diff options
| author | Pierre Pronchery <pierre@freebsdfoundation.org> | 2023-05-31 22:06:50 +0000 |
|---|---|---|
| committer | Ed Maste <emaste@FreeBSD.org> | 2023-06-23 13:13:27 +0000 |
| commit | b84c4564effd02dfdc047dd6cbeaf910bbb1a888 (patch) | |
| tree | 39604e7e6f13fced003ef2f77c35f3989aa574ca | |
| parent | e4520c8bd1d300a7a338d0ed4af171a2d0e583ef (diff) | |
openssl: Vendor import of OpenSSL-3.0.9vendor/openssl/3.0.9
Summary:
Release notes can be found at
https://www.openssl.org/news/openssl-3.0-notes.html .
Obtained from: https://www.openssl.org/source/openssl-3.0.9.tar.gz
Test Plan:
```
$ git status
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.
nothing to commit, working tree clean
$ (cd ..; fetch http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz.asc)
openssl-3.0.9.tar.gz 14 MB 74 MBps 01s
openssl-3.0.9.tar.gz.asc 833 B 10 MBps 00s
$ set | egrep '(XLIST|OSSLVER)='
OSSLVER=3.0.9
XLIST=FREEBSD-Xlist
$ gpg --list-keys
/home/khorben/.gnupg/pubring.kbx
--------------------------------
pub rsa4096 2021-07-16 [SC] [expires: 2031-07-14]
A21FAB74B0088AA361152586B8EF1A6BA9DA2D5C
uid [ unknown] Tomáš Mráz <tm@t8m.info>
uid [ unknown] Tomáš Mráz <tomas@arleto.cz>
uid [ unknown] Tomáš Mráz <tomas@openssl.org>
sub rsa4096 2021-07-16 [S] [expires: 2027-07-15]
sub rsa4096 2021-07-16 [E] [expires: 2031-07-14]
$ gpg --verify ../openssl-${OSSLVER}.tar.gz.asc ../openssl-${OSSLVER}.tar.gz
gpg: Signature made Tue May 30 14:32:24 2023 CEST
gpg: using RSA key DC7032662AF885E2F47F243F527466A21CA79E6D
gpg: Good signature from "Tomáš Mráz <tm@t8m.info>" [unknown]
gpg: aka "Tomáš Mráz <tomas@arleto.cz>" [unknown]
gpg: aka "Tomáš Mráz <tomas@openssl.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C
Subkey fingerprint: DC70 3266 2AF8 85E2 F47F 243F 5274 66A2 1CA7 9E6D
$ tar -x -X $XLIST -f ../openssl-${OSSLVER}.tar.gz -C ..
$ rsync --exclude FREEBSD.* --delete -avzz ../openssl-${OSSLVER}/* .
[...]
$ diff -arq ../openssl-${OSSLVER} .
Only in .: .git
Only in .: FREEBSD-Xlist
Only in .: FREEBSD-upgrade
$ git status FREEBSD*
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.
nothing to commit, working tree clean
```
181 files changed, 2745 insertions, 1761 deletions
diff --git a/CHANGES.md b/CHANGES.md index 7cdd9d974536..0fb1eb1f6a71 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -28,6 +28,80 @@ breaking changes, and mappings for the large list of deprecated functions. [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod +### Changes between 3.0.8 and 3.0.9 [30 May 2023] + + * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic + OBJECT IDENTIFIER sub-identifiers to canonical numeric text form. + + OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical + numeric text form. For gigantic sub-identifiers, this would take a very + long time, the time complexity being O(n^2) where n is the size of that + sub-identifier. ([CVE-2023-2650]) + + To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT + IDENTIFIER to canonical numeric text form if the size of that OBJECT + IDENTIFIER is 586 bytes or less, and fail otherwise. + + The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT + IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at + most 128 sub-identifiers, and that the maximum value that each sub- + identifier may have is 2^32-1 (4294967295 decimal). + + For each byte of every sub-identifier, only the 7 lower bits are part of + the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with + these restrictions may occupy is 32 * 128 / 7, which is approximately 586 + bytes. + + Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 + + *Richard Levitte* + + * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which + happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can + trigger a crash of an application using AES-XTS decryption if the memory + just after the buffer being decrypted is not mapped. + Thanks to Anton Romanov (Amazon) for discovering the issue. + ([CVE-2023-1255]) + + *Nevine Ebeid* + + * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]). + The previous fix for this timing side channel turned out to cause + a severe 2-3x performance regression in the typical use case + compared to 3.0.7. The new fix uses existing constant time + code paths, and restores the previous performance level while + fully eliminating all existing timing side channels. + The fix was developed by Bernd Edlinger with testing support + by Hubert Kario. + + *Bernd Edlinger* + + * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention + that it does not enable policy checking. Thanks to David Benjamin for + discovering this issue. + ([CVE-2023-0466]) + + *Tomáš Mráz* + + * Fixed an issue where invalid certificate policies in leaf certificates are + silently ignored by OpenSSL and other certificate policy checks are skipped + for that certificate. A malicious CA could use this to deliberately assert + invalid certificate policies in order to circumvent policy checking on the + certificate altogether. + ([CVE-2023-0465]) + + *Matt Caswell* + + * Limited the number of nodes created in a policy tree to mitigate + against CVE-2023-0464. The default limit is set to 1000 nodes, which + should be sufficient for most installations. If required, the limit + can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build + time define to a desired maximum number of nodes or zero to allow + unlimited growth. + ([CVE-2023-0464]) + + *Paul Dale* + ### Changes between 3.0.7 and 3.0.8 [7 Feb 2023] * Fixed NULL dereference during PKCS7 data verification. @@ -19578,6 +19652,11 @@ ndif <!-- Links --> +[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650 +[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255 +[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466 +[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465 +[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464 [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401 [CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286 [CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217 @@ -19588,7 +19667,7 @@ ndif [CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203 [CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 -[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 +[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097 [CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971 [CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967 [CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563 diff --git a/Configure b/Configure index 5ac4b5222e4f..4ddc275f787e 100755 --- a/Configure +++ b/Configure @@ -1423,7 +1423,7 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) } if ($target =~ /linux.*-mips/ && !$disabled{asm} - && !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { + && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { # minimally required architecture flags for assembly modules my $value; $value = '-mips2' if ($target =~ /mips32/); @@ -18,6 +18,17 @@ OpenSSL Releases OpenSSL 3.0 ----------- +### Major changes between OpenSSL 3.0.8 and OpenSSL 3.0.9 [30 May 2023] + + * Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT + IDENTIFIER sub-identities. ([CVE-2023-2650]) + * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms + ([CVE-2023-1255]) + * Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466]) + * Fixed handling of invalid certificate policies in leaf certificates + ([CVE-2023-0465]) + * Limited the number of nodes created in a policy tree ([CVE-2023-0464]) + ### Major changes between OpenSSL 3.0.7 and OpenSSL 3.0.8 [7 Feb 2023] * Fixed NULL dereference during PKCS7 data verification ([CVE-2023-0401]) @@ -1430,6 +1441,12 @@ OpenSSL 0.9.x * Support for various new platforms <!-- Links --> + +[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650 +[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255 +[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466 +[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465 +[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464 [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401 [CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286 [CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217 @@ -1440,7 +1457,7 @@ OpenSSL 0.9.x [CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203 [CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 -[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 +[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097 [CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971 [CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967 [CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563 diff --git a/NOTES-NONSTOP.md b/NOTES-NONSTOP.md index 627843babf32..68438b998884 100644 --- a/NOTES-NONSTOP.md +++ b/NOTES-NONSTOP.md @@ -44,6 +44,20 @@ instead of `nsx` in the set above. You cannot build for TNS/E for FIPS, so you must specify the `no-fips` option to `./Configure`. +Linking and Loading Considerations +---------------------------------- + +Because of how the NonStop Common Runtime Environment (CRE) works, there are +restrictions on how programs can link and load with OpenSSL libraries. +On current NonStop platforms, programs cannot both statically link OpenSSL +libraries and dynamically load OpenSSL shared libraries concurrently. If this +is done, there is a high probability of encountering a SIGSEGV condition +relating to `atexit()` processing when a shared library is unloaded and when +the program terminates. This limitation applies to all OpenSSL shared library +components. + +A resolution to this situation is under investigation. + About Prefix and OpenSSLDir --------------------------- diff --git a/NOTES-VMS.md b/NOTES-VMS.md index e27f3d682a2a..566a04d2a9fe 100644 --- a/NOTES-VMS.md +++ b/NOTES-VMS.md @@ -83,6 +83,23 @@ When done, we recommend that you turn that flag back off: $ set image /flag=nocall_debug [.test]evp_test.exe +About assembler acceleration +---------------------------- + +OpenSSL has assembler acceleration for a number of BIGNUM and crypto +routines. The VMS config targets tries to look for a selection of +assemblers and will use what they find. If none of the assemblers are +found, OpenSSL will be built as if `no-asm` was configured. + +### For Itanium / IA64 / I64 + +- There is only one assembler, a port of Intel's `ias`, found in the + HP Open Source Tools CD, available through [DECUSlib](http://www.decuslib.com). + It's assumed to be set up as per the instructions, where `disk` and + `dir` are expected to be adapted to local conditions: + + $ ias :== $disk:[dir]iasi64.exe + Checking the distribution ------------------------- diff --git a/VERSION.dat b/VERSION.dat index 375a0de7e128..be1c292b2ad7 100644 --- a/VERSION.dat +++ b/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=0 -PATCH=8 +PATCH=9 PRE_RELEASE_TAG= BUILD_METADATA= -RELEASE_DATE="7 Feb 2023" +RELEASE_DATE="30 May 2023" SHLIB_VERSION=3 diff --git a/apps/cmp.c b/apps/cmp.c index 9b9e405bb248..3463579c24fb 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -158,6 +158,7 @@ static char *opt_reqin = NULL; static int opt_reqin_new_tid = 0; static char *opt_reqout = NULL; static char *opt_rspin = NULL; +static int rspin_in_use = 0; static char *opt_rspout = NULL; static int opt_use_mock_srv = 0; @@ -371,7 +372,7 @@ const OPTIONS cmp_options[] = { OPT_SECTION("Server authentication"), {"trusted", OPT_TRUSTED, 's', - "Certificates to trust as chain roots when verifying signed CMP responses"}, + "Certificates to use as trust anchors when verifying signed CMP responses"}, {OPT_MORE_STR, 0, 0, "unless -srvcert is given"}, {"untrusted", OPT_UNTRUSTED, 's', "Intermediate CA certs for chain construction for CMP/TLS/enrolled certs"}, @@ -417,7 +418,7 @@ const OPTIONS cmp_options[] = { {OPT_MORE_STR, 0, 0, "This can be used as the default CMP signer cert chain to include"}, {"unprotected_requests", OPT_UNPROTECTED_REQUESTS, '-', - "Send messages without CMP-level protection"}, + "Send request messages without CMP-level protection"}, OPT_SECTION("Credentials format"), {"certform", OPT_CERTFORM, 's', @@ -462,13 +463,16 @@ const OPTIONS cmp_options[] = { "Do not interactively prompt for input when a password is required etc."