyavskiy [Tue, 21 Jan 2020 12:04:42 +0000 (15:04 +0300)]
Documenting newly added CMS modification

Documented CMS-related API functions.
Documented flags added to openssl-cms command

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10904)

Implementation of Russian GOST CMS
Dmitry Belyavskiy [Mon, 20 Jan 2020 15:17:44 +0000 (18:17 +0300)]
Implementation of Russian GOST CMS

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10904)

doc: document that 'openssl rand' is cryptographically secure
Dr. Matthias St. Pierre [Sun, 1 Mar 2020 23:25:29 +0000 (00:25 +0100)]
doc: document that 'openssl rand' is cryptographically secure

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11213)

Fix build with clang assembler
Philippe Antoine [Mon, 2 Mar 2020 12:46:37 +0000 (13:46 +0100)]
Fix build with clang assembler

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11219)

Add pairwise consistency self tests to asym keygenerators
Shane Lontis [Tue, 3 Mar 2020 04:02:36 +0000 (14:02 +1000)]
Add pairwise consistency self tests to asym keygenerators

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10952)
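The two commits "Add DH key validation to default provider" and "Add pairwise consistency self tests to asym keygenerators" above both add checks that run before a key is trusted. The following is an added example, not code from OpenSSL or from either commit: it shows, on a deliberately tiny constructed group (p = 67, q = 11, chosen so that p - 1 also has a factor 3), the shape of a full DH public-key validation (range check plus subgroup-order check in the style of SP 800-56A) and of a keygen pairwise consistency test (recompute the public key from the private one and compare). The group, the private values and the helper names are all assumptions of this example; the group is far too small for real use.

```python
"""Toy DH public-key validation and keygen pairwise consistency test.

Added example, not OpenSSL's own code.  The group is constructed for
illustration only: p = 67 is prime, p - 1 = 2 * 3 * 11, and g generates
the subgroup of prime order q = 11.  Because p - 1 also has the factor 3,
there are elements (e.g. 37) that pass the range check but have order 3,
which is exactly what the subgroup check is there to reject.
"""

# Constructed toy group parameters (assumption: not a real DH group).
P = 67
Q = 11
G = 64          # == pow(2, (P - 1) // Q, P); an element of order Q


def validate_pub_key(y, p=P, q=Q):
    """Full public-key validation: reject y outside 1 < y < p - 1 and,
    when the subgroup order q is known, reject any y whose order is not q
    (y ** q mod p must equal 1).  Returns True when y is acceptable."""
    if not 1 < y < p - 1:
        return False
    if q is not None and pow(y, q, p) != 1:
        return False
    return True


def generate_keypair(x, p=P, q=Q, g=G):
    """Derive the public key for a caller-supplied private value x.
    A real generator draws x from a CSPRNG; it is a parameter here so the
    example is deterministic."""
    if not 1 <= x < q:
        raise ValueError("private key out of range")
    return x, pow(g, x, p)


def pairwise_consistency_test(x, y, p=P, g=G):
    """Keygen self-test: recompute g ** x mod p and compare with the public
    key produced alongside x.  A mismatch means the pair must not be used."""
    return pow(g, x, p) == y


def check_and_derive(x, peer_pub, p=P, q=Q, g=G):
    """Put both checks in front of a shared-secret derivation: our own pair
    must pass the pairwise test and the peer's public key must validate
    before peer_pub ** x mod p is computed.  Returns None on any failure."""
    x, y = generate_keypair(x, p, q, g)
    if not pairwise_consistency_test(x, y, p, g):
        return None
    if not validate_pub_key(peer_pub, p, q):
        return None
    return pow(peer_pub, x, p)


if __name__ == "__main__":
    # 37 is in range but has order 3: it must be rejected.
    print("validate 37:", validate_pub_key(37))
    # 40 == g ** 3 mod p lies in the order-q subgroup: accepted.
    print("validate 40:", validate_pub_key(40))
    # Two honest parties (x = 2 and x = 3) derive the same secret.
    print("secrets:", check_and_derive(2, 40), check_and_derive(3, 9))
```

The subgroup check matters because an attacker who sends a public value of small order (37 here) confines the shared secret to a handful of possibilities; the range check alone does not catch it. The pairwise test guards against a different failure, a generator that produced a public key that does not belong to the private key it returned.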

.travis.yml: Remove NOUPDATE support
Richard Levitte [Thu, 27 Feb 2020 01:07:50 +0000 (02:07 +0100)]
.travis.yml: Remove NOUPDATE support

It was a temporary measure to deal with the fact that util/progs.pl
didn't work right at all times, but that has now been fixed.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

Remove apps/progs.c and apps/progs.h
Richard Levitte [Wed, 26 Feb 2020 13:52:04 +0000 (14:52 +0100)]
Remove apps/progs.c and apps/progs.h

Since they are generated in build time, there's no need to keep them
in the source tree.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

Configure: Diverse cleanups
Richard Levitte [Wed, 26 Feb 2020 13:42:10 +0000 (14:42 +0100)]
Configure: Diverse cleanups

There were some remaining old code and comments that don't serve a
purpose any longer.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

Build: Generate apps/progs.c and apps/progs.h in build time
Richard Levitte [Wed, 26 Feb 2020 13:39:16 +0000 (14:39 +0100)]
Build: Generate apps/progs.c and apps/progs.h in build time

util/progs.pl depends on the build tree (on configdata.pm,
specifically), so it needs to be run from the build tree.  But why
stop there?  We might as well generate apps/progs.c and apps/progs.h
when building.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

build.info: Implement simple substitutions in variable values
Richard Levitte [Wed, 26 Feb 2020 13:35:17 +0000 (14:35 +0100)]
build.info: Implement simple substitutions in variable values

Use case: having a variable with multiple source files in its value,
and wanting to refer to the corresponding object file.

    $SRCS=foo.c bar.c
    SOURCE[program]=$SRCS
    DEPEND[${SRCS/.c/.o}]=prog.h

    GENERATE[prog.h]=...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

build.info: Make it possible to have more than one item in KEYWORD[]
Richard Levitte [Wed, 26 Feb 2020 13:30:38 +0000 (14:30 +0100)]
build.info: Make it possible to have more than one item in KEYWORD[]

So far, the "index" part of KEYWORD[whatever] could only handle one
item.  There are cases, however, where we want to add the exact same
value to multiple items.  This is especially helpful if a variable
that may have multi-item values is used in the "index" part.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

PROV: Add an OP_keymgmt_match() function to our DH, DSA, RSA and EC_KEY impl
Richard Levitte [Thu, 6 Feb 2020 08:53:15 +0000 (09:53 +0100)]
PROV: Add an OP_keymgmt_match() function to our DH, DSA, RSA and EC_KEY impl

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)

EVP: Add support for copying provided EVP_PKEYs
Richard Levitte [Wed, 5 Feb 2020 15:30:21 +0000 (16:30 +0100)]
EVP: Add support for copying provided EVP_PKEYs

This adds evp_keymgmt_util_copy() and affects EVP_PKEY_copy_parameters()

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)

KEYMGMT: Add a keydata copy function
Richard Levitte [Wed, 5 Feb 2020 14:41:58 +0000 (15:41 +0100)]
KEYMGMT: Add a keydata copy function

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)

EVP: Add support for comparing provided EVP_PKEYs
Richard Levitte [Wed, 5 Feb 2020 11:55:43 +0000 (12:55 +0100)]
EVP: Add support for comparing provided EVP_PKEYs

This adds evp_keymgmt_util_match() and affects EVP_PKEY_cmp() and
EVP_PKEY_cmp_parameters().

The word 'match' was used for the new routines because many associate
'cmp' with comparison functions that allow sorting, i.e. return -1, 0
or 1 depending on the order in which the two compared elements should
be sorted.  EVP_PKEY_cmp() and EVP_PKEY_cmp_parameters() don't quite
do that.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)

KEYMGMT: Add a keydata matching function
Richard Levitte [Wed, 5 Feb 2020 11:53:14 +0000 (12:53 +0100)]
KEYMGMT: Add a keydata matching function

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)

EVP: Adapt EVP_PKEY_missing_parameters() for provider keys
Richard Levitte [Wed, 5 Feb 2020 09:18:51 +0000 (10:18 +0100)]
EVP: Adapt EVP_PKEY_missing_parameters() for provider keys

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)

crypto/perlasm/x86_64-xlate.pl: detect GNU as to deal with quirks
Richard Levitte [Thu, 27 Feb 2020 05:03:52 +0000 (06:03 +0100)]
crypto/perlasm/x86_64-xlate.pl: detect GNU as to deal with quirks

It turns out that GNU as and Solaris as don't have compatible ideas on
the .section syntax, so we need to check if we're using GNU as or
another assembler and adapt this .section syntax accordingly.

Fixes #11132

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11191)

Fix drop of const qualifier
André Klitzing [Sat, 29 Feb 2020 22:40:29 +0000 (23:40 +0100)]
Fix drop of const qualifier

The parameter got "const" in 9fdcc21fdc9 but that was not added
to cast. So this throws a -Wcast-qual in user code.

error: cast from 'const DUMMY *' to 'ASN1_VALUE_st *' drops const qualifier [-Werror,-Wcast-qual]

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11210)

DOCS: Add and modify docs for internal EVP_KEYMGMT utility functions
Richard Levitte [Mon, 24 Feb 2020 18:15:47 +0000 (19:15 +0100)]
DOCS: Add and modify docs for internal EVP_KEYMGMT utility functions

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11148)

DOCS: Add internal docs for EVP_PKEY and the export functions
Richard Levitte [Mon, 24 Feb 2020 13:36:09 +0000 (14:36 +0100)]
DOCS: Add internal docs for EVP_PKEY and the export functions

Functions covered:

- evp_pkey_export_to_provider()
- evp_pkey_upgrade_to_provider()

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11148)

EVP: Add evp_pkey_upgrade_to_provider(), for EVP_PKEY upgrades
Richard Levitte [Thu, 20 Feb 2020 21:55:41 +0000 (22:55 +0100)]
EVP: Add evp_pkey_upgrade_to_provider(), for EVP_PKEY upgrades

This function "upgrades" a key from a legacy key container to a
provider side key container.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11148)

Rethink the EVP_PKEY cache of provider side keys
Richard Levitte [Thu, 20 Feb 2020 19:26:16 +0000 (20:26 +0100)]
Rethink the EVP_PKEY cache of provider side keys

The role of this cache was two-fold:

1.  It was a cache of key copies exported to providers with which an
    operation was initiated.
2.  If the EVP_PKEY didn't have a legacy key, item 0 of the cache was
    the corresponding provider side origin, while the rest was the
    actual cache.

This dual role for item 0 made the code a bit confusing, so we now
make a separate keymgmt / keydata pair outside of that cache, which is
the provider side "origin" key.

A hard rule is that an EVP_PKEY cannot hold a legacy "origin" and a
provider side "origin" at the same time.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11148)

man: openssl-ocsp: separate client and server options
Dr. Matthias St. Pierre [Thu, 6 Feb 2020 14:24:07 +0000 (15:24 +0100)]
man: openssl-ocsp: separate client and server options

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11033)

x509v3 subjectSignTool extension support
Nikolay Morozov [Fri, 14 Feb 2020 10:14:30 +0000 (13:14 +0300)]
x509v3 subjectSignTool extension support

Subject Sign Tool (1.2.643.100.111) The name of the tool used to sign the subject (UTF8String)
This extension is required to obtain the status of a qualified certificate in the Russian Federation.
RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5
Russian Federal Law 63 "Digital Sign" is available here:  http://www.consultant.ru/document/cons_doc_LAW_112701/

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11093)

Fix util/mktar.sh to use the new VERSION information
Richard Levitte [Thu, 27 Feb 2020 00:09:23 +0000 (01:09 +0100)]
Fix util/mktar.sh to use the new VERSION information

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11190)

Fix comment placement in ecp_nistp256.ci
Scott Arciszewski [Mon, 24 Feb 2020 20:29:12 +0000 (12:29 -0800)]
Fix comment placement in ecp_nistp256.ci

CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11175)

Deprecate ASN1_sign(), ASN1_verify() and ASN1_digest()
Richard Levitte [Mon, 24 Feb 2020 21:33:52 +0000 (22:33 +0100)]
Deprecate ASN1_sign(), ASN1_verify() and ASN1_digest()

These are old functions that fell out of use with OpenSSL 0.9.7.
It's more than time to deprecate them.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11161)

Implement the ECX Serializers
Matt Caswell [Thu, 27 Feb 2020 22:08:59 +0000 (08:08 +1000)]
Implement the ECX Serializers

Provide serializers for X25519 and X448 for text, pem and der. There are
no parameter serializers because there are no parameters for these
algorithms.

Add some documentation about the various import/export types available
Add additional testing for the serializers

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11095)

Replace util/shlib_wrap.sh with util/wrap.pl in diverse docs
Richard Levitte [Tue, 18 Feb 2020 07:25:06 +0000 (08:25 +0100)]
Replace util/shlib_wrap.sh with util/wrap.pl in diverse docs

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11110)

Build file templates: don't set OPENSSL_{ENGINES,MODULES}
Richard Levitte [Mon, 17 Feb 2020 14:20:57 +0000 (15:20 +0100)]
Build file templates: don't set OPENSSL_{ENGINES,MODULES}

Since we've now switched to use util/wrap.pl to wrap uninstalled
programs everywhere, there's no need to set the environment variables
OPENSSL_ENGINES and OPENSSL_MODULES globally for the tests.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11110)

TEST: add util/wrap.pl and use it
Richard Levitte [Mon, 17 Feb 2020 14:05:04 +0000 (15:05 +0100)]
TEST: add util/wrap.pl and use it

util/wrap.pl is a script that defines the environment variables
OPENSSL_ENGINES and OPENSSL_MODULES, then calls the command line
that's given as its arguments.

On a POSIX platform, the command line call is done via
util/shlib_wrap.sh to ensure that the shared library paths are
correct.  For other platforms, util/wrap.pl currently assumes that
similar things are already in place through other means.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11110)

VMS: mitigate for the C++ compiler that doesn't understand certain pragmas
Richard Levitte [Mon, 24 Feb 2020 13:56:26 +0000 (14:56 +0100)]
VMS: mitigate for the C++ compiler that doesn't understand certain pragmas

This only affects __DECC_INCLUDE_EPILOGUE.H and __DECC_INCLUDE_PROLOGUE.H,
which are used automatically by HP and VSI C/C++ compilers.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11159)

(cherry picked from commit 605a0c709f4d50497a1c49ee117a0ec4bb956d58)

doc: add a fancy CHANGES entry to celebrate the new Markdown format
Dr. Matthias St. Pierre [Tue, 25 Feb 2020 16:04:47 +0000 (17:04 +0100)]
doc: add a fancy CHANGES entry to celebrate the new Markdown format

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

doc: revamp the SUPPORT file
Dr. Matthias St. Pierre [Fri, 29 Nov 2019 18:45:56 +0000 (19:45 +0100)]
doc: revamp the SUPPORT file

To be continued...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

doc: revamp the INSTALL file
Dr. Matthias St. Pierre [Tue, 31 Dec 2019 00:09:40 +0000 (01:09 +0100)]
doc: revamp the INSTALL file

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

doc: add missing CHANGES entries for all versions >= 1.0.0
Dr. Matthias St. Pierre [Tue, 3 Dec 2019 17:32:21 +0000 (18:32 +0100)]
doc: add missing CHANGES entries for all versions >= 1.0.0

Up to now, CHANGES entries for older releases were only added to the
corresponding stable branches, so they were missing in the master
branch. This commit adds the missing entries, taking them from the
respective stable branches.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

doc: add missing NEWS entries for all versions >= 1.0.0
Dr. Matthias St. Pierre [Sat, 30 Nov 2019 16:07:31 +0000 (17:07 +0100)]
doc: add missing NEWS entries for all versions >= 1.0.0

Up to now, NEWS entries for older releases were only added to the
corresponding stable branches, so they were missing in the master
branch. This commit adds the missing entries, taking them from the
respective stable branches.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

doc: revamp the README file
Dr. Matthias St. Pierre [Fri, 29 Nov 2019 19:45:28 +0000 (20:45 +0100)]
doc: revamp the README file

 * Add an OpenSSL logo and CI badges
 * Add a table of contents
 * Add a lot of links

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

doc: add OpenSSL logo
Dr. Matthias St. Pierre [Sat, 30 Nov 2019 22:45:03 +0000 (23:45 +0100)]
doc: add OpenSSL logo

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

doc: introduce some minimalistic markdown without essential changes
Dr. Matthias St. Pierre [Thu, 28 Nov 2019 22:10:51 +0000 (23:10 +0100)]
doc: introduce some minimalistic markdown without essential changes

The goal is to transform the standard documents

    README, INSTALL, SUPPORT, CONTRIBUTING, ...

from a pure text format into markdown format, but in such a way
that the documentation remains nicely formatted and easily readable
when viewed with a normal text editor.

To achieve this goal, we use a special form of 'minimalistic' markdown
which interferes as little as possible with the reading flow.

 * avoid [ATX headings][] and use [setext headings][] instead
   (works for `<h1>` and `<h2>` headings only).
 * avoid [inline links][] and use [reference links][] instead.
 * avoid [fenced code blocks][], use [indented code blocks][] instead.

The transformation will take place in several steps. This commit
mostly changes the formatting and does not change the content
significantly.

[ATX headings]:         https://github.github.com/gfm/#atx-headings
[setext headings]:      https://github.github.com/gfm/#setext-headings
[inline links]:         https://github.github.com/gfm/#inline-link
[reference links]:      https://github.github.com/gfm/#reference-link
[fenced code blocks]:   https://github.github.com/gfm/#fenced-code-blocks
[indented code blocks]: https://github.github.com/gfm/#indented-code-blocks

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

doc: convert standard project docs to markdown
Dr. Matthias St. Pierre [Thu, 28 Nov 2019 22:56:36 +0000 (23:56 +0100)]
doc: convert standard project docs to markdown

In the first step, we just add the .md extension and move some
files around, without changing any content. These changes will
occur in the following commits.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

Use a wrapper for pod2html
Rich Salz [Wed, 15 Jan 2020 19:53:29 +0000 (14:53 -0500)]
Use a wrapper for pod2html

Remove unused util/process_docs.pl

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10856)

apps x509: restrict CAkeyform option to OPT_FMT_PDE
Bastian Germann [Thu, 13 Feb 2020 10:45:50 +0000 (11:45 +0100)]
apps x509: restrict CAkeyform option to OPT_FMT_PDE

CAkeyform may be set to PEM, DER or ENGINE, but the current options
are not using the proper optionformat 'E' (OPT_FMT_PDE) for this.

Set the valtype for CAkeyform to 'E' and use OPT_FMT_PDE when extracting
the option value.

This amends 0ab6fc79a9a ("Fix regression on x509 keyform argument") which
did the same thing for keyform and changed the manpage synopsis entries
for both keyform and CAkeyform but did not change the option section.
Hence, change the option section for both of them.

CLA: trivial

Co-developed-by: Torben Hohn <torben.hohn@linutronix.de>
Signed-off-by: Torben Hohn <torben.hohn@linutronix.de>
Signed-off-by: Bastian Germann <bage@linutronix.de>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11085)

bugfix in cmac calculation example
Asfak Rahman [Fri, 21 Feb 2020 07:41:29 +0000 (09:41 +0200)]
bugfix in cmac calculation example

The example never executes code inside of the while loop, as read()
returns a number bigger than 0. Thus the end result is wrong.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11143)

Avoid arm64 builds timeout due to silent make taking too long time
Tomas Mraz [Wed, 26 Feb 2020 07:41:36 +0000 (08:41 +0100)]
Avoid arm64 builds timeout due to silent make taking too long time

Also reuse one of the arm64 builds as a no-deprecated build
Also include a single ppc64le-build

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11181)

secmem: ignore small minsize arguments to CRYPTO_secure_malloc_init().
Pauli [Sat, 22 Feb 2020 08:39:28 +0000 (18:39 +1000)]
secmem: ignore small minsize arguments to CRYPTO_secure_malloc_init().

If the user specifies a minimum allocation size that is smaller than
the free list structure (or zero), calculate the minimum possible size rather
than failing.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11149)

sec_mem: add note about the minimum size parameter.
Pauli [Sat, 22 Feb 2020 00:35:26 +0000 (10:35 +1000)]
sec_mem: add note about the minimum size parameter.

Add a note indicating that the minimum size parameter to
CRYPTO_secure_malloc_init() should be small.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11149)

Mem-sec small code adjustment
Davide Galassi [Wed, 26 Feb 2020 05:31:17 +0000 (15:31 +1000)]
Mem-sec small code adjustment

Conditional code readability improvement.

Remove unused macro

Commit #11042 has introduced a new, unused, CRYPTO_EX_INDEX macro.
Remove before version release.

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11103)

x86_64: Replace .asciz "GNU" with .byte
H.J. Lu [Wed, 26 Feb 2020 03:04:41 +0000 (13:04 +1000)]
x86_64: Replace .asciz "GNU" with .byte

Replace .asciz "GNU" with .byte since .asciz isn't supported on Solaris.
Fixes https://github.com/openssl/openssl/issues/11132

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11137)

Check that the DRBG's internal state has been zeroized after uninstantiation
Dr. Matthias St. Pierre [Mon, 17 Feb 2020 18:39:05 +0000 (19:39 +0100)]
Check that the DRBG's internal state has been zeroized after uninstantiation

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11111)

DRBG: delay initialization of DRBG method until instantiation
Dr. Matthias St. Pierre [Mon, 17 Feb 2020 18:25:55 +0000 (19:25 +0100)]
DRBG: delay initialization of DRBG method until instantiation

Previously, the initialization was done immediately in RAND_DRBG_set(),
which is also called in RAND_DRBG_uninstantiate().

This made it difficult for the FIPS DRBG self test to verify that the
internal state had been zeroized, because it had the side effect that
the drbg->data structure was reinitialized immediately.

To solve the problem, RAND_DRBG_set() has been split in two parts

    static int rand_drbg_set(RAND_DRBG *drbg, int type, unsigned int flags);
    static int rand_drbg_init_method(RAND_DRBG *drbg);

and only the first part is called from RAND_DRBG_uninstantiate().

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11111)

config: Drop linux-alpha-gcc+bwx
Matt Turner [Tue, 18 Feb 2020 18:08:27 +0000 (10:08 -0800)]
config: Drop linux-alpha-gcc+bwx

Its entry in Configuration/10-main.conf was dropped in commit
7ead0c89185c ("Configure: fold related configurations more aggressively
and clean-up.") probably because all but one of its bn_ops were removed
(RC4_CHAR remained). Benchmarks on an Alpha EV7 indicate that RC4_INT is
better than RC4_CHAR so rather than restoring the configuration, remove
it from config.

CLA: trivial
Bug: https://bugs.gentoo.org/697840

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11130)

Fix default provider merge glitch
Richard Levitte [Sat, 22 Feb 2020 02:27:14 +0000 (03:27 +0100)]
Fix default provider merge glitch

Property "default" no longer exists, replace "default=yes" with
"provider=default"

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11150)

Refactor evp_pkey_make_provided() to do legacy to provider export
Richard Levitte [Wed, 12 Feb 2020 13:28:50 +0000 (14:28 +0100)]
Refactor evp_pkey_make_provided() to do legacy to provider export

Previously, evp_keymgmt_util_export_to_provider() took care of all
kinds of exports of EVP_PKEYs to provider side keys, be it from its
legacy key or from another provider side key.  This works most of the
times, but there may be cases where the caller wants to be a bit more
in control of what sort of export happens when.

Also, when it's time to remove all legacy stuff, that job will be much
easier if we have a better separation between legacy support and
support of provided stuff, as far as we can take it.

This change moves the support of legacy key to provider side key
export from evp_keymgmt_util_export_to_provider() to
evp_pkey_make_provided(), and makes sure the latter is called from all
EVP_PKEY functions that handle legacy stuff.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11074)

DSA: More conforming names in crypto/dsa/dsa_aid.c
Richard Levitte [Thu, 30 Jan 2020 14:14:37 +0000 (15:14 +0100)]
DSA: More conforming names in crypto/dsa/dsa_aid.c

Made macro names that refer to a known base OID, and commented accordingly.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10557)

doc/man3/EVP_PKEY_CTX_ctrl.pod: cleanup
Richard Levitte [Thu, 12 Dec 2019 08:21:59 +0000 (09:21 +0100)]
doc/man3/EVP_PKEY_CTX_ctrl.pod: cleanup

Clean up a manual we've touched, according to conventions found in
Linux' man-pages(7); function arguments in descriptions should be in
italics, and types, macros and similar should be in bold, with the
exception for NULL.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10557)

PROV: Avoid MDC2 in the RSA signature implementation in the FIPS module
Richard Levitte [Wed, 4 Dec 2019 08:54:35 +0000 (09:54 +0100)]
PROV: Avoid MDC2 in the RSA signature implementation in the FIPS module

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10557)

test/recipes/30-test_evp_data/evppkey.txt
Richard Levitte [Tue, 3 Dec 2019 10:02:58 +0000 (11:02 +0100)]
test/recipes/30-test_evp_data/evppkey.txt

Tests that go through provider cannot recognise PKEY_CTRL_INVALID from
PKEY_CTRL_ERROR any more, because provided implementations' param
setting functions return 0 or 1.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10557)

4 years ago - test/evp_extra_test.c: adapt for RSA signature tests
Richard Levitte [Mon, 2 Dec 2019 10:26:15 +0000 (11:26 +0100)]
test/evp_extra_test.c: adapt for RSA signature tests

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10557)

4 years ago - rsa_get0_all_params(): Allow zero CRT params
Richard Levitte [Mon, 2 Dec 2019 10:25:47 +0000 (11:25 +0100)]
rsa_get0_all_params(): Allow zero CRT params

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10557)

4 years ago - PROV: add RSA signature implementation
Richard Levitte [Sun, 1 Dec 2019 14:01:50 +0000 (15:01 +0100)]
PROV: add RSA signature implementation

This includes legacy PSS controls to params conversion, and an attempt
to generalise the parameter names when they are suitable for more than
one operation.

Also added crypto/rsa/rsa_aid.c, containing proper AlgorithmIdentifiers
for known RSA+hash function combinations.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10557)

4 years ago - Don't exclude quite so much in a no-sock build
Dr. David von Oheimb [Fri, 21 Feb 2020 20:41:56 +0000 (21:41 +0100)]
Don't exclude quite so much in a no-sock build

We were excluding more code than we needed to in the OCSP/HTTP code in
the event of no-sock. We should also not assume that a BIO passed to our
API is socket based.

This fixes the no-sock build.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11134)

4 years ago - Introduce the provider property
Matt Caswell [Fri, 14 Feb 2020 22:49:26 +0000 (22:49 +0000)]
Introduce the provider property

Replace the properties default, fips and legacy with a single property
called "provider". So, for example, instead of writing "default=yes" to
get algorithms from the default provider you would instead write
"provider=default". We also have a new "fips" property to indicate that
an algorithm is compatible with FIPS mode. This applies to all the
algorithms in the FIPS provider, as well as any non-cryptographic
algorithms (currently only serializers).

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11097)

4 years ago - Add DRBG self tests
Shane Lontis [Thu, 30 Jan 2020 21:53:04 +0000 (07:53 +1000)]
Add DRBG self tests

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11010)

4 years ago - pkey: additional EC related options
Pauli [Tue, 18 Feb 2020 01:36:08 +0000 (11:36 +1000)]
pkey: additional EC related options

Add options to change the parameter encoding and point conversions for EC
public and private keys.  These options are present in the deprecated 'ec'
utility.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11113)

4 years ago - pkey: update command line tool examples in light of deprecations.
Pauli [Mon, 17 Feb 2020 23:46:52 +0000 (09:46 +1000)]
pkey: update command line tool examples in light of deprecations.

Specifically, refer from the deprecated tools to the pkey equivalents.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11113)

4 years ago - apps: distinguish between a parameter error and an unknown parameter.
Pauli [Mon, 10 Feb 2020 03:37:53 +0000 (13:37 +1000)]
apps: distinguish between a parameter error and an unknown parameter.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11049)

4 years ago - pmeth_lib: detect unsupported OSSL_PARAM.
Pauli [Mon, 10 Feb 2020 03:32:36 +0000 (13:32 +1000)]
pmeth_lib: detect unsupported OSSL_PARAM.

When converting legacy controls to OSSL_PARAMs, return the unsupported -2
value correctly.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11049)

4 years ago - Params: add argument to the _from_text calls to indicate if the param exists.
Pauli [Mon, 10 Feb 2020 03:29:49 +0000 (13:29 +1000)]
Params: add argument to the _from_text calls to indicate if the param exists.

The extra argument is an integer pointer and is optional.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11049)

4 years ago - Add *.d.tmp files to .gitignore
Matt Caswell [Tue, 18 Feb 2020 16:08:30 +0000 (16:08 +0000)]
Add *.d.tmp files to .gitignore

These are temporary files generated by the build process that should not
be checked in.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11122)

4 years ago - Deprecate the low level Diffie-Hellman functions.
Pauli [Mon, 3 Feb 2020 09:05:31 +0000 (19:05 +1000)]
Deprecate the low level Diffie-Hellman functions.

Use of the low level DH functions has been informally discouraged for a
long time.  We now formally deprecate them.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11024)

4 years ago - DH: add CHANGES entry listing the deprecated DH functions.
Pauli [Sun, 16 Feb 2020 07:31:04 +0000 (17:31 +1000)]
DH: add CHANGES entry listing the deprecated DH functions.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11024)

4 years ago - DH: fix header file indentation
Pauli [Mon, 3 Feb 2020 06:03:12 +0000 (16:03 +1000)]
DH: fix header file indentation

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11024)

4 years ago - Deprecate the low level RSA functions.
Pauli [Wed, 12 Feb 2020 05:03:51 +0000 (15:03 +1000)]
Deprecate the low level RSA functions.

Use of the low level RSA functions has been informally discouraged for a
long time. We now formally deprecate them.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11063)

4 years ago - rsa: document deprecated RSA command line apps
Pauli [Wed, 12 Feb 2020 05:49:16 +0000 (15:49 +1000)]
rsa: document deprecated RSA command line apps

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11063)

4 years ago - rsa: document deprecated low level functions
Pauli [Wed, 12 Feb 2020 05:23:01 +0000 (15:23 +1000)]
rsa: document deprecated low level functions

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11063)

4 years ago - NEWS: DH, DSA, ECDH, ECDSA and RSA public key function deprecation note
Pauli [Wed, 12 Feb 2020 05:05:39 +0000 (15:05 +1000)]
NEWS: DH, DSA, ECDH, ECDSA and RSA public key function deprecation note

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11063)

4 years ago - rsa.h: fix preprocessor indentation
Pauli [Wed, 12 Feb 2020 03:26:15 +0000 (13:26 +1000)]
rsa.h: fix preprocessor indentation

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11063)

4 years ago - Remove unneeded switch statement to fix warning
Dane (4cad@silvertoque) [Wed, 19 Feb 2020 02:38:12 +0000 (21:38 -0500)]
Remove unneeded switch statement to fix warning

https://github.com/openssl/openssl/issues/10958

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11125)

4 years ago - Handle max_fragment_length overflow for DTLS
Simon Cornish [Fri, 14 Feb 2020 22:16:09 +0000 (14:16 -0800)]
Handle max_fragment_length overflow for DTLS

Allow for encryption overhead in early DTLS size check
and send overflow if validated record is too long

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11096)

4 years ago - [PROV][EC] Update documentation
Nicola Tuveri [Sun, 9 Feb 2020 11:56:27 +0000 (13:56 +0200)]
[PROV][EC] Update documentation

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10631)

4 years ago - [BN] harden `BN_copy()` against leaks from memory accesses
Nicola Tuveri [Tue, 21 Jan 2020 15:08:16 +0000 (17:08 +0200)]
[BN] harden `BN_copy()` against leaks from memory accesses

`BN_copy()` (and indirectly `BN_dup()`) do not propagate the
`BN_FLG_CONSTTIME` flag: the propagation has been turned on and off a
few times in the past years, because in some conditions it has shown
unintended consequences in some code paths.

Without turning the propagation on once more, we can still improve
`BN_copy()` by avoiding leaking `src->top` in case `src` is flagged with
`BN_FLG_CONSTTIME`.
In this case we can instead use `src->dmax` as the number of words
allocated for `dst` and for the `memcpy` operation.

Barring compiler or runtime optimizations, if the caller provides `src`
flagged as const time and preallocated to a public size, no leak should
happen due to the copy operation.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10631)

4 years ago - [EC] harden EC_KEY against leaks from memory accesses
Nicola Tuveri [Tue, 21 Jan 2020 15:00:41 +0000 (17:00 +0200)]
[EC] harden EC_KEY against leaks from memory accesses

We should never leak the bit length of the secret scalar in the key,
so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM`
holding the secret scalar.

This is important also because `BN_dup()` (and `BN_copy()`) do not
propagate the `BN_FLG_CONSTTIME` flag from the source `BIGNUM`, and
this brings an extra risk of inadvertently losing the flag, even when
the caller specifically set it.

The propagation has been turned on and off a few times in the past
years because in some conditions it has shown unintended consequences in
some code paths, so at the moment we can't fix this in the BN layer.

In `EC_KEY_set_private_key()` we can work around the propagation by
manually setting the flag after `BN_dup()` as we know for sure that
inside the EC module the `BN_FLG_CONSTTIME` is always treated
correctly and should not generate unintended consequences.

Setting the `BN_FLG_CONSTTIME` flag alone is never enough; we also have
to preallocate the `BIGNUM` internal buffer to a fixed public size big
enough that operations performed during the processing never trigger
a realloc which would leak the size of the scalar through memory
accesses.

Fixed Length
------------

The order of the large prime subgroup of the curve is our choice for
a fixed public size, as that is generally the upper bound for
generating a private key in EC cryptosystems and should fit all valid
secret scalars.

For preallocating the `BIGNUM` storage we look at the number of "words"
required for the internal representation of the order, and we
preallocate 2 extra "words" in case any of the subsequent processing
might temporarily overflow the order length.

Future work
-----------

A separate commit addresses further hardening of `BN_copy()` (and
indirectly `BN_dup()`).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10631)

4 years ago - [PROV][KEYMGMT][EC] Import/export of priv_key as padded const time BN
Nicola Tuveri [Tue, 21 Jan 2020 14:48:49 +0000 (16:48 +0200)]
[PROV][KEYMGMT][EC] Import/export of priv_key as padded const time BN

For EC keys it is particularly important to avoid leaking the bit length
of the secret scalar.

Key import/export should never leak the bit length of the secret
scalar in the key.

For this reason, on export we use padded BIGNUMs with fixed length,
using the new `ossl_param_bld_push_BN_pad()`.

When importing we also should make sure that, even if short lived,
the newly created BIGNUM is marked with the BN_FLG_CONSTTIME flag as
soon as possible, so that any processing of this BIGNUM might opt for
constant time implementations in the backend.

Setting the BN_FLG_CONSTTIME flag alone is never enough; we also have
to preallocate the BIGNUM internal buffer to a fixed size big enough
that operations performed during the processing never trigger a
realloc which would leak the size of the scalar through memory
accesses.

Fixed length
------------

The order of the large prime subgroup of the curve is our choice for
a fixed public size, as that is generally the upper bound for
generating a private key in EC cryptosystems and should fit all valid
secret scalars.

For padding on export we just use the bit length of the order
converted to bytes (rounding up).

For preallocating the BIGNUM storage we look at the number of "words"
required for the internal representation of the order, and we
preallocate 2 extra "words" in case any of the subsequent processing
might temporarily overflow the order length.

Future work
-----------

To ensure the flag and fixed size preallocation persists upon
`EC_KEY_set_private_key()`, we need to further harden
`EC_KEY_set_private_key()` and `BN_copy()`.
This is done in separate commits.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10631)
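The `BN_copy()` hardening commit above and this import/export commit describe one mechanism: keep the secret scalar in a buffer whose size is a public function of the group order, flag it const-time before any processing, and never let the number of words read depend on the value. The C program below is an added illustration written for this page, not OpenSSL's code. It models the BIGNUM fields `d`, `top` and `dmax` with a constructed `toy_bn` type (a fixed inline array stands in for the heap buffer), applies the words(order) + 2 preallocation rule, implements the hardened copy rule (read `dmax` words when the source carries the const-time flag, `top` words otherwise, flag not propagated), and exports the scalar padded to the order's byte length in the manner of `ossl_param_bld_push_BN_pad()`. `TOY_FLG_CONSTTIME`, every `toy_*` and `demo_*` name, the 200-bit order and the scalar 5 are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define WORD_BITS 64
#define TOY_MAX_WORDS 8
#define TOY_FLG_CONSTTIME 0x04 /* constructed flag standing in for BN_FLG_CONSTTIME */

/* Constructed toy of the BIGNUM layout; a fixed array replaces the heap-allocated d. */
typedef struct {
    uint64_t d[TOY_MAX_WORDS]; /* little-endian words; dmax of them count as allocated */
    int top;   /* significant words: depends on the value, hence on the secret */
    int dmax;  /* "allocated" words: a public size chosen by the caller */
    int flags;
} toy_bn;

static void toy_bn_init(toy_bn *bn) { memset(bn, 0, sizeof(*bn)); }

/* Role of bn_wexpand(): in the real BIGNUM this reallocates, which is the leak avoided. */
static int toy_bn_wexpand(toy_bn *bn, int words)
{
    if (words > TOY_MAX_WORDS)
        return 0;
    if (words > bn->dmax)
        bn->dmax = words;
    return 1;
}

static int toy_bn_set_u64(toy_bn *bn, uint64_t v)
{
    if (!toy_bn_wexpand(bn, 1))
        return 0;
    bn->d[0] = v;
    bn->top = v != 0; /* top follows the value: this is what must not leak */
    return 1;
}

/* Preallocation rule from the commits: words(order) + 2 spare words, flagged const-time. */
static int toy_bn_prealloc_secret(toy_bn *secret, int order_bits)
{
    int words = (order_bits + WORD_BITS - 1) / WORD_BITS + 2;
    if (!toy_bn_wexpand(secret, words))
        return 0;
    secret->flags |= TOY_FLG_CONSTTIME;
    return 1;
}

/* Hardened BN_copy() rule: read dmax words (public) when the source is const-time,
 * top words (secret-dependent) otherwise; the flag is not propagated, as in BN_copy(). */
static int toy_bn_copy(toy_bn *dst, const toy_bn *src, int *words_read)
{
    int n = (src->flags & TOY_FLG_CONSTTIME) ? src->dmax : src->top;
    if (!toy_bn_wexpand(dst, n))
        return 0;
    if (n > 0)
        memcpy(dst->d, src->d, (size_t)n * sizeof(uint64_t));
    dst->top = src->top;
    *words_read = n; /* the count that would leak through memory accesses */
    return 1;
}

/* Padded big-endian export: length fixed by the order, never by the scalar's size. */
static int toy_bn_export_padded(const toy_bn *bn, int order_bits,
                                unsigned char *out, size_t outlen)
{
    size_t need = ((size_t)order_bits + 7) / 8, i;
    if (outlen < need)
        return 0;
    memset(out, 0, need);
    for (i = 0; i < sizeof(bn->d); i++) { /* fixed trip count over the whole array */
        unsigned char b = (unsigned char)(bn->d[i / 8] >> (8 * (i % 8)));
        if (i < need)
            out[need - 1 - i] = b;
        else if (b != 0)
            return 0; /* value does not fit the fixed length */
    }
    return (int)need;
}

/* Constructed 200-bit order (4 words) and scalar 5: words read by the copy,
 * 1 without preallocation (leaks top), 4 + 2 = 6 with it. */
static int demo_copy_words(int use_prealloc)
{
    toy_bn secret, copy;
    int read = -1;
    toy_bn_init(&secret); toy_bn_init(&copy);
    if (toy_bn_set_u64(&secret, 5) && (!use_prealloc || toy_bn_prealloc_secret(&secret, 200)))
        toy_bn_copy(&copy, &secret, &read);
    return read;
}

/* Padded export of the same scalar: 25 bytes, 0x05 last. Byte at idx, or length if idx < 0. */
static int demo_export_byte(int idx)
{
    toy_bn secret;
    unsigned char buf[32];
    int len = 0;
    toy_bn_init(&secret);
    if (toy_bn_set_u64(&secret, 5))
        len = toy_bn_export_padded(&secret, 200, buf, sizeof(buf));
    return idx < 0 ? len : (idx < len ? buf[idx] : -1);
}
```

Calling `demo_copy_words(0)` gives 1: the plain copy touches a single word and so reveals that the scalar fits in one. `demo_copy_words(1)` gives 6 for any scalar below the order, because the preallocated const-time copy always reads `dmax` words. `demo_export_byte(-1)` returns 25 whatever the scalar's size, with the value right-aligned behind zero padding.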

4 years ago - [PROV][KMGMT][KEXCH][EC] Implement EC keymgmt and ECDH
Nicola Tuveri [Sat, 14 Dec 2019 22:20:53 +0000 (00:20 +0200)]
[PROV][KMGMT][KEXCH][EC] Implement EC keymgmt and ECDH

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10631)

4 years ago - [CMS] Test decryption of a ciphertext encrypted from 1.1.1
Nicola Tuveri [Sat, 25 Jan 2020 16:19:56 +0000 (18:19 +0200)]
[CMS] Test decryption of a ciphertext encrypted from 1.1.1

Current CMS en/decryption tests only validate that our current decryption
and encryption algorithms are compatible, but they say nothing about
correctness of the output for the given set of parameters.

As a partial fix in absence of proper KAT tests, we decrypt ciphertexts
generated with OpenSSL 1.1.1.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10631)

4 years ago - [EC] Constify internal EC_KEY pointer usage
Nicola Tuveri [Mon, 6 Jan 2020 23:19:13 +0000 (01:19 +0200)]
[EC] Constify internal EC_KEY pointer usage

A pair of internal functions related to EC_KEY handling could benefit
from declaring `EC_KEY *` variables as `const`, providing clarity for
callers and readers of the code, in addition to enlisting the compiler
in preventing some mistakes.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10631)

4 years ago - [PROV][KEYMGMT][DH][DSA] use BN_clear_free for secrets
Nicola Tuveri [Sat, 14 Dec 2019 22:29:34 +0000 (00:29 +0200)]
[PROV][KEYMGMT][DH][DSA] use BN_clear_free for secrets

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10631)

4 years ago - x86_64: Don't assume 8-byte pointer size
H.J. Lu [Thu, 9 Jan 2020 14:20:09 +0000 (06:20 -0800)]
x86_64: Don't assume 8-byte pointer size

Since pointer in x32 is 4 bytes, add x86_64-support.pl to define
pointer_size and pointer_register based on flavour to support
structures like:

struct { void *ptr; int blocks; }

This fixes 90-test_sslapi.t on x32.  Verified with

$ ./Configure shared linux-x86_64
$ make
$ make test

and

$ ./Configure shared linux-x32
$ make
$ make test

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10988)

4 years ago - DOC:Fix typos in x509v3_config.pod
Alex Boboc [Sun, 16 Feb 2020 20:07:41 +0000 (12:07 -0800)]
DOC:Fix typos in x509v3_config.pod

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11104)

4 years ago - DOC:Fix typos in man5/config.pod
Alex Boboc [Sun, 16 Feb 2020 20:04:12 +0000 (12:04 -0800)]
DOC:Fix typos in man5/config.pod

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11104)

4 years ago - DOC:Fix typos in openssl-enc.pod.in + openssl.pod
Alex Boboc [Sun, 16 Feb 2020 19:56:11 +0000 (11:56 -0800)]
DOC:Fix typos in openssl-enc.pod.in + openssl.pod

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11104)