}, {"repeat", OPT_REPEAT, 'p', "Invoke the transaction the given positive number of times. Default 1"}, - {"reqin", OPT_REQIN, 's', "Take sequence of CMP requests from file(s)"}, + {"reqin", OPT_REQIN, 's', + "Take sequence of CMP requests to send to server from file(s)"}, {"reqin_new_tid", OPT_REQIN_NEW_TID, '-', "Use fresh transactionID for CMP requests read from -reqin"}, - {"reqout", OPT_REQOUT, 's', "Save sequence of CMP requests to file(s)"}, + {"reqout", OPT_REQOUT, 's', + "Save sequence of CMP requests created by the client to file(s)"}, {"rspin", OPT_RSPIN, 's', "Process sequence of CMP responses provided in file(s), skipping server"}, - {"rspout", OPT_RSPOUT, 's', "Save sequence of CMP responses to file(s)"}, + {"rspout", OPT_RSPOUT, 's', + "Save sequence of actually used CMP responses to file(s)"}, {"use_mock_srv", OPT_USE_MOCK_SRV, '-', "Use internal mock server at API level, bypassing socket-based HTTP"}, @@ -754,12 +758,12 @@ static int write_PKIMESSAGE(const OSSL_CMP_MSG *msg, char **filenames) } /* read DER-encoded OSSL_CMP_MSG from the specified file name item */ -static OSSL_CMP_MSG *read_PKIMESSAGE(char **filenames) +static OSSL_CMP_MSG *read_PKIMESSAGE(const char *desc, char **filenames) { char *file; OSSL_CMP_MSG *ret; - if (filenames == NULL) { + if (filenames == NULL || desc == NULL) { CMP_err("NULL arg to read_PKIMESSAGE"); return NULL; } @@ -774,6 +778,8 @@ static OSSL_CMP_MSG *read_PKIMESSAGE(char **filenames) ret = OSSL_CMP_MSG_read(file, app_get0_libctx(), app_get0_propq()); if (ret == NULL) CMP_err1("cannot read PKIMessage from file '%s'", file); + else + CMP_info2("%s %s", desc, file); return ret; } @@ -795,7 +801,7 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx, && !write_PKIMESSAGE(req, &opt_reqout)) goto err; if (opt_reqin != NULL && opt_rspin == NULL) { - if ((req_new = read_PKIMESSAGE(&opt_reqin)) == NULL) + if ((req_new = read_PKIMESSAGE("actually sending", &opt_reqin)) == NULL) goto err; /*- * The transaction ID in req_new read from opt_reqin may not be fresh. @@ -805,22 +811,44 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx, if (opt_reqin_new_tid && !OSSL_CMP_MSG_update_transactionID(ctx, req_new)) goto err; + + /* + * Except for first request, need to satisfy recipNonce check by server. + * Unfortunately requires re-protection if protection is required. + */ + if (!OSSL_CMP_MSG_update_recipNonce(ctx, req_new)) + goto err; } if (opt_rspin != NULL) { - res = read_PKIMESSAGE(&opt_rspin); + res = read_PKIMESSAGE("actually using", &opt_rspin); } else { - const OSSL_CMP_MSG *actual_req = opt_reqin != NULL ? req_new : req; + const OSSL_CMP_MSG *actual_req = req_new != NULL ? req_new : req; - res = opt_use_mock_srv - ? OSSL_CMP_CTX_server_perform(ctx, actual_req) - : OSSL_CMP_MSG_http_perform(ctx, actual_req); + if (opt_use_mock_srv) { + if (rspin_in_use) + CMP_warn("too few -rspin filename arguments; resorting to using mock server"); + res = OSSL_CMP_CTX_server_perform(ctx, actual_req); + } else { +#ifndef OPENSSL_NO_SOCK + if (opt_server == NULL) { + CMP_err("missing -server or -use_mock_srv option, or too few -rspin filename arguments"); + goto err; + } + if (rspin_in_use) + CMP_warn("too few -rspin filename arguments; resorting to contacting server"); + res = OSSL_CMP_MSG_http_perform(ctx, actual_req); +#else + CMP_err("-server not supported on no-sock build; missing -use_mock_srv option or too few -rspin filename arguments"); +#endif + } + rspin_in_use = 0; } if (res == NULL) goto err; - if (opt_reqin != NULL || prev_opt_rspin != NULL) { - /* need to satisfy nonce and transactionID checks */ + if (req_new != NULL || prev_opt_rspin != NULL) { + /* need to satisfy nonce and transactionID checks by client */ ASN1_OCTET_STRING *nonce; ASN1_OCTET_STRING *tid; @@ -1024,10 +1052,10 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) goto err; } } else if (opt_srv_cert == NULL) { - CMP_err("mock server credentials must be given if -use_mock_srv or -port is used"); + CMP_err("server credentials (-srv_secret or -srv_cert) must be given if -use_mock_srv or -port is used"); goto err; } else { - CMP_warn("mock server will not be able to handle PBM-protected requests since -srv_secret is not given"); + CMP_warn("server will not be able to handle PBM-protected requests since -srv_secret is not given"); } if (opt_srv_secret == NULL @@ -1121,7 +1149,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) goto err; if (opt_send_error) - (void)ossl_cmp_mock_srv_set_send_error(srv_ctx, 1); + (void)ossl_cmp_mock_srv_set_sendError(srv_ctx, 1); if (opt_send_unprotected) (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_SEND, 1); @@ -1283,7 +1311,9 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const char *host, /* disable any cert status/revocation checking etc. */ X509_VERIFY_PARAM_clear_flags(tls_vpm, ~(X509_V_FLAG_USE_CHECK_TIME - | X509_V_FLAG_NO_CHECK_TIME)); + | X509_V_FLAG_NO_CHECK_TIME + | X509_V_FLAG_PARTIAL_CHAIN + | X509_V_FLAG_POLICY_CHECK)); } CMP_debug("trying to build cert chain for own TLS cert"); if (SSL_CTX_build_cert_chain(ssl_ctx, @@ -1498,10 +1528,25 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) CMP_warn("no -subject given; no -csr or -oldcert or -cert available for fallback"); if (opt_cmd == CMP_IR || opt_cmd == CMP_CR || opt_cmd == CMP_KUR) { - if (opt_newkey == NULL && opt_key == NULL && opt_csr == NULL) { - CMP_err("missing -newkey (or -key) to be certified and no -csr given"); + if (opt_newkey == NULL + && opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) { + CMP_err("missing -newkey (or -key) to be certified and no -csr, -oldcert, or -cert given for fallback public key"); return 0; } + if (opt_newkey == NULL + && opt_popo != OSSL_CRMF_POPO_NONE + && opt_popo != OSSL_CRMF_POPO_RAVERIFIED) { + if (opt_csr != NULL) { + CMP_err1("no -newkey option given with private key for POPO, -csr option only provides public key%s", + opt_key == NULL ? "" : + ", and -key option superseded by by -csr"); + return 0; + } + if (opt_key == NULL) { + CMP_err("missing -newkey (or -key) option for POPO"); + return 0; + } + } if (opt_certout == NULL) { CMP_err("-certout not given, nowhere to save newly enrolled certificate"); return 0; @@ -1897,8 +1942,11 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_TOTAL_TIMEOUT, opt_total_timeout); - if (opt_reqin != NULL && opt_rspin != NULL) - CMP_warn("-reqin is ignored since -rspin is present"); + if (opt_rspin != NULL) { + rspin_in_use = 1; + if (opt_reqin != NULL) + CMP_warn("-reqin is ignored since -rspin is present"); + } if (opt_reqin_new_tid && opt_reqin == NULL) CMP_warn("-reqin_new_tid is ignored since -reqin is not present"); if (opt_reqin != NULL || opt_reqout != NULL @@ -1923,12 +1971,14 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) if ((info = OPENSSL_zalloc(sizeof(*info))) == NULL) goto err; (void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info); - info->server = opt_server; - info->port = server_port; + info->ssl_ctx = setup_ssl_ctx(ctx, host, engine); + info->server = host; + host = NULL; /* prevent deallocation */ + if ((info->port = OPENSSL_strdup(server_port)) == NULL) + goto err; /* workaround for callback design flaw, see #17088: */ info->use_proxy = proxy_host != NULL; info->timeout = OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT); - info->ssl_ctx = setup_ssl_ctx(ctx, host, engine); if (info->ssl_ctx == NULL) goto err; @@ -1952,7 +2002,9 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) /* not printing earlier, to minimize confusion in case setup fails before */ if (opt_rspin != NULL) - CMP_info("will not contact any server since -rspin is given"); + CMP_info2("will contact %s%s " + "only if -rspin argument gives too few filenames", + server_buf, proxy_buf); else CMP_info2("will contact %s%s", server_buf, proxy_buf); @@ -2847,8 +2899,16 @@ int cmp_main(int argc, char **argv) CMP_err("-tls_used option not supported with -port option"); goto err; } - if (opt_use_mock_srv || opt_server != NULL || opt_rspin != NULL) { - CMP_err("cannot use -port with -use_mock_srv, -server, or -rspin options"); + if (opt_server != NULL || opt_use_mock_srv) { + CMP_err("The -port option excludes -server and -use_mock_srv"); + goto err; + } + if (opt_reqin != NULL || opt_reqout != NULL) { + CMP_err("The -port option does not support -reqin and -reqout"); + goto err; + } + if (opt_rspin != NULL || opt_rspout != NULL) { + CMP_err("The -port option does not support -rspin and -rspout"); goto err; } } @@ -2857,10 +2917,6 @@ int cmp_main(int argc, char **argv) goto err; } #endif - if (opt_rspin != NULL && opt_use_mock_srv) { - CMP_err("cannot use both -rspin and -use_mock_srv options"); - goto err; - } if (opt_use_mock_srv #ifndef OPENSSL_NO_SOCK @@ -2881,8 +2937,8 @@ int cmp_main(int argc, char **argv) } #ifndef OPENSSL_NO_SOCK - if (opt_tls_used && (opt_use_mock_srv || opt_rspin != NULL)) { - CMP_warn("ignoring -tls_used option since -use_mock_srv or -rspin is given"); + if (opt_tls_used && (opt_use_mock_srv || opt_server == NULL)) { + CMP_warn("ignoring -tls_used option since -use_mock_srv is given or -server is not given"); opt_tls_used = 0; } @@ -2893,11 +2949,11 @@ int cmp_main(int argc, char **argv) /* act as CMP client, possibly using internal mock server */ - if (opt_server != NULL) { - if (opt_rspin != NULL) { - CMP_warn("ignoring -server option since -rspin is given"); - opt_server = NULL; - } + if (opt_rspin != NULL) { + if (opt_server != NULL) + CMP_warn("-server option is not used if enough filenames given for -rspin"); + if (opt_use_mock_srv) + CMP_warn("-use_mock_srv option is not used if enough filenames given for -rspin"); } #endif @@ -3010,7 +3066,11 @@ int cmp_main(int argc, char **argv) /* cannot free info already here, as it may be used indirectly by: */ OSSL_CMP_CTX_free(cmp_ctx); #ifndef OPENSSL_NO_SOCK - APP_HTTP_TLS_INFO_free(info); + if (info != NULL) { + OPENSSL_free((char *)info->server); + OPENSSL_free((char *)info->port); + APP_HTTP_TLS_INFO_free(info); + } #endif } X509_VERIFY_PARAM_free(vpm); diff --git a/apps/dgst.c b/apps/dgst.c index 1042d940f49c..e12389197de4 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -487,8 +487,11 @@ static void show_digests(const OBJ_NAME *name, void *arg) /* Filter out message digests that we cannot use */ md = EVP_MD_fetch(app_get0_libctx(), name->name, app_get0_propq()); - if (md == NULL) - return; + if (md == NULL) { + md = EVP_get_digestbyname(name->name); + if (md == NULL) + return; + } BIO_printf(dec->bio, "-%-25s", name->name); if (++dec->n == 3) { diff --git a/apps/enc.c b/apps/enc.c index 3dd609856304..b3bf4cc2592d 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -30,6 +30,10 @@ #define SIZE (512) #define BSIZE (8*1024) +#define PBKDF2_ITER_DEFAULT 10000 +#define STR(a) XSTR(a) +#define XSTR(a) #a + static int set_hex(const char *in, unsigned char *out, int size); static void show_ciphers(const OBJ_NAME *name, void *bio_); @@ -88,8 +92,13 @@ const OPTIONS enc_options[] = { {"S", OPT_UPPER_S, 's', "Salt, in hex"}, {"iv", OPT_IV, 's', "IV in hex"}, {"md", OPT_MD, 's', "Use specified digest to create a key from the passphrase"}, - {"iter", OPT_ITER, 'p', "Specify the iteration count and force use of PBKDF2"}, - {"pbkdf2", OPT_PBKDF2, '-', "Use password-based key derivation function 2"}, + {"iter", OPT_ITER, 'p', + "Specify the iteration count and force the use of PBKDF2"}, + {OPT_MORE_STR, 0, 0, "Default: " STR(PBKDF2_ITER_DEFAULT)}, + {"pbkdf2", OPT_PBKDF2, '-', + "Use password-based key derivation function 2 (PBKDF2)"}, + {OPT_MORE_STR, 0, 0, + "Use -iter to change the iteration count from " STR(PBKDF2_ITER_DEFAULT)}, {"none", OPT_NONE, '-', "Don't encrypt"}, #ifdef ZLIB {"z", OPT_Z, '-', "Compress or decompress encrypted data using zlib"}, @@ -272,7 +281,7 @@ int enc_main(int argc, char **argv) case OPT_PBKDF2: pbkdf2 = 1; if (iter == 0) /* do not overwrite a chosen value */ - iter = 10000; + iter = PBKDF2_ITER_DEFAULT; break; case OPT_NONE: cipher = NULL; diff --git a/apps/include/cmp_mock_srv.h b/apps/include/cmp_mock_srv.h index 6beba1473590..18c141c563c4 100644 --- a/apps/include/cmp_mock_srv.h +++ b/apps/include/cmp_mock_srv.h @@ -1,5 +1,5 @@ /* - * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Siemens AG 2018-2020 * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -27,7 +27,7 @@ int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx, STACK_OF(X509) *caPubs); int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status, int fail_info, const char *text); -int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val); +int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype); int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count); int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec); diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 0d7a20b52afc..79afa1deab99 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -2474,6 +2474,10 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail) if (connect) { SSL *ssl; BIO *sbio = NULL; + X509_STORE *ts = SSL_CTX_get_cert_store(ssl_ctx); + X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts); + const char *host = vpm == NULL ? NULL : + X509_VERIFY_PARAM_get0_host(vpm, 0 /* first hostname */); /* adapt after fixing callback design flaw, see #17088 */ if ((info->use_proxy @@ -2488,8 +2492,8 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail) return NULL; } - /* adapt after fixing callback design flaw, see #17088 */ - SSL_set_tlsext_host_name(ssl, info->server); /* not critical to do */ + if (vpm != NULL) + SSL_set_tlsext_host_name(ssl, host /* may be NULL */); SSL_set_connect_state(ssl); BIO_set_ssl(sbio, ssl, BIO_CLOSE); diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c index b37f3dd3d89c..637bd1d0b7a4 100644 --- a/apps/lib/cmp_mock_srv.c +++ b/apps/lib/cmp_mock_srv.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Siemens AG 2018-2020 * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -14,7 +14,7 @@ #include <openssl/cmp.h> #include <openssl/err.h> #include <openssl/cmperr.h> - + /* the context for the CMP mock server */ typedef struct { @@ -22,9 +22,8 @@ typedef struct STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */ STACK_OF(X509) *caPubsOut; /* certs to return in caPubs field of ip msg */ OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */ - int sendError; /* send error response also on valid requests */ + int sendError; /* send error response on given request type */ OSSL_CMP_MSG *certReq; /* ir/cr/p10cr/kur remembered while polling */ - int certReqId; /* id of last ir/cr/kur, used for polling */ int pollCount; /* number of polls before actual cert response */ int curr_pollCount; /* number of polls so far for current request */ int checkAfterTime; /* time the client should wait between polling */ @@ -54,7 +53,7 @@ static mock_srv_ctx *mock_srv_ctx_new(void) if ((ctx->statusOut = OSSL_CMP_PKISI_new()) == NULL) goto err; - ctx->certReqId = -1; + ctx->sendError = -1; /* all other elements are initialized to 0 or NULL, respectively */ return ctx; @@ -130,7 +129,7 @@ int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status, return 1; } -int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val) +int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype) { mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); @@ -138,7 +137,8 @@ int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val) ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return 0; } - ctx->sendError = val != 0; + /* might check bodytype, but this would require exporting all body types */ + ctx->sendError = bodytype; return 1; } @@ -172,7 +172,7 @@ int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec) static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *cert_req, - int certReqId, + ossl_unused int certReqId, const OSSL_CRMF_MSG *crm, const X509_REQ *p10cr, X509 **certOut, @@ -187,7 +187,8 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return NULL; } - if (ctx->sendError) { + if (ctx->sendError == 1 + || ctx->sendError == OSSL_CMP_MSG_get_bodytype(cert_req)) { ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); return NULL; } @@ -195,7 +196,6 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, *certOut = NULL; *chainOut = NULL; *caPubs = NULL; - ctx->certReqId = certReqId; if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) { /* start polling */ @@ -270,7 +270,8 @@ static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx, ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return NULL; } - if (ctx->sendError || ctx->certOut == NULL) { + if (ctx->certOut == NULL || ctx->sendError == 1 + || ctx->sendError == OSSL_CMP_MSG_get_bodytype(rr)) { ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); return NULL; } @@ -301,7 +302,9 @@ static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx, ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return 0; } - if (sk_OSSL_CMP_ITAV_num(in) > 1 || ctx->sendError) { + if (ctx->sendError == 1 + || ctx->sendError == OSSL_CMP_MSG_get_bodytype(genm) + || sk_OSSL_CMP_ITAV_num(in) > 1) { ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); return 0; } @@ -358,7 +361,8 @@ static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error, } static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx, - const OSSL_CMP_MSG *certConf, int certReqId, + const OSSL_CMP_MSG *certConf, + ossl_unused int certReqId, const ASN1_OCTET_STRING *certHash, const OSSL_CMP_PKISI *si) { @@ -369,17 +373,13 @@ static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx, ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return 0; } - if (ctx->sendError || ctx->certOut == NULL) { + if (ctx->sendError == 1 + || ctx->sendError == OSSL_CMP_MSG_get_bodytype(certConf) + || ctx->certOut == NULL) { ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); return 0; } - if (certReqId != ctx->certReqId) { - /* in case of error, invalid reqId -1 */ - ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); - return 0; - } - if ((digest = X509_digest_sig(ctx->certOut, NULL, NULL)) == NULL) return 0; if (ASN1_OCTET_STRING_cmp(certHash, digest) != 0) { @@ -392,7 +392,8 @@ static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx, } static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx, - const OSSL_CMP_MSG *pollReq, int certReqId, + const OSSL_CMP_MSG *pollReq, + ossl_unused int certReqId, OSSL_CMP_MSG **certReq, int64_t *check_after) { mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); @@ -402,7 +403,8 @@ static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx, ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return 0; } - if (ctx->sendError) { + if (ctx->sendError == 1 + || ctx->sendError == OSSL_CMP_MSG_get_bodytype(pollReq)) { *certReq = NULL; ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); return 0; diff --git a/apps/openssl.cnf b/apps/openssl.cnf index 03330e0120a2..12bc40896ef2 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -356,7 +356,7 @@ cmd = ir # default operation, can be overridden on cmd line with, e.g., kur # Certificate enrollment subject = "/CN=openssl-cmp-test" newkey = insta.priv.pem -out_trusted = insta.ca.crt +out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature certout = insta.cert.pem [pbm] # Password-based protection for Insta CA @@ -366,7 +366,7 @@ secret = $insta::secret # pass:insta [signature] # Signature-based protection for Insta CA # Server authentication -trusted = insta.ca.crt # does not include keyUsage digitalSignature +trusted = $insta::out_trusted # apps/insta.ca.crt # Client authentication secret = # disable PBM diff --git a/apps/rehash.c b/apps/rehash.c index e4a4e14fd497..5c6d5340becf 100644 --- a/apps/rehash.c +++ b/apps/rehash.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2013-2014 Timo Teräs <timo.teras@gmail.com> * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -340,6 +340,11 @@ static int ends_with_dirsep(const char *path) return *path == '/'; } +static int sk_strcmp(const char * const *a, const char * const *b) +{ + return strcmp(*a, *b); +} + /* * Process a directory; return number of errors found. */ @@ -369,7 +374,7 @@ static int do_dir(const char *dirname, enum Hash h) if (verbose) BIO_printf(bio_out, "Doing %s\n", dirname); - if ((files = sk_OPENSSL_STRING_new_null()) == NULL) { + if ((files = sk_OPENSSL_STRING_new(sk_strcmp)) == NULL) { BIO_printf(bio_err, "Skipping %s, out of memory\n", dirname); errs = 1; goto err; diff --git a/apps/s_server.c b/apps/s_server.c index 2b0b6ba381fb..a203d6a091ca 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -229,6 +229,7 @@ static int psk_find_session_cb(SSL *ssl, const unsigned char *identity, || !SSL_SESSION_set_cipher(tmpsess, cipher) || !SSL_SESSION_set_protocol_version(tmpsess, SSL_version(ssl))) { OPENSSL_free(key); + SSL_SESSION_free(tmpsess); return 0; } OPENSSL_free(key); diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl index 6a7bf05d1b35..544dc7e8effe 100755 --- a/crypto/aes/asm/aesv8-armx.pl +++ b/crypto/aes/asm/aesv8-armx.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2014-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -2261,10 +2261,10 @@ $code.=<<___ if ($flavour =~ /64/); b.ne .Lxts_enc_big_size // Encrypt the iv with key2, as the first XEX iv. ldr $rounds,[$key2,#240] - vld1.8 {$dat},[$key2],#16 + vld1.32 {$dat},[$key2],#16 vld1.8 {$iv0},[$ivp] sub $rounds,$rounds,#2 - vld1.8 {$dat1},[$key2],#16 + vld1.32 {$dat1},[$key2],#16 .Loop_enc_iv_enc: aese $iv0,$dat @@ -2866,9 +2866,9 @@ $code.=<<___ if ($flavour =~ /64/); // Encrypt the composite block to get the last second encrypted text block ldr $rounds,[$key1,#240] // load key schedule... - vld1.8 {$dat},[$key1],#16 + vld1.32 {$dat},[$key1],#16 sub $rounds,$rounds,#2 - vld1.8 {$dat1},[$key1],#16 // load key schedule... + vld1.32 {$dat1},[$key1],#16 // load key schedule... .Loop_final_enc: aese $tmpin,$dat0 aesmc $tmpin,$tmpin @@ -2937,10 +2937,10 @@ $code.=<<___ if ($flavour =~ /64/); b.ne .Lxts_dec_big_size // Encrypt the iv with key2, as the first XEX iv. ldr $rounds,[$key2,#240] - vld1.8 {$dat},[$key2],#16 + vld1.32 {$dat},[$key2],#16 vld1.8 {$iv0},[$ivp] sub $rounds,$rounds,#2 - vld1.8 {$dat1},[$key2],#16 + vld1.32 {$dat1},[$key2],#16 .Loop_dec_small_iv_enc: aese $iv0,$dat @@ -3020,10 +3020,10 @@ $code.=<<___ if ($flavour =~ /64/); // Encrypt the iv with key2, as the first XEX iv ldr $rounds,[$key2,#240] - vld1.8 {$dat},[$key2],#16 + vld1.32 {$dat},[$key2],#16 vld1.8 {$iv0},[$ivp] sub $rounds,$rounds,#2 - vld1.8 {$dat1},[$key2],#16 + vld1.32 {$dat1},[$key2],#16 .Loop_dec_iv_enc: aese $iv0,$dat @@ -3353,7 +3353,7 @@ $code.=<<___ if ($flavour =~ /64/); .align 4 .Lxts_dec_tail4x: add $inp,$inp,#16 - vld1.32 {$dat0},[$inp],#16 + tst $tailcnt,#0xf veor $tmp1,$dat1,$tmp0 vst1.8 {$tmp1},[$out],#16 veor $tmp2,$dat2,$tmp2 @@ -3362,6 +3362,8 @@ $code.=<<___ if ($flavour =~ /64/); veor $tmp4,$dat4,$tmp4 vst1.8 {$tmp3-$tmp4},[$out],#32 + b.eq .Lxts_dec_abort + vld1.8 {$dat0},[$inp],#16 b .Lxts_done .align 4 .Lxts_outer_dec_tail: @@ -3539,7 +3541,7 @@ $code.=<<___ if ($flavour =~ /64/); // Processing the last two blocks with cipher stealing. mov x7,x3 cbnz x2,.Lxts_dec_1st_done - vld1.32 {$dat0},[$inp],#16 + vld1.8 {$dat0},[$inp],#16 // Decrypt the last secod block to get the last plain text block .Lxts_dec_1st_done: @@ -3584,9 +3586,9 @@ $code.=<<___ if ($flavour =~ /64/); // Decrypt the composite block to get the last second plain text block ldr $rounds,[$key_,#240] - vld1.8 {$dat},[$key_],#16 + vld1.32 {$dat},[$key_],#16 sub $rounds,$rounds,#2 - vld1.8 {$dat1},[$key_],#16 + vld1.32 {$dat1},[$key_],#16 .Loop_final_dec: aesd $tmpin,$dat0 aesimc $tmpin,$tmpin diff --git a/crypto/aes/asm/bsaes-armv7.pl b/crypto/aes/asm/bsaes-armv7.pl index 9c5dd5839acb..6cbd00e2c672 100644 --- a/crypto/aes/asm/bsaes-armv7.pl +++ b/crypto/aes/asm/bsaes-armv7.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -14,7 +14,7 @@ # details see http://www.openssl.org/~appro/cryptogams/. # # Specific modes and adaptation for Linux kernel by Ard Biesheuvel -# of Linaro. Permission to use under GPL terms is granted. +# of Linaro. # ==================================================================== # Bit-sliced AES for ARM NEON @@ -1447,7 +1447,7 @@ ossl_bsaes_ctr32_encrypt_blocks: .align 2 0: add r12, $key, #248 vld1.8 {@XMM[0]}, [$ctr] @ load counter - adrl $ctr, .LREVM0SR @ borrow $ctr + add $ctr, $const, #.LREVM0SR-.LM0 @ borrow $ctr vldmia r12, {@XMM[4]} @ load round0 key sub sp, #0x10 @ place for adjusted round0 key #endif diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c index 7c256493571e..4930d5022ee3 100644 --- a/crypto/asn1/a_bitstr.c +++ b/crypto/asn1/a_bitstr.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -148,6 +148,9 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value) int w, v, iv; unsigned char *c; + if (n < 0) + return 0; + w = n / 8; v = 1 << (7 - (n & 0x07)); iv = ~v; @@ -182,6 +185,9 @@ int ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *a, int n) { int w, v; + if (n < 0) + return 0; + w = n / 8; v = 1 << (7 - (n & 0x07)); if ((a == NULL) || (a->length < (w + 1)) || (a->data == NULL)) diff --git a/crypto/asn1/asn1_parse.c b/crypto/asn1/asn1_parse.c index 04d7ef66cfc9..6a4618d253d5 100644 --- a/crypto/asn1/asn1_parse.c +++ b/crypto/asn1/asn1_parse.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -50,7 +50,7 @@ static int asn1_print_info(BIO *bp, long offset, int depth, int hl, long len, pop_f_prefix = 1; } saved_indent = BIO_get_indent(bp); - if (BIO_set_prefix(bp, str) <= 0 || BIO_set_indent(bp, indent) < 0) + if (BIO_set_prefix(bp, str) <= 0 || BIO_set_indent(bp, indent) <= 0) goto err; } diff --git a/crypto/asn1/asn_pack.c b/crypto/asn1/asn_pack.c index 292e6d817697..2389264f17da 100644 --- a/crypto/asn1/asn_pack.c +++ b/crypto/asn1/asn_pack.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -29,7 +29,7 @@ ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct) OPENSSL_free(octmp->data); octmp->data = NULL; - if ((octmp->length = ASN1_item_i2d(obj, &octmp->data, it)) == 0) { + if ((octmp->length = ASN1_item_i2d(obj, &octmp->data, it)) <= 0) { ERR_raise(ERR_LIB_ASN1, ASN1_R_ENCODE_ERROR); goto err; } diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c index ecc16a5ee36a..c86b9ac198ca 100644 --- a/crypto/bio/bio_lib.c +++ b/crypto/bio/bio_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -784,7 +784,7 @@ BIO *BIO_dup_chain(BIO *in) /* This will let SSL_s_sock() work with stdin/stdout */ new_bio->num = bio->num; - if (!BIO_dup_state(bio, (char *)new_bio)) { + if (BIO_dup_state(bio, (char *)new_bio) <= 0) { BIO_free(new_bio); goto err; } diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c index 1cda96733548..8870831039e9 100644 --- a/crypto/bio/bss_acpt.c +++ b/crypto/bio/bss_acpt.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -566,7 +566,7 @@ BIO *BIO_new_accept(const char *str) ret = BIO_new(BIO_s_accept()); if (ret == NULL) return NULL; - if (BIO_set_accept_name(ret, str)) + if (BIO_set_accept_name(ret, str) > 0) return ret; BIO_free(ret); return NULL; diff --git a/crypto/bn/bn_asm.c b/crypto/bn/bn_asm.c index 257701d9dc7c..4ffe443066cc 100644 --- a/crypto/bn/bn_asm.c +++ b/crypto/bn/bn_asm.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -381,25 +381,33 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, #ifndef OPENSSL_SMALL_FOOTPRINT while (n & ~3) { t1 = a[0]; - t2 = b[0]; - r[0] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[0]; + t1 = (t2 - t1) & BN_MASK2; + r[0] = t1; + c += (t1 > t2); t1 = a[1]; - t2 = b[1]; - r[1] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[1]; + t1 = (t2 - t1) & BN_MASK2; + r[1] = t1; + c += (t1 > t2); t1 = a[2]; - t2 = b[2]; - r[2] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[2]; + t1 = (t2 - t1) & BN_MASK2; + r[2] = t1; + c += (t1 > t2); t1 = a[3]; - t2 = b[3]; - r[3] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[3]; + t1 = (t2 - t1) & BN_MASK2; + r[3] = t1; + c += (t1 > t2); a += 4; b += 4; r += 4; @@ -408,10 +416,12 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, #endif while (n) { t1 = a[0]; - t2 = b[0]; - r[0] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[0]; + t1 = (t2 - t1) & BN_MASK2; + r[0] = t1; + c += (t1 > t2); a++; b++; r++; @@ -446,7 +456,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, t += c0; /* no carry */ \ c0 = (BN_ULONG)Lw(t); \ hi = (BN_ULONG)Hw(t); \ - c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \ + c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \ } while(0) # define mul_add_c2(a,b,c0,c1,c2) do { \ @@ -455,11 +465,11 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, BN_ULLONG tt = t+c0; /* no carry */ \ c0 = (BN_ULONG)Lw(tt); \ hi = (BN_ULONG)Hw(tt); \ - c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \ + c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \ t += c0; /* no carry */ \ c0 = (BN_ULONG)Lw(t); \ hi = (BN_ULONG)Hw(t); \ - c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \ + c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \ } while(0) # define sqr_add_c(a,i,c0,c1,c2) do { \ @@ -468,7 +478,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, t += c0; /* no carry */ \ c0 = (BN_ULONG)Lw(t); \ hi = (BN_ULONG)Hw(t); \ - c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \ + c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \ } while(0) # define sqr_add_c2(a,i,j,c0,c1,c2) \ @@ -483,26 +493,26 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, BN_ULONG ta = (a), tb = (b); \ BN_ULONG lo, hi; \ BN_UMULT_LOHI(lo,hi,ta,tb); \ - c0 += lo; hi += (c0<lo)?1:0; \ - c1 += hi; c2 += (c1<hi)?1:0; \ + c0 += lo; hi += (c0<lo); \ + c1 += hi; c2 += (c1<hi); \ } while(0) # define mul_add_c2(a,b,c0,c1,c2) do { \ BN_ULONG ta = (a), tb = (b); \ BN_ULONG lo, hi, tt; \ BN_UMULT_LOHI(lo,hi,ta,tb); \ - c0 += lo; tt = hi+((c0<lo)?1:0); \ - c1 += tt; c2 += (c1<tt)?1:0; \ - c0 += lo; hi += (c0<lo)?1:0; \ - c1 += hi; c2 += (c1<hi)?1:0; \ + c0 += lo; tt = hi + (c0<lo); \ + c1 += tt; c2 += (c1<tt); \ + c0 += lo; hi += (c0<lo); \ + c1 += hi; c2 += (c1<hi); \ } while(0) # define sqr_add_c(a,i,c0,c1,c2) do { \ BN_ULONG ta = (a)[i]; \ BN_ULONG lo, hi; \ BN_UMULT_LOHI(lo,hi,ta,ta); \ - c0 += lo; hi += (c0<lo)?1:0; \ - c1 += hi; c2 += (c1<hi)?1:0; \ + c0 += lo; hi += (c0<lo); \ + c1 += hi; c2 += (c1<hi); \ } while(0) # define sqr_add_c2(a,i,j,c0,c1,c2) \ @@ -517,26 +527,26 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, BN_ULONG ta = (a), tb = (b); \ BN_ULONG lo = ta * tb; \ BN_ULONG hi = BN_UMULT_HIGH(ta,tb); \ - c0 += lo; hi += (c0<lo)?1:0; \ - c1 += hi; c2 += (c1<hi)?1:0; \ + c0 += lo; hi += (c0<lo); \ + c1 += hi; c2 += (c1<hi); \ } while(0) # define mul_add_c2(a,b,c0,c1,c2) do { \ BN_ULONG ta = (a), tb = (b), tt; \ BN_ULONG lo = ta * tb; \ BN_ULONG hi = BN_UMULT_HIGH(ta,tb); \ - c0 += lo; tt = hi + ((c0<lo)?1:0); \ - c1 += tt; c2 += (c1<tt)?1:0; \ - c0 += lo; hi += (c0<lo)?1:0; \ - c1 += hi; c2 += (c1<hi)?1:0; \ + c0 += lo; tt = hi + (c0<lo); \ + c1 += tt; c2 += (c1<tt); \ + c0 += lo; hi += (c0<lo); \ + c1 += hi; c2 += (c1<hi); \ } while(0) # define sqr_add_c(a,i,c0,c1,c2) do { \ BN_ULONG ta = (a)[i]; \ BN_ULONG lo = ta * ta; \ BN_ULONG hi = BN_UMULT_HIGH(ta,ta); \ - c0 += lo; hi += (c0<lo)?1:0; \ - c1 += hi; c2 += (c1<hi)?1:0; \ + c0 += lo; hi += (c0<lo); \ + c1 += hi; c2 += (c1<hi); \ } while(0) # define sqr_add_c2(a,i,j,c0,c1,c2) \ @@ -551,8 +561,8 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, BN_ULONG lo = LBITS(a), hi = HBITS(a); \ BN_ULONG bl = LBITS(b), bh = HBITS(b); \ mul64(lo,hi,bl,bh); \ - c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \ - c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \ + c0 = (c0+lo)&BN_MASK2; hi += (c0<lo); \ + c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \ } while(0) # define mul_add_c2(a,b,c0,c1,c2) do { \ @@ -561,17 +571,17 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, BN_ULONG bl = LBITS(b), bh = HBITS(b); \ mul64(lo,hi,bl,bh); \ tt = hi; \ - c0 = (c0+lo)&BN_MASK2; if (c0<lo) tt++; \ - c1 = (c1+tt)&BN_MASK2; if (c1<tt) c2++; \ - c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \ - c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \ + c0 = (c0+lo)&BN_MASK2; tt += (c0<lo); \ + c1 = (c1+tt)&BN_MASK2; c2 += (c1<tt); \ + c0 = (c0+lo)&BN_MASK2; hi += (c0<lo); \ + c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \ } while(0) # define sqr_add_c(a,i,c0,c1,c2) do { \ BN_ULONG lo, hi; \ sqr64(lo,hi,(a)[i]); \ - c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \ - c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \ + c0 = (c0+lo)&BN_MASK2; hi += (c0<lo); \ + c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \ } while(0) # define sqr_add_c2(a,i,j,c0,c1,c2) \ diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c index 0b6d1bccc2a2..7e5a1c52e27d 100644 --- a/crypto/bn/bn_blind.c +++ b/crypto/bn/bn_blind.c @@ -13,6 +13,20 @@ #define BN_BLINDING_COUNTER 32 +struct bn_blinding_st { + BIGNUM *A; + BIGNUM *Ai; + BIGNUM *e; + BIGNUM *mod; /* just a reference */ + CRYPTO_THREAD_ID tid; + int counter; + unsigned long flags; + BN_MONT_CTX *m_ctx; + int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); + CRYPTO_RWLOCK *lock; +}; + BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) { BN_BLINDING *ret = NULL; @@ -177,7 +191,8 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, n->top = (int)(rtop & ~mask) | (ntop & mask); n->flags |= (BN_FLG_FIXED_TOP & ~mask); } - ret = BN_mod_mul_montgomery(n, n, r, b->m_ctx, ctx); + ret = bn_mul_mont_fixed_top(n, n, r, b->m_ctx, ctx); + bn_correct_top_consttime(n); } else { ret = BN_mod_mul(n, n, r, b->mod, ctx); } diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 7ad6842560b4..cf1bfe8ab085 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1021,6 +1021,28 @@ BIGNUM *bn_wexpand(BIGNUM *a, int words) return (words <= a->dmax) ? a : bn_expand2(a, words); } +void bn_correct_top_consttime(BIGNUM *a) +{ + int j, atop; + BN_ULONG limb; + unsigned int mask; + + for (j = 0, atop = 0; j < a->dmax; j++) { + limb = a->d[j]; + limb |= 0 - limb; + limb >>= BN_BITS2 - 1; + limb = 0 - limb; + mask = (unsigned int)limb; + mask &= constant_time_msb(j - a->top); + atop = constant_time_select_int(mask, j + 1, atop); + } + + mask = constant_time_eq_int(atop, 0); + a->top = atop; + a->neg = constant_time_select_int(mask, 0, a->neg); + a->flags &= ~BN_FLG_FIXED_TOP; +} + void bn_correct_top(BIGNUM *a) { BN_ULONG *ftl; diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h index 2cc445607e18..50e9d26e215b 100644 --- a/crypto/bn/bn_local.h +++ b/crypto/bn/bn_local.h @@ -290,20 +290,6 @@ struct bn_gencb_st { } cb; }; -struct bn_blinding_st { - BIGNUM *A; - BIGNUM *Ai; - BIGNUM *e; - BIGNUM *mod; /* just a reference */ - CRYPTO_THREAD_ID tid; - int counter; - unsigned long flags; - BN_MONT_CTX *m_ctx; - int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); - CRYPTO_RWLOCK *lock; -}; - /*- * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions * @@ -378,24 +364,6 @@ struct bn_blinding_st { # define BN_MUL_LOW_RECURSIVE_SIZE_NORMAL (32)/* 32 */ # define BN_MONT_CTX_SET_SIZE_WORD (64)/* 32 */ -/* - * 2011-02-22 SMS. In various places, a size_t variable or a type cast to - * size_t was used to perform integer-only operations on pointers. This - * failed on VMS with 64-bit pointers (CC /POINTER_SIZE = 64) because size_t - * is still only 32 bits. What's needed in these cases is an integer type - * with the same size as a pointer, which size_t is not certain to be. The - * only fix here is VMS-specific. - */ -# if defined(OPENSSL_SYS_VMS) -# if __INITIAL_POINTER_SIZE == 64 -# define PTR_SIZE_INT long long -# else /* __INITIAL_POINTER_SIZE == 64 */ -# define PTR_SIZE_INT int -# endif /* __INITIAL_POINTER_SIZE == 64 [else] */ -# elif !defined(PTR_SIZE_INT) /* defined(OPENSSL_SYS_VMS) */ -# define PTR_SIZE_INT size_t -# endif /* defined(OPENSSL_SYS_VMS) [else] */ - # if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) && !defined(PEDANTIC) /* * BN_UMULT_HIGH section. @@ -536,10 +504,10 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, ret = (r); \ BN_UMULT_LOHI(low,high,w,tmp); \ ret += (c); \ - (c) = (ret<(c))?1:0; \ + (c) = (ret<(c)); \ (c) += high; \ ret += low; \ - (c) += (ret<low)?1:0; \ + (c) += (ret<low); \ (r) = ret; \ } @@ -548,7 +516,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, BN_UMULT_LOHI(low,high,w,ta); \ ret = low + (c); \ (c) = high; \ - (c) += (ret<low)?1:0; \ + (c) += (ret<low); \ (r) = ret; \ } @@ -564,10 +532,10 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, high= BN_UMULT_HIGH(w,tmp); \ ret += (c); \ low = (w) * tmp; \ - (c) = (ret<(c))?1:0; \ + (c) = (ret<(c)); \ (c) += high; \ ret += low; \ - (c) += (ret<low)?1:0; \ + (c) += (ret<low); \ (r) = ret; \ } @@ -577,7 +545,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, high= BN_UMULT_HIGH(w,ta); \ ret = low + (c); \ (c) = high; \ - (c) += (ret<low)?1:0; \ + (c) += (ret<low); \ (r) = ret; \ } @@ -610,10 +578,10 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, lt=(bl)*(lt); \ m1=(bl)*(ht); \ ht =(bh)*(ht); \ - m=(m+m1)&BN_MASK2; if (m < m1) ht+=L2HBITS((BN_ULONG)1); \ + m=(m+m1)&BN_MASK2; ht += L2HBITS((BN_ULONG)(m < m1)); \ ht+=HBITS(m); \ m1=L2HBITS(m); \ - lt=(lt+m1)&BN_MASK2; if (lt < m1) ht++; \ + lt=(lt+m1)&BN_MASK2; ht += (lt < m1); \ (l)=lt; \ (h)=ht; \ } @@ -630,7 +598,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, h*=h; \ h+=(m&BN_MASK2h1)>>(BN_BITS4-1); \ m =(m&BN_MASK2l)<<(BN_BITS4+1); \ - l=(l+m)&BN_MASK2; if (l < m) h++; \ + l=(l+m)&BN_MASK2; h += (l < m); \ (lo)=l; \ (ho)=h; \ } @@ -644,9 +612,9 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, mul64(l,h,(bl),(bh)); \ \ /* non-multiply part */ \ - l=(l+(c))&BN_MASK2; if (l < (c)) h++; \ + l=(l+(c))&BN_MASK2; h += (l < (c)); \ (c)=(r); \ - l=(l+(c))&BN_MASK2; if (l < (c)) h++; \ + l=(l+(c))&BN_MASK2; h += (l < (c)); \ (c)=h&BN_MASK2; \ (r)=l; \ } @@ -660,7 +628,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, mul64(l,h,(bl),(bh)); \ \ /* non-multiply part */ \ - l+=(c); if ((l&BN_MASK2) < (c)) h++; \ + l+=(c); h += ((l&BN_MASK2) < (c)); \ (c)=h&BN_MASK2; \ (r)=l&BN_MASK2; \ } @@ -690,7 +658,7 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int cl, int dl); int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, int num); - +void bn_correct_top_consttime(BIGNUM *a); BIGNUM *int_bn_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx, int *noinv); diff --git a/crypto/bn/bn_nist.c b/crypto/bn/bn_nist.c index da10c4054a3e..3d4d9a2fb2df 100644 --- a/crypto/bn/bn_nist.c +++ b/crypto/bn/bn_nist.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -338,7 +338,6 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, sizeof(unsigned int)]; } buf; BN_ULONG c_d[BN_NIST_192_TOP], *res; - PTR_SIZE_INT mask; static const BIGNUM ossl_bignum_nist_p_192_sqr = { (BN_ULONG *)_nist_p_192_sqr, OSSL_NELEM(_nist_p_192_sqr), @@ -439,13 +438,9 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, * 'tmp=result-modulus; if (!carry || !borrow) result=tmp;' * this is what happens below, but without explicit if:-) a. */ - mask = - 0 - (PTR_SIZE_INT) bn_sub_words(c_d, r_d, _nist_p_192[0], - BN_NIST_192_TOP); - mask &= 0 - (PTR_SIZE_INT) carry; - res = c_d; - res = (BN_ULONG *) - (((PTR_SIZE_INT) res & ~mask) | ((PTR_SIZE_INT) r_d & mask)); + res = (bn_sub_words(c_d, r_d, _nist_p_192[0], BN_NIST_192_TOP) && carry) + ? r_d + : c_d; nist_cp_bn(r_d, res, BN_NIST_192_TOP); r->top = BN_NIST_192_TOP; bn_correct_top(r); @@ -479,11 +474,7 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, sizeof(unsigned int)]; } buf; BN_ULONG c_d[BN_NIST_224_TOP], *res; - PTR_SIZE_INT mask; - union { - bn_addsub_f f; - PTR_SIZE_INT p; - } u; + bn_addsub_f adjust; static const BIGNUM ossl_bignum_nist_p_224_sqr = { (BN_ULONG *)_nist_p_224_sqr, OSSL_NELEM(_nist_p_224_sqr), @@ -597,7 +588,7 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, # endif } #endif - u.f = bn_sub_words; + adjust = bn_sub_words; if (carry > 0) { carry = (int)bn_sub_words(r_d, r_d, _nist_p_224[carry - 1], @@ -616,19 +607,14 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, carry = (int)bn_add_words(r_d, r_d, _nist_p_224[-carry - 1], BN_NIST_224_TOP); - mask = 0 - (PTR_SIZE_INT) carry; - u.p = ((PTR_SIZE_INT) bn_sub_words & mask) | - ((PTR_SIZE_INT) bn_add_words & ~mask); + adjust = carry ? bn_sub_words : bn_add_words; } else carry = 1; /* otherwise it's effectively same as in BN_nist_mod_192... */ - mask = - 0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_224[0], BN_NIST_224_TOP); - mask &= 0 - (PTR_SIZE_INT) carry; - res = c_d; - res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | - ((PTR_SIZE_INT) r_d & mask)); + res = ((*adjust) (c_d, r_d, _nist_p_224[0], BN_NIST_224_TOP) && carry) + ? r_d + : c_d; nist_cp_bn(r_d, res, BN_NIST_224_TOP); r->top = BN_NIST_224_TOP; bn_correct_top(r); @@ -660,11 +646,7 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, sizeof(unsigned int)]; } buf; BN_ULONG c_d[BN_NIST_256_TOP], *res; - PTR_SIZE_INT mask; - union { - bn_addsub_f f; - PTR_SIZE_INT p; - } u; + bn_addsub_f adjust; static const BIGNUM ossl_bignum_nist_p_256_sqr = { (BN_ULONG *)_nist_p_256_sqr, OSSL_NELEM(_nist_p_256_sqr), @@ -850,7 +832,7 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, } #endif /* see BN_nist_mod_224 for explanation */ - u.f = bn_sub_words; + adjust = bn_sub_words; if (carry > 0) carry = (int)bn_sub_words(r_d, r_d, _nist_p_256[carry - 1], @@ -859,18 +841,13 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, carry = (int)bn_add_words(r_d, r_d, _nist_p_256[-carry - 1], BN_NIST_256_TOP); - mask = 0 - (PTR_SIZE_INT) carry; - u.p = ((PTR_SIZE_INT) bn_sub_words & mask) | - ((PTR_SIZE_INT) bn_add_words & ~mask); + adjust = carry ? bn_sub_words : bn_add_words; } else carry = 1; - mask = - 0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_256[0], BN_NIST_256_TOP); - mask &= 0 - (PTR_SIZE_INT) carry; - res = c_d; - res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | - ((PTR_SIZE_INT) r_d & mask)); + res = ((*adjust) (c_d, r_d, _nist_p_256[0], BN_NIST_256_TOP) && carry) + ? r_d + : c_d; nist_cp_bn(r_d, res, BN_NIST_256_TOP); r->top = BN_NIST_256_TOP; bn_correct_top(r); @@ -906,11 +883,7 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, sizeof(unsigned int)]; } buf; BN_ULONG c_d[BN_NIST_384_TOP], *res; - PTR_SIZE_INT mask; - union { - bn_addsub_f f; - PTR_SIZE_INT p; - } u; + bn_addsub_f adjust; static const BIGNUM ossl_bignum_nist_p_384_sqr = { (BN_ULONG *)_nist_p_384_sqr, OSSL_NELEM(_nist_p_384_sqr), @@ -1131,7 +1104,7 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, } #endif /* see BN_nist_mod_224 for explanation */ - u.f = bn_sub_words; + adjust = bn_sub_words; if (carry > 0) carry = (int)bn_sub_words(r_d, r_d, _nist_p_384[carry - 1], @@ -1140,18 +1113,13 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, carry = (int)bn_add_words(r_d, r_d, _nist_p_384[-carry - 1], BN_NIST_384_TOP); - mask = 0 - (PTR_SIZE_INT) carry; - u.p = ((PTR_SIZE_INT) bn_sub_words & mask) | - ((PTR_SIZE_INT) bn_add_words & ~mask); + adjust = carry ? bn_sub_words : bn_add_words; } else carry = 1; - mask = - 0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_384[0], BN_NIST_384_TOP); - mask &= 0 - (PTR_SIZE_INT) carry; - res = c_d; - res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | - ((PTR_SIZE_INT) r_d & mask)); + res = ((*adjust) (c_d, r_d, _nist_p_384[0], BN_NIST_384_TOP) && carry) + ? r_d + : c_d; nist_cp_bn(r_d, res, BN_NIST_384_TOP); r->top = BN_NIST_384_TOP; bn_correct_top(r); @@ -1168,7 +1136,6 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, { int top = a->top, i; BN_ULONG *r_d, *a_d = a->d, t_d[BN_NIST_521_TOP], val, tmp, *res; - PTR_SIZE_INT mask; static const BIGNUM ossl_bignum_nist_p_521_sqr = { (BN_ULONG *)_nist_p_521_sqr, OSSL_NELEM(_nist_p_521_sqr), @@ -1221,12 +1188,10 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, r_d[i] &= BN_NIST_521_TOP_MASK; bn_add_words(r_d, r_d, t_d, BN_NIST_521_TOP); - mask = - 0 - (PTR_SIZE_INT) bn_sub_words(t_d, r_d, _nist_p_521, - BN_NIST_521_TOP); - res = t_d; - res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | - ((PTR_SIZE_INT) r_d & mask)); + res = bn_sub_words(t_d, r_d, _nist_p_521, + BN_NIST_521_TOP) + ? r_d + : t_d; nist_cp_bn(r_d, res, BN_NIST_521_TOP); r->top = BN_NIST_521_TOP; bn_correct_top(r); diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_4.c index abce1aa2d830..62d8685d03e0 100644 --- a/crypto/bn/bn_rsa_fips186_4.c +++ b/crypto/bn/bn_rsa_fips186_4.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -318,7 +318,7 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, * sqrt(2) * 2^(nlen/2-1) <= Random X <= (2^(nlen/2)) - 1. */ if (!BN_priv_rand_range_ex(X, range, 0, ctx) || !BN_add(X, X, base)) - goto end; + goto err; } /* (Step 4) Y = X + ((R - X) mod 2r1r2) */ if (!BN_mod_sub(Y, R, X, r1r2x2, ctx) || !BN_add(Y, Y, X)) diff --git a/crypto/bn/build.info b/crypto/bn/build.info index f4ff6192393e..c4ba51b26552 100644 --- a/crypto/bn/build.info +++ b/crypto/bn/build.info @@ -105,7 +105,7 @@ $COMMON=bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \ bn_mod.c bn_conv.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \ bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_sqr.c \ bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ - bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c rsa_sup_mul.c + bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c SOURCE[../../libcrypto]=$COMMON $BNASM bn_print.c bn_err.c bn_srp.c DEFINE[../../libcrypto]=$BNDEF IF[{- !$disabled{'deprecated-0.9.8'} -}] diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c deleted file mode 100644 index 0e0d02e1946e..000000000000 --- a/crypto/bn/rsa_sup_mul.c +++ /dev/null @@ -1,604 +0,0 @@ -#include <openssl/e_os2.h> -#include <stddef.h> -#include <sys/types.h> -#include <string.h> -#include <openssl/bn.h> -#include <openssl/err.h> -#include <openssl/rsaerr.h> -#include "internal/endian.h" -#include "internal/numbers.h" -#include "internal/constant_time.h" -#include "bn_local.h" - -# if BN_BYTES == 8 -typedef uint64_t limb_t; -# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16 -typedef uint128_t limb2_t; -# define HAVE_LIMB2_T -# endif -# define LIMB_BIT_SIZE 64 -# define LIMB_BYTE_SIZE 8 -# elif BN_BYTES == 4 -typedef uint32_t limb_t; -typedef uint64_t limb2_t; -# define LIMB_BIT_SIZE 32 -# define LIMB_BYTE_SIZE 4 -# define HAVE_LIMB2_T -# else -# error "Not supported" -# endif - -/* - * For multiplication we're using schoolbook multiplication, - * so if we have two numbers, each with 6 "digits" (words) - * the multiplication is calculated as follows: - * A B C D E F - * x I J K L M N - * -------------- - * N*F - * N*E - * N*D - * N*C - * N*B - * N*A - * M*F - * M*E - * M*D - * M*C - * M*B - * M*A - * L*F - * L*E - * L*D - * L*C - * L*B - * L*A - * K*F - * K*E - * K*D - * K*C - * K*B - * K*A - * J*F - * J*E - * J*D - * J*C - * J*B - * J*A - * I*F - * I*E - * I*D - * I*C - * I*B - * + I*A - * ========================== - * N*B N*D N*F - * + N*A N*C N*E - * + M*B M*D M*F - * + M*A M*C M*E - * + L*B L*D L*F - * + L*A L*C L*E - * + K*B K*D K*F - * + K*A K*C K*E - * + J*B J*D J*F - * + J*A J*C J*E - * + I*B I*D I*F - * + I*A I*C I*E - * - * 1+1 1+3 1+5 - * 1+0 1+2 1+4 - * 0+1 0+3 0+5 - * 0+0 0+2 0+4 - * - * 0 1 2 3 4 5 6 - * which requires n^2 multiplications and 2n full length additions - * as we can keep every other result of limb multiplication in two separate - * limbs - */ - -#if defined HAVE_LIMB2_T -static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -{ - limb2_t t; - /* - * this is idiomatic code to tell compiler to use the native mul - * those three lines will actually compile to single instruction - */ - - t = (limb2_t)a * b; - *hi = t >> LIMB_BIT_SIZE; - *lo = (limb_t)t; -} -#elif (BN_BYTES == 8) && (defined _MSC_VER) -/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */ -#pragma intrinsic(_umul128) -static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -{ - *lo = _umul128(a, b, hi); -} -#else -/* - * if the compiler doesn't have either a 128bit data type nor a "return - * high 64 bits of multiplication" - */ -static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -{ - limb_t a_low = (limb_t)(uint32_t)a; - limb_t a_hi = a >> 32; - limb_t b_low = (limb_t)(uint32_t)b; - limb_t b_hi = b >> 32; - - limb_t p0 = a_low * b_low; - limb_t p1 = a_low * b_hi; - limb_t p2 = a_hi * b_low; - limb_t p3 = a_hi * b_hi; - - uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32); - - *lo = p0 + (p1 << 32) + (p2 << 32); - *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy; -} -#endif - -/* add two limbs with carry in, return carry out */ -static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry) -{ - limb_t carry1, carry2, t; - /* - * `c = a + b; if (c < a)` is idiomatic code that makes compilers - * use add with carry on assembly level - */ - - *ret = a + carry; - if (*ret < a) - carry1 = 1; - else - carry1 = 0; - - t = *ret; - *ret = t + b; - if (*ret < t) - carry2 = 1; - else - carry2 = 0; - - return carry1 + carry2; -} - -/* - * add two numbers of the same size, return overflow - * - * add a to b, place result in ret; all arrays need to be n limbs long - * return overflow from addition (0 or 1) - */ -static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n) -{ - limb_t c = 0; - ossl_ssize_t i; - - for(i = n - 1; i > -1; i--) - c = _add_limb(&ret[i], a[i], b[i], c); - - return c; -} - -/* - * return number of limbs necessary for temporary values - * when multiplying numbers n limbs large - */ -static ossl_inline size_t mul_limb_numb(size_t n) -{ - return 2 * n * 2; -} - -/* - * multiply two numbers of the same size - * - * multiply a by b, place result in ret; a and b need to be n limbs long - * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs - * long - */ -static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp) -{ - limb_t *r_odd, *r_even; - size_t i, j, k; - - r_odd = tmp; - r_even = &tmp[2 * n]; - - memset(ret, 0, 2 * n * sizeof(limb_t)); - - for (i = 0; i < n; i++) { - for (k = 0; k < i + n + 1; k++) { - r_even[k] = 0; - r_odd[k] = 0; - } - for (j = 0; j < n; j++) { - /* - * place results from even and odd limbs in separate arrays so that - * we don't have to calculate overflow every time we get individual - * limb multiplication result - */ - if (j % 2 == 0) - _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]); - else - _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]); - } - /* - * skip the least significant limbs when adding multiples of - * more significant limbs (they're zero anyway) - */ - add(ret, ret, r_even, n + i + 1); - add(ret, ret, r_odd, n + i + 1); - } -} - -/* modifies the value in place by performing a right shift by one bit */ -static ossl_inline void rshift1(limb_t *val, size_t n) -{ - limb_t shift_in = 0, shift_out = 0; - size_t i; - - for (i = 0; i < n; i++) { - shift_out = val[i] & 1; - val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1); - shift_in = shift_out; - } -} - -/* extend the LSB of flag to all bits of limb */ -static ossl_inline limb_t mk_mask(limb_t flag) -{ - flag |= flag << 1; - flag |= flag << 2; - flag |= flag << 4; - flag |= flag << 8; - flag |= flag << 16; -#if (LIMB_BYTE_SIZE == 8) - flag |= flag << 32; -#endif - return flag; -} - -/* - * copy from either a or b to ret based on flag - * when flag == 0, then copies from b - * when flag == 1, then copies from a - */ -static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n) -{ - /* - * would be more efficient with non volatile mask, but then gcc - * generates code with jumps - */ - volatile limb_t mask; - size_t i; - - mask = mk_mask(flag); - for (i = 0; i < n; i++) { -#if (LIMB_BYTE_SIZE == 8) - ret[i] = constant_time_select_64(mask, a[i], b[i]); -#else - ret[i] = constant_time_select_32(mask, a[i], b[i]); -#endif - } -} - -static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow) -{ - limb_t borrow1, borrow2, t; - /* - * while it doesn't look constant-time, this is idiomatic code - * to tell compilers to use the carry bit from subtraction - */ - - *ret = a - borrow; - if (*ret > a) - borrow1 = 1; - else - borrow1 = 0; - - t = *ret; - *ret = t - b; - if (*ret > t) - borrow2 = 1; - else - borrow2 = 0; - - return borrow1 + borrow2; -} - -/* - * place the result of a - b into ret, return the borrow bit. - * All arrays need to be n limbs long - */ -static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n) -{ - limb_t borrow = 0; - ossl_ssize_t i; - - for (i = n - 1; i > -1; i--) - borrow = _sub_limb(&ret[i], a[i], b[i], borrow); - - return borrow; -} - -/* return the number of limbs necessary to allocate for the mod() tmp operand */ -static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum) -{ - return (anum + modnum) * 3; -} - -/* - * calculate a % mod, place the result in ret - * size of a is defined by anum, size of ret and mod is modnum, - * size of tmp is returned by mod_limb_numb() - */ -static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod, - size_t modnum, limb_t *tmp) -{ - limb_t *atmp, *modtmp, *rettmp; - limb_t res; - size_t i; - - memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE); - - atmp = tmp; - modtmp = &tmp[anum + modnum]; - rettmp = &tmp[(anum + modnum) * 2]; - - for (i = modnum; i <modnum + anum; i++) - atmp[i] = a[i-modnum]; - - for (i = 0; i < modnum; i++) - modtmp[i] = mod[i]; - - for (i = 0; i < anum * LIMB_BIT_SIZE; i++) { - rshift1(modtmp, anum + modnum); - res = sub(rettmp, atmp, modtmp, anum+modnum); - cselect(res, atmp, atmp, rettmp, anum+modnum); - } - - memcpy(ret, &atmp[anum], sizeof(limb_t) * modnum); -} - -/* necessary size of tmp for a _mul_add_limb() call with provided anum */ -static ossl_inline size_t _mul_add_limb_numb(size_t anum) -{ - return 2 * (anum + 1); -} - -/* multiply a by m, add to ret, return carry */ -static limb_t _mul_add_limb(limb_t *ret, limb_t *a, size_t anum, - limb_t m, limb_t *tmp) -{ - limb_t carry = 0; - limb_t *r_odd, *r_even; - size_t i; - - memset(tmp, 0, sizeof(limb_t) * (anum + 1) * 2); - - r_odd = tmp; - r_even = &tmp[anum + 1]; - - for (i = 0; i < anum; i++) { - /* - * place the results from even and odd limbs in separate arrays - * so that we have to worry about carry just once - */ - if (i % 2 == 0) - _mul_limb(&r_even[i], &r_even[i + 1], a[i], m); - else - _mul_limb(&r_odd[i], &r_odd[i + 1], a[i], m); - } - /* assert: add() carry here will be equal zero */ - add(r_even, r_even, r_odd, anum + 1); - /* - * while here it will not overflow as the max value from multiplication - * is -2 while max overflow from addition is 1, so the max value of - * carry is -1 (i.e. max int) - */ - carry = add(ret, ret, &r_even[1], anum) + r_even[0]; - - return carry; -} - -static ossl_inline size_t mod_montgomery_limb_numb(size_t modnum) -{ - return modnum * 2 + _mul_add_limb_numb(modnum); -} - -/* - * calculate a % mod, place result in ret - * assumes that a is in Montgomery form with the R (Montgomery modulus) being - * smallest power of two big enough to fit mod and that's also a power - * of the count of number of bits in limb_t (B). - * For calculation, we also need n', such that mod * n' == -1 mod B. - * anum must be <= 2 * modnum - * ret needs to be modnum words long - * tmp needs to be mod_montgomery_limb_numb(modnum) limbs long - */ -static void mod_montgomery(limb_t *ret, limb_t *a, size_t anum, limb_t *mod, - size_t modnum, limb_t ni0, limb_t *tmp) -{ - limb_t carry, v; - limb_t *res, *rp, *tmp2; - ossl_ssize_t i; - - res = tmp; - /* - * for intermediate result we need an integer twice as long as modulus - * but keep the input in the least significant limbs - */ - memset(res, 0, sizeof(limb_t) * (modnum * 2)); - memcpy(&res[modnum * 2 - anum], a, sizeof(limb_t) * anum); - rp = &res[modnum]; - tmp2 = &res[modnum * 2]; - - carry = 0; - - /* add multiples of the modulus to the value until R divides it cleanly */ - for (i = modnum; i > 0; i--, rp--) { - v = _mul_add_limb(rp, mod, modnum, rp[modnum-1] * ni0, tmp2); - v = v + carry + rp[-1]; - carry |= (v != rp[-1]); - carry &= (v <= rp[-1]); - rp[-1] = v; - } - - /* perform the final reduction by mod... */ - carry -= sub(ret, rp, mod, modnum); - - /* ...conditionally */ - cselect(carry, ret, rp, ret, modnum); -} - -/* allocated buffer should be freed afterwards */ -static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs) -{ - int i; - int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; - limb_t *ptr = buf + (limbs - real_limbs); - - for (i = 0; i < real_limbs; i++) - ptr[i] = bn->d[real_limbs - i - 1]; -} - -#if LIMB_BYTE_SIZE == 8 -static ossl_inline uint64_t be64(uint64_t host) -{ - uint64_t big = 0; - DECLARE_IS_ENDIAN; - - if (!IS_LITTLE_ENDIAN) - return host; - - big |= (host & 0xff00000000000000) >> 56; - big |= (host & 0x00ff000000000000) >> 40; - big |= (host & 0x0000ff0000000000) >> 24; - big |= (host & 0x000000ff00000000) >> 8; - big |= (host & 0x00000000ff000000) << 8; - big |= (host & 0x0000000000ff0000) << 24; - big |= (host & 0x000000000000ff00) << 40; - big |= (host & 0x00000000000000ff) << 56; - return big; -} - -#else -/* Not all platforms have htobe32(). */ -static ossl_inline uint32_t be32(uint32_t host) -{ - uint32_t big = 0; - DECLARE_IS_ENDIAN; - - if (!IS_LITTLE_ENDIAN) - return host; - - big |= (host & 0xff000000) >> 24; - big |= (host & 0x00ff0000) >> 8; - big |= (host & 0x0000ff00) << 8; - big |= (host & 0x000000ff) << 24; - return big; -} -#endif - -/* - * We assume that intermediate, possible_arg2, blinding, and ctx are used - * similar to BN_BLINDING_invert_ex() arguments. - * to_mod is RSA modulus. - * buf and num is the serialization buffer and its length. - * - * Here we use classic/Montgomery multiplication and modulo. After the calculation finished - * we serialize the new structure instead of BIGNUMs taking endianness into account. - */ -int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, - const BN_BLINDING *blinding, - const BIGNUM *possible_arg2, - const BIGNUM *to_mod, BN_CTX *ctx, - unsigned char *buf, int num) -{ - limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL; - limb_t *l_ret = NULL, *l_tmp = NULL, l_buf; - size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0; - size_t l_tmp_count = 0; - int ret = 0; - size_t i; - unsigned char *tmp; - const BIGNUM *arg1 = intermediate; - const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2; - - l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; - l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; - l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; - - l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count; - l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); - l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); - l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE); - - if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL)) - goto err; - - BN_to_limb(arg1, l_im, l_size); - BN_to_limb(arg2, l_mul, l_size); - BN_to_limb(to_mod, l_mod, l_mod_count); - - l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE); - - if (blinding->m_ctx != NULL) { - l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ? - mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count); - l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); - } else { - l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ? - mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count); - l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); - } - - if ((l_ret == NULL) || (l_tmp == NULL)) - goto err; - - if (blinding->m_ctx != NULL) { - limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); - mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, - blinding->m_ctx->n0[0], l_tmp); - } else { - limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); - mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp); - } - - /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */ - if (num < BN_num_bytes(to_mod)) { - ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT); - goto err; - } - - memset(buf, 0, num); - tmp = buf + num - BN_num_bytes(to_mod); - for (i = 0; i < l_mod_count; i++) { -#if LIMB_BYTE_SIZE == 8 - l_buf = be64(l_ret[i]); -#else - l_buf = be32(l_ret[i]); -#endif - if (i == 0) { - int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num); - - memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta); - tmp += delta; - } else { - memcpy(tmp, &l_buf, LIMB_BYTE_SIZE); - tmp += LIMB_BYTE_SIZE; - } - } - ret = num; - - err: - OPENSSL_free(l_im); - OPENSSL_free(l_mul); - OPENSSL_free(l_mod); - OPENSSL_free(l_tmp); - OPENSSL_free(l_ret); - - return ret; -} diff --git a/crypto/build.info b/crypto/build.info index 16584234feb7..b90390ae864c 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -97,9 +97,7 @@ $UTIL_COMMON=\ context.c sparse_array.c asn1_dsa.c packet.c param_build.c \ param_build_set.c der_writer.c threads_lib.c params_dup.c -IF[{- !$disabled{shared} -}] - SOURCE[../libssl]=sparse_array.c -ENDIF +SHARED_SOURCE[../libssl]=sparse_array.c SOURCE[../libcrypto]=$UTIL_COMMON \ mem.c mem_sec.c \ diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c index 22ae7d07e82d..dc41f4c3b7d9 100644 --- a/crypto/cmp/cmp_client.c +++ b/crypto/cmp/cmp_client.c @@ -64,10 +64,10 @@ static int unprotected_exception(const OSSL_CMP_CTX *ctx, break; default: if (IS_CREP(rcvd_type)) { + int any_rid = OSSL_CMP_CERTREQID_NONE; OSSL_CMP_CERTREPMESSAGE *crepmsg = rep->body->value.ip; OSSL_CMP_CERTRESPONSE *crep = - ossl_cmp_certrepmessage_get0_certresponse(crepmsg, - -1 /* any rid */); + ossl_cmp_certrepmessage_get0_certresponse(crepmsg, any_rid); if (sk_OSSL_CMP_CERTRESPONSE_num(crepmsg->response) > 1) return -1; @@ -357,15 +357,16 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid, * Send certConf for IR, CR or KUR sequences and check response, * not modifying ctx->status during the certConf exchange */ -int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int fail_info, - const char *txt) +int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId, + int fail_info, const char *txt) { OSSL_CMP_MSG *certConf; OSSL_CMP_MSG *PKIconf = NULL; int res = 0; /* OSSL_CMP_certConf_new() also checks if all necessary options are set */ - if ((certConf = ossl_cmp_certConf_new(ctx, fail_info, txt)) == NULL) + certConf = ossl_cmp_certConf_new(ctx, certReqId, fail_info, txt); + if (certConf == NULL) goto err; res = send_receive_check(ctx, certConf, &PKIconf, OSSL_CMP_PKIBODY_PKICONF); @@ -411,12 +412,10 @@ static X509 *get1_cert_status(OSSL_CMP_CTX *ctx, int bodytype, { char buf[OSSL_CMP_PKISI_BUFLEN]; X509 *crt = NULL; - EVP_PKEY *privkey; if (!ossl_assert(ctx != NULL && crep != NULL)) return NULL; - privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1); switch (ossl_cmp_pkisi_get_status(crep->status)) { case OSSL_CMP_PKISTATUS_waiting: ossl_cmp_err(ctx, @@ -454,7 +453,7 @@ static X509 *get1_cert_status(OSSL_CMP_CTX *ctx, int bodytype, ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_PKISTATUS); goto err; } - crt = ossl_cmp_certresponse_get1_cert(crep, ctx, privkey); + crt = ossl_cmp_certresponse_get1_cert(ctx, crep); if (crt == NULL) /* according to PKIStatus, we can expect a cert */ ERR_raise(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_FOUND); @@ -493,18 +492,46 @@ int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info, if (fail_info != 0) /* accept any error flagged by CMP core library */ return fail_info; - ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert"); - chain = X509_build_chain(cert, ctx->untrusted, out_trusted /* maybe NULL */, - 0, ctx->libctx, ctx->propq); + if (out_trusted == NULL) { + ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert"); + chain = X509_build_chain(cert, ctx->untrusted, out_trusted, + 0, ctx->libctx, ctx->propq); + } else { + X509_STORE_CTX *csc = X509_STORE_CTX_new_ex(ctx->libctx, ctx->propq); + + ossl_cmp_debug(ctx, "validating newly enrolled cert"); + if (csc == NULL) + goto err; + if (!X509_STORE_CTX_init(csc, out_trusted, cert, ctx->untrusted)) + goto err; + /* disable any cert status/revocation checking etc. */ + X509_VERIFY_PARAM_clear_flags(X509_STORE_CTX_get0_param(csc), + ~(X509_V_FLAG_USE_CHECK_TIME + | X509_V_FLAG_NO_CHECK_TIME + | X509_V_FLAG_PARTIAL_CHAIN + | X509_V_FLAG_POLICY_CHECK)); + if (X509_verify_cert(csc) <= 0) + goto err; + + if (!ossl_x509_add_certs_new(&chain, X509_STORE_CTX_get0_chain(csc), + X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP + | X509_ADD_FLAG_NO_SS)) { + sk_X509_free(chain); + chain = NULL; + } + err: + X509_STORE_CTX_free(csc); + } + if (sk_X509_num(chain) > 0) X509_free(sk_X509_shift(chain)); /* remove leaf (EE) cert */ if (out_trusted != NULL) { if (chain == NULL) { - ossl_cmp_err(ctx, "failed building chain for newly enrolled cert"); + ossl_cmp_err(ctx, "failed to validate newly enrolled cert"); fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData; } else { ossl_cmp_debug(ctx, - "succeeded building proper chain for newly enrolled cert"); + "success validating newly enrolled cert"); } } else if (chain == NULL) { ossl_cmp_warn(ctx, "could not build approximate chain for newly enrolled cert, resorting to received extraCerts"); @@ -521,6 +548,7 @@ int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info, /*- * Perform the generic handling of certificate responses for IR/CR/KUR/P10CR. + * |rid| must be OSSL_CMP_CERTREQID_NONE if not available, namely for p10cr * Returns -1 on receiving pollRep if sleep == 0, setting the checkAfter value. * Returns 1 on success and provides the received PKIMESSAGE in *resp. * Returns 0 on error (which includes the case that timeout has been reached). @@ -530,7 +558,7 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid, OSSL_CMP_MSG **resp, int *checkAfter, int req_type, int expected_type) { - EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx /* may be NULL */, 0); + EVP_PKEY *rkey = ossl_cmp_ctx_get0_newPubkey(ctx); int fail_info = 0; /* no failure */ const char *txt = NULL; OSSL_CMP_CERTREPMESSAGE *crepmsg; @@ -554,10 +582,9 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid, return 0; if (!save_statusInfo(ctx, crep->status)) return 0; - if (rid == -1) { - /* for OSSL_CMP_PKIBODY_P10CR learn CertReqId from response */ + if (rid == OSSL_CMP_CERTREQID_NONE) { /* used for OSSL_CMP_PKIBODY_P10CR */ rid = ossl_cmp_asn1_get_int(crep->certReqId); - if (rid == -1) { + if (rid != OSSL_CMP_CERTREQID_NONE) { ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); return 0; } @@ -621,7 +648,7 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid, "rejecting newly enrolled cert with subject: %s", subj); if (!ctx->disableConfirm && !ossl_cmp_hdr_has_implicitConfirm((*resp)->header)) { - if (!ossl_cmp_exchange_certConf(ctx, fail_info, txt)) + if (!ossl_cmp_exchange_certConf(ctx, rid, fail_info, txt)) ret = 0; } @@ -630,6 +657,7 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid, ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_ACCEPTED, "rejecting newly enrolled cert with subject: %s; %s", subj, txt); + ctx->status = OSSL_CMP_PKISTATUS_rejection; ret = 0; } OPENSSL_free(subj); @@ -662,7 +690,7 @@ int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, { OSSL_CMP_MSG *rep = NULL; int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR; - int rid = is_p10 ? -1 : OSSL_CMP_CERTREQID; + int rid = is_p10 ? OSSL_CMP_CERTREQID_NONE : OSSL_CMP_CERTREQID; int rep_type = is_p10 ? OSSL_CMP_PKIBODY_CP : req_type + 1; int res = 0; @@ -704,7 +732,7 @@ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type, OSSL_CMP_MSG *rep = NULL; int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR; - int rid = is_p10 ? -1 : OSSL_CMP_CERTREQID; + int rid = is_p10 ? OSSL_CMP_CERTREQID_NONE : OSSL_CMP_CERTREQID; int rep_type = is_p10 ? OSSL_CMP_PKIBODY_CP : req_type + 1; X509 *result = NULL; diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c index 4b610b746e45..9d9bd357daf7 100644 --- a/crypto/cmp/cmp_ctx.c +++ b/crypto/cmp/cmp_ctx.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -457,8 +457,8 @@ int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx, } /* Set or clear the password to be used for protecting messages with PBMAC */ -int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec, - const int len) +int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, + const unsigned char *sec, int len) { ASN1_OCTET_STRING *secretValue = NULL; if (ctx == NULL) { @@ -669,13 +669,13 @@ int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, TYPE *val) \ */ DEFINE_OSSL_CMP_CTX_set1_up_ref(srvCert, X509) -/* Set the X509 name of the recipient. Set in the PKIHeader */ +/* Set the X509 name of the recipient to be placed in the PKIHeader */ DEFINE_OSSL_CMP_CTX_set1(recipient, X509_NAME) /* Store the X509 name of the expected sender in the PKIHeader of responses */ DEFINE_OSSL_CMP_CTX_set1(expected_sender, X509_NAME) -/* Set the X509 name of the issuer. Set in the PKIHeader */ +/* Set the X509 name of the issuer to be placed in the certTemplate */ DEFINE_OSSL_CMP_CTX_set1(issuer, X509_NAME) /* @@ -834,6 +834,7 @@ int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey) } /* Get the private/public key to use for cert enrollment, or NULL on error */ +/* In case |priv| == 0, better use ossl_cmp_ctx_get0_newPubkey() below */ EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv) { if (ctx == NULL) { @@ -848,6 +849,21 @@ EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv) return ctx->pkey; /* may be NULL */ } +EVP_PKEY *ossl_cmp_ctx_get0_newPubkey(const OSSL_CMP_CTX *ctx) +{ + if (!ossl_assert(ctx != NULL)) + return NULL; + if (ctx->newPkey != NULL) + return ctx->newPkey; + if (ctx->p10CSR != NULL) + return X509_REQ_get0_pubkey(ctx->p10CSR); + if (ctx->oldCert != NULL) + return X509_get0_pubkey(ctx->oldCert); + if (ctx->cert != NULL) + return X509_get0_pubkey(ctx->cert); + return ctx->pkey; +} + /* Set the given transactionID to the context */ int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx, const ASN1_OCTET_STRING *id) diff --git a/crypto/cmp/cmp_err.c b/crypto/cmp/cmp_err.c index fe7b96348bae..dfc6dfbedee9 100644 --- a/crypto/cmp/cmp_err.c +++ b/crypto/cmp/cmp_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -95,7 +95,10 @@ static const ERR_STRING_DATA CMP_str_reasons[] = { {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PBM_SECRET), "missing pbm secret"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PRIVATE_KEY), "missing private key"}, + {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PRIVATE_KEY_FOR_POPO), + "missing private key for popo"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PROTECTION), "missing protection"}, + {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PUBLIC_KEY), "missing public key"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_REFERENCE_CERT), "missing reference cert"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_SECRET), "missing secret"}, diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h index 3da021043b81..8eeb56d4e0f0 100644 --- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -789,6 +789,7 @@ int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx, STACK_OF(X509) *extraCertsIn); int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx, const ASN1_OCTET_STRING *nonce); +EVP_PKEY *ossl_cmp_ctx_get0_newPubkey(const OSSL_CMP_CTX *ctx); /* from cmp_status.c */ int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si); @@ -852,7 +853,9 @@ int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr); # define OSSL_CMP_PKIBODY_POLLREP 26 # define OSSL_CMP_PKIBODY_TYPE_MAX OSSL_CMP_PKIBODY_POLLREP /* certReqId for the first - and so far only - certificate request */ -# define OSSL_CMP_CERTREQID 0 +# define OSSL_CMP_CERTREQID 0 +# define OSSL_CMP_CERTREQID_NONE -1 +# define OSSL_CMP_CERTREQID_INVALID -2 /* sequence id for the first - and so far only - revocation request */ # define OSSL_CMP_REVREQSID 0 int ossl_cmp_msg_set0_libctx(OSSL_CMP_MSG *msg, OSSL_LIB_CTX *libctx, @@ -885,8 +888,8 @@ OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si, int unprotected); int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus, ASN1_OCTET_STRING *hash); -OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info, - const char *text); +OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int certReqId, + int fail_info, const char *text); OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid); OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid, int64_t poll_after); @@ -900,8 +903,8 @@ ossl_cmp_pollrepcontent_get0_pollrep(const OSSL_CMP_POLLREPCONTENT *prc, OSSL_CMP_CERTRESPONSE * ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm, int rid); -X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep, - const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey); +X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx, + const OSSL_CMP_CERTRESPONSE *crep); OSSL_CMP_MSG *ossl_cmp_msg_load(const char *file); /* from cmp_protect.c */ @@ -922,8 +925,8 @@ int ossl_cmp_verify_popo(const OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg, int accept_RAVerified); /* from cmp_client.c */ -int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int fail_info, - const char *txt); +int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId, + int fail_info, const char *txt); int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info, const char *txt, int errorCode, const char *detail); diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c index b244f1e17f0d..c8e467f3c21f 100644 --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -274,7 +274,7 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid) OSSL_CRMF_MSG *crm = NULL; X509 *refcert = ctx->oldCert != NULL ? ctx->oldCert : ctx->cert; /* refcert defaults to current client cert */ - EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0); + EVP_PKEY *rkey = ossl_cmp_ctx_get0_newPubkey(ctx); STACK_OF(GENERAL_NAME) *default_sans = NULL; const X509_NAME *ref_subj = refcert != NULL ? X509_get_subject_name(refcert) : NULL; @@ -286,15 +286,9 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid) /* RFC5280: subjectAltName MUST be critical if subject is null */ X509_EXTENSIONS *exts = NULL; - if (rkey == NULL && ctx->p10CSR != NULL) - rkey = X509_REQ_get0_pubkey(ctx->p10CSR); - if (rkey == NULL && refcert != NULL) - rkey = X509_get0_pubkey(refcert); - if (rkey == NULL) - rkey = ctx->pkey; /* default is independent of ctx->oldCert */ if (rkey == NULL) { #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION - ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); + ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PUBLIC_KEY); return NULL; #endif } @@ -411,15 +405,9 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type, if (type != OSSL_CMP_PKIBODY_P10CR) { EVP_PKEY *privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1); - /* - * privkey is NULL in case ctx->newPkey does not include a private key. - * We then may try to use ctx->pkey as fallback/default, but only - * if ctx-> newPkey does not include a (non-matching) public key: - */ - if (privkey == NULL && OSSL_CMP_CTX_get0_newPkey(ctx, 0) == NULL) - privkey = ctx->pkey; /* default is independent of ctx->oldCert */ - if (ctx->popoMethod == OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) { - ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY); + /* privkey is ctx->newPkey (if private, else NULL) or ctx->pkey */ + if (ctx->popoMethod >= OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) { + ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY_FOR_POPO); goto err; } if (crm == NULL) { @@ -794,15 +782,17 @@ int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus, return 1; } -OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info, - const char *text) +OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int certReqId, + int fail_info, const char *text) { OSSL_CMP_MSG *msg = NULL; OSSL_CMP_CERTSTATUS *certStatus = NULL; ASN1_OCTET_STRING *certHash = NULL; OSSL_CMP_PKISI *sinfo; - if (!ossl_assert(ctx != NULL && ctx->newCert != NULL)) + if (!ossl_assert(ctx != NULL && ctx->newCert != NULL + && (certReqId == OSSL_CMP_CERTREQID + || certReqId == OSSL_CMP_CERTREQID_NONE))) return NULL; if ((unsigned)fail_info > OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN) { @@ -816,10 +806,13 @@ OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info, if ((certStatus = OSSL_CMP_CERTSTATUS_new()) == NULL) goto err; /* consume certStatus into msg right away so it gets deallocated with msg */ - if (!sk_OSSL_CMP_CERTSTATUS_push(msg->body->value.certConf, certStatus)) + if (sk_OSSL_CMP_CERTSTATUS_push(msg->body->value.certConf, certStatus) < 1) { + OSSL_CMP_CERTSTATUS_free(certStatus); goto err; + } + /* set the ID of the certReq */ - if (!ASN1_INTEGER_set(certStatus->certReqId, OSSL_CMP_CERTREQID)) + if (!ASN1_INTEGER_set(certStatus->certReqId, certReqId)) goto err; /* * The hash of the certificate, using the same hash algorithm @@ -965,12 +958,12 @@ static int suitable_rid(const ASN1_INTEGER *certReqId, int rid) { int trid; - if (rid == -1) + if (rid == OSSL_CMP_CERTREQID_NONE) return 1; trid = ossl_cmp_asn1_get_int(certReqId); - if (trid == -1) { + if (trid == OSSL_CMP_CERTREQID_NONE) { ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); return 0; } @@ -1031,14 +1024,15 @@ ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm, /*- * Retrieve the newly enrolled certificate from the given certResponse crep. - * In case of indirect POPO uses the libctx and propq from ctx and private key. + * Uses libctx and propq from ctx, in case of indirect POPO also private key. * Returns a pointer to a copy of the found certificate, or NULL if not found. */ -X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep, - const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey) +X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx, + const OSSL_CMP_CERTRESPONSE *crep) { OSSL_CMP_CERTORENCCERT *coec; X509 *crt = NULL; + EVP_PKEY *pkey; if (!ossl_assert(crep != NULL && ctx != NULL)) return NULL; @@ -1051,6 +1045,8 @@ X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep, break; case OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT: /* cert encrypted for indirect PoP; RFC 4210, 5.2.8.2 */ + pkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1); + /* pkey is ctx->newPkey (if private, else NULL) or ctx->pkey */ if (pkey == NULL) { ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY); return NULL; @@ -1084,6 +1080,20 @@ int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) || ossl_cmp_msg_protect(ctx, msg); } +int OSSL_CMP_MSG_update_recipNonce(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) +{ + if (ctx == NULL || msg == NULL || msg->header == NULL) { + ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); + return 0; + } + if (ctx->recipNonce == NULL) /* nothing to do for 1st msg in transaction */ + return 1; + if (!ossl_cmp_asn1_octet_string_set1(&msg->header->recipNonce, + ctx->recipNonce)) + return 0; + return msg->header->protectionAlg == NULL || ossl_cmp_msg_protect(ctx, msg); +} + OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx, const char *propq) { diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c index 02526196ad2a..539f6534cd01 100644 --- a/crypto/cmp/cmp_protect.c +++ b/crypto/cmp/cmp_protect.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -129,6 +129,7 @@ ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx, } } +/* ctx is not const just because ctx->chain may get adapted */ int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) { if (!ossl_assert(ctx != NULL && msg != NULL)) @@ -251,6 +252,7 @@ static int set_senderKID(const OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg, return id == NULL || ossl_cmp_hdr_set1_senderKID(msg->header, id); } +/* ctx is not const just because ctx->chain may get adapted */ int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) { if (!ossl_assert(ctx != NULL && msg != NULL)) diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c index 946c32c45ebf..96f977636ca2 100644 --- a/crypto/cmp/cmp_server.c +++ b/crypto/cmp/cmp_server.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -22,8 +22,9 @@ /* the context for the generic CMP server */ struct ossl_cmp_srv_ctx_st { - OSSL_CMP_CTX *ctx; /* Client CMP context, partly reused for srv */ - void *custom_ctx; /* pointer to specific server context */ + void *custom_ctx; /* pointer to application-specific server context */ + OSSL_CMP_CTX *ctx; /* Client CMP context, reusing transactionID etc. */ + int certReqId; /* id of last ir/cr/kur, OSSL_CMP_CERTREQID_NONE for p10cr */ OSSL_CMP_SRV_cert_request_cb_t process_cert_request; OSSL_CMP_SRV_rr_cb_t process_rr; @@ -57,6 +58,7 @@ OSSL_CMP_SRV_CTX *OSSL_CMP_SRV_CTX_new(OSSL_LIB_CTX *libctx, const char *propq) if ((ctx->ctx = OSSL_CMP_CTX_new(libctx, propq)) == NULL) goto err; + ctx->certReqId = OSSL_CMP_CERTREQID_INVALID; /* all other elements are initialized to 0 or NULL, respectively */ return ctx; @@ -184,7 +186,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, } if (OSSL_CMP_MSG_get_bodytype(req) == OSSL_CMP_PKIBODY_P10CR) { - certReqId = OSSL_CMP_CERTREQID; + certReqId = OSSL_CMP_CERTREQID_NONE; /* p10cr does not include an Id */ p10cr = req->body->value.p10cr; } else { OSSL_CRMF_MSGS *reqs = req->body->value.ir; /* same for cr and kur */ @@ -199,7 +201,12 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, return NULL; } certReqId = OSSL_CRMF_MSG_get_certReqId(crm); + if (certReqId != OSSL_CMP_CERTREQID) { + ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); + return 0; + } } + srv_ctx->certReqId = certReqId; if (!ossl_cmp_verify_popo(srv_ctx->ctx, req, srv_ctx->acceptRAVerified)) { /* Proof of possession could not be verified */ @@ -356,6 +363,10 @@ static OSSL_CMP_MSG *process_certConf(OSSL_CMP_SRV_CTX *srv_ctx, ASN1_OCTET_STRING *certHash = status->certHash; OSSL_CMP_PKISI *si = status->statusInfo; + if (certReqId != srv_ctx->certReqId) { + ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); + return NULL; + } if (!srv_ctx->process_certConf(srv_ctx, req, certReqId, certHash, si)) return NULL; /* reason code may be: CMP_R_CERTHASH_UNMATCHED */ @@ -394,8 +405,12 @@ static OSSL_CMP_MSG *process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx, return NULL; } - pr = sk_OSSL_CMP_POLLREQ_value(prc, 0); + pr = sk_OSSL_CMP_POLLREQ_value(prc, OSSL_CMP_CERTREQID); certReqId = ossl_cmp_asn1_get_int(pr->certReqId); + if (certReqId != srv_ctx->certReqId) { + ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); + return NULL; + } if (!srv_ctx->process_pollReq(srv_ctx, req, certReqId, &certReq, &check_after)) return NULL; @@ -446,7 +461,7 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx, ASN1_OCTET_STRING *backup_secret; OSSL_CMP_PKIHEADER *hdr; int req_type, rsp_type; - int res; + int req_verified = 0; OSSL_CMP_MSG *rsp = NULL; if (srv_ctx == NULL || srv_ctx->ctx == NULL @@ -506,12 +521,12 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx, } } - res = ossl_cmp_msg_check_update(ctx, req, unprotected_exception, - srv_ctx->acceptUnprotected); + req_verified = ossl_cmp_msg_check_update(ctx, req, unprotected_exception, + srv_ctx->acceptUnprotected); if (ctx->secretValue != NULL && ctx->pkey != NULL && ossl_cmp_hdr_get_protection_nid(hdr) != NID_id_PasswordBasedMAC) ctx->secretValue = NULL; /* use MSG_SIG_ALG when protecting rsp */ - if (!res) + if (!req_verified) goto err; switch (req_type) { @@ -568,9 +583,15 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx, int fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_badRequest; OSSL_CMP_PKISI *si = NULL; - if (ctx->transactionID == NULL) { - /* ignore any (extra) error in next two function calls: */ - (void)OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID); + if (!req_verified) { + /* + * Above ossl_cmp_msg_check_update() was not successfully executed, + * which normally would set ctx->transactionID and ctx->recipNonce. + * So anyway try to provide the right transactionID and recipNonce, + * while ignoring any (extra) error in next two function calls. + */ + if (ctx->transactionID == NULL) + (void)OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID); (void)ossl_cmp_ctx_set1_recipNonce(ctx, hdr->senderNonce); } diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c index 99cd56cb091f..7ce91ec5d167 100644 --- a/crypto/cmp/cmp_vfy.c +++ b/crypto/cmp/cmp_vfy.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2020 * Copyright Siemens AG 2015-2020 * @@ -323,11 +323,11 @@ static int check_cert_path_3gpp(const OSSL_CMP_CTX *ctx, * verify that the newly enrolled certificate (which assumed rid == * OSSL_CMP_CERTREQID) can also be validated with the same trusted store */ - EVP_PKEY *pkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1); OSSL_CMP_CERTRESPONSE *crep = ossl_cmp_certrepmessage_get0_certresponse(msg->body->value.ip, OSSL_CMP_CERTREQID); - X509 *newcrt = ossl_cmp_certresponse_get1_cert(crep, ctx, pkey); + X509 *newcrt = ossl_cmp_certresponse_get1_cert(ctx, crep); + /* * maybe better use get_cert_status() from cmp_client.c, which catches * errors @@ -642,7 +642,6 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg) return 0; } - /*- * Check received message (i.e., response by server or request from client) * Any msg->extraCerts are prepended to ctx->untrusted. @@ -765,6 +764,11 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg, #endif } + /* if not yet present, learn transactionID */ + if (ctx->transactionID == NULL + && !OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID)) + return 0; + /* * RFC 4210 section 5.1.1 states: the recipNonce is copied from * the senderNonce of the previous message in the transaction. @@ -773,11 +777,6 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg, if (!ossl_cmp_ctx_set1_recipNonce(ctx, hdr->senderNonce)) return 0; - /* if not yet present, learn transactionID */ - if (ctx->transactionID == NULL - && !OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID)) - return -1; - /* * Store any provided extraCerts in ctx for future use, * such that they are available to ctx->certConf_cb and @@ -788,7 +787,7 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg, /* this allows self-signed certs */ X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP | X509_ADD_FLAG_PREPEND)) - return -1; + return 0; if (ossl_cmp_hdr_get_protection_nid(hdr) == NID_id_PasswordBasedMAC) { /* diff --git a/crypto/cms/cms_dh.c b/crypto/cms/cms_dh.c index 7cc36f835f21..9509796317b3 100644 --- a/crypto/cms/cms_dh.c +++ b/crypto/cms/cms_dh.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -309,7 +309,7 @@ static int dh_cms_encrypt(CMS_RecipientInfo *ri) */ penc = NULL; penclen = i2d_X509_ALGOR(wrap_alg, &penc); - if (penc == NULL || penclen == 0) + if (penclen <= 0) goto err; wrap_str = ASN1_STRING_new(); if (wrap_str == NULL) diff --git a/crypto/cms/cms_ec.c b/crypto/cms/cms_ec.c index 8ecf730aa7b0..d5ebe1ced0a6 100644 --- a/crypto/cms/cms_ec.c +++ b/crypto/cms/cms_ec.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,6 +8,7 @@ */ #include <assert.h> +#include <limits.h> #include <openssl/cms.h> #include <openssl/err.h> #include <openssl/decoder.h> @@ -257,7 +258,7 @@ static int ecdh_cms_encrypt(CMS_RecipientInfo *ri) ASN1_STRING *wrap_str; ASN1_OCTET_STRING *ukm; unsigned char *penc = NULL; - size_t penclen; + int penclen; int rv = 0; int ecdh_nid, kdf_type, kdf_nid, wrap_nid; const EVP_MD *kdf_md; @@ -274,15 +275,18 @@ static int ecdh_cms_encrypt(CMS_RecipientInfo *ri) /* Is everything uninitialised? */ if (aoid == OBJ_nid2obj(NID_undef)) { /* Set the key */ + size_t enckeylen; - penclen = EVP_PKEY_get1_encoded_public_key(pkey, &penc); - ASN1_STRING_set0(pubkey, penc, penclen); + enckeylen = EVP_PKEY_get1_encoded_public_key(pkey, &penc); + if (enckeylen > INT_MAX || enckeylen == 0) + goto err; + ASN1_STRING_set0(pubkey, penc, (int)enckeylen); pubkey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); pubkey->flags |= ASN1_STRING_FLAG_BITS_LEFT; penc = NULL; - X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), - V_ASN1_UNDEF, NULL); + (void)X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), + V_ASN1_UNDEF, NULL); /* cannot fail */ } /* See if custom parameters set */ @@ -346,7 +350,7 @@ static int ecdh_cms_encrypt(CMS_RecipientInfo *ri) penclen = CMS_SharedInfo_encode(&penc, wrap_alg, ukm, keylen); - if (penclen == 0) + if (penclen <= 0) goto err; if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, penc, penclen) <= 0) @@ -358,7 +362,7 @@ static int ecdh_cms_encrypt(CMS_RecipientInfo *ri) * of another AlgorithmIdentifier. */ penclen = i2d_X509_ALGOR(wrap_alg, &penc); - if (penc == NULL || penclen == 0) + if (penclen <= 0) goto err; wrap_str = ASN1_STRING_new(); if (wrap_str == NULL) diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index 51a1d7df848c..3105d37726a5 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -138,7 +138,7 @@ int ossl_cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd) return 1; } -CMS_EncryptedContentInfo* ossl_cms_get0_env_enc_content(const CMS_ContentInfo *cms) +CMS_EncryptedContentInfo *ossl_cms_get0_env_enc_content(const CMS_ContentInfo *cms) { switch (cms_get_enveloped_type(cms)) { case CMS_ENVELOPED_STANDARD: diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c index 1fd542d2375c..0738da3da280 100644 --- a/crypto/cms/cms_lib.c +++ b/crypto/cms/cms_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -432,7 +432,7 @@ BIO *ossl_cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm, (void)ERR_pop_to_mark(); mdbio = BIO_new(BIO_f_md()); - if (mdbio == NULL || !BIO_set_md(mdbio, digest)) { + if (mdbio == NULL || BIO_set_md(mdbio, digest) <= 0) { ERR_raise(ERR_LIB_CMS, CMS_R_MD_BIO_INIT_ERROR); goto err; } @@ -615,11 +615,12 @@ int CMS_add0_crl(CMS_ContentInfo *cms, X509_CRL *crl) int CMS_add1_crl(CMS_ContentInfo *cms, X509_CRL *crl) { - int r; - r = CMS_add0_crl(cms, crl); - if (r > 0) - X509_CRL_up_ref(crl); - return r; + if (!X509_CRL_up_ref(crl)) + return 0; + if (CMS_add0_crl(cms, crl)) + return 1; + X509_CRL_free(crl); + return 0; } STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms) diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c index d17df31dd412..479038d5732f 100644 --- a/crypto/cms/cms_smime.c +++ b/crypto/cms/cms_smime.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -701,14 +701,21 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert) int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, X509 *peer) { - STACK_OF(CMS_RecipientInfo) *ris; + STACK_OF(CMS_RecipientInfo) *ris = CMS_get0_RecipientInfos(cms); CMS_RecipientInfo *ri; int i, r, cms_pkey_ri_type; int debug = 0, match_ri = 0; + CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cms); - ris = CMS_get0_RecipientInfos(cms); - if (ris != NULL) - debug = ossl_cms_get0_env_enc_content(cms)->debug; + /* Prevent mem leak on earlier CMS_decrypt_set1_{pkey_and_peer,password} */ + if (ec != NULL) { + OPENSSL_clear_free(ec->key, ec->keylen); + ec->key = NULL; + ec->keylen = 0; + } + + if (ris != NULL && ec != NULL) + debug = ec->debug; cms_pkey_ri_type = ossl_cms_pkey_get_ri_type(pk); if (cms_pkey_ri_type == CMS_RECIPINFO_NONE) { @@ -731,11 +738,8 @@ int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, if (r < 0) return 0; } - /* - * If we have a cert try matching RecipientInfo otherwise try them - * all. - */ - else if (cert == NULL|| !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) { + /* If we have a cert, try matching RecipientInfo, else try them all */ + else if (cert == NULL || !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) { EVP_PKEY_up_ref(pk); CMS_RecipientInfo_set0_pkey(ri, pk); r = CMS_RecipientInfo_decrypt(cms, ri); @@ -772,7 +776,8 @@ int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, return 1; } - ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT); + if (!match_ri) + ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT); return 0; } @@ -783,7 +788,7 @@ int CMS_decrypt_set1_key(CMS_ContentInfo *cms, { STACK_OF(CMS_RecipientInfo) *ris; CMS_RecipientInfo *ri; - int i, r; + int i, r, match_ri = 0; ris = CMS_get0_RecipientInfos(cms); for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) { @@ -791,11 +796,10 @@ int CMS_decrypt_set1_key(CMS_ContentInfo *cms, if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_KEK) continue; - /* - * If we have an id try matching RecipientInfo otherwise try them - * all. - */ - if (id == NULL || (CMS_RecipientInfo_kekri_id_cmp(ri, id, idlen) == 0)) { + /* If we have an id, try matching RecipientInfo, else try them all */ + if (id == NULL + || (CMS_RecipientInfo_kekri_id_cmp(ri, id, idlen) == 0)) { + match_ri = 1; CMS_RecipientInfo_set0_key(ri, key, keylen); r = CMS_RecipientInfo_decrypt(cms, ri); CMS_RecipientInfo_set0_key(ri, NULL, 0); @@ -809,7 +813,8 @@ int CMS_decrypt_set1_key(CMS_ContentInfo *cms, } } - ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT); + if (!match_ri) + ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT); return 0; } @@ -817,15 +822,25 @@ int CMS_decrypt_set1_key(CMS_ContentInfo *cms, int CMS_decrypt_set1_password(CMS_ContentInfo *cms, unsigned char *pass, ossl_ssize_t passlen) { - STACK_OF(CMS_RecipientInfo) *ris; + STACK_OF(CMS_RecipientInfo) *ris = CMS_get0_RecipientInfos(cms); CMS_RecipientInfo *ri; - int i, r; + int i, r, match_ri = 0; + CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cms); + + /* Prevent mem leak on earlier CMS_decrypt_set1_{pkey_and_peer,password} */ + if (ec != NULL) { + OPENSSL_clear_free(ec->key, ec->keylen); + ec->key = NULL; + ec->keylen = 0; + } - ris = CMS_get0_RecipientInfos(cms); for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) { ri = sk_CMS_RecipientInfo_value(ris, i); if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_PASS) continue; + + /* Must try each PasswordRecipientInfo */ + match_ri = 1; CMS_RecipientInfo_set0_password(ri, pass, passlen); r = CMS_RecipientInfo_decrypt(cms, ri); CMS_RecipientInfo_set0_password(ri, NULL, 0); @@ -833,7 +848,8 @@ int CMS_decrypt_set1_password(CMS_ContentInfo *cms, return 1; } - ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT); + if (!match_ri) + ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT); return 0; } @@ -843,7 +859,7 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, { int r; BIO *cont; - + CMS_EncryptedContentInfo *ec; int nid = OBJ_obj2nid(CMS_get0_type(cms)); if (nid != NID_pkcs7_enveloped @@ -853,14 +869,9 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, } if (dcont == NULL && !check_content(cms)) return 0; - if (flags & CMS_DEBUG_DECRYPT) - ossl_cms_get0_env_enc_content(cms)->debug = 1; - else - ossl_cms_get0_env_enc_content(cms)->debug = 0; - if (cert == NULL) - ossl_cms_get0_env_enc_content(cms)->havenocert = 1; - else - ossl_cms_get0_env_enc_content(cms)->havenocert = 0; + ec = ossl_cms_get0_env_enc_content(cms); + ec->debug = (flags & CMS_DEBUG_DECRYPT) != 0; + ec->havenocert = cert == NULL; if (pk == NULL && cert == NULL && dcont == NULL && out == NULL) return 1; if (pk != NULL && !CMS_decrypt_set1_pkey(cms, pk, cert)) diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c index b5d6668f4276..5acc90b69e1c 100644 --- a/crypto/conf/conf_def.c +++ b/crypto/conf/conf_def.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -226,6 +226,9 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) char *dirpath = NULL; OPENSSL_DIR_CTX *dirctx = NULL; #endif +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + int numincludes = 0; +#endif if ((buff = BUF_MEM_new()) == NULL) { ERR_raise(ERR_LIB_CONF, ERR_R_BUF_LIB); @@ -442,6 +445,20 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) const char *include_dir = ossl_safe_getenv("OPENSSL_CONF_INCLUDE"); char *include_path = NULL; +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + /* + * The include processing below can cause the "conf" fuzzer to + * timeout due to the fuzzer inserting large and complicated + * includes - with a large amount of time spent in + * OPENSSL_strlcat/OPENSSL_strcpy. This is not a security + * concern because config files should never come from untrusted + * sources. We just set an arbitrary limit on the allowed + * number of includes when fuzzing to prevent this timeout. + */ + if (numincludes++ > 10) + goto err; +#endif + if (include_dir == NULL) include_dir = conf->includedir; diff --git a/crypto/dsa/dsa_backend.c b/crypto/dsa/dsa_backend.c index f9a71bdc9e0b..389df304bdce 100644 --- a/crypto/dsa/dsa_backend.c +++ b/crypto/dsa/dsa_backend.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -173,7 +173,10 @@ DSA *ossl_dsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf, ERR_raise(ERR_LIB_DSA, DSA_R_BN_ERROR); goto dsaerr; } - DSA_set0_key(dsa, dsa_pubkey, dsa_privkey); + if (!DSA_set0_key(dsa, dsa_pubkey, dsa_privkey)) { + ERR_raise(ERR_LIB_DSA, ERR_R_INTERNAL_ERROR); + goto dsaerr; + } goto done; diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c index 5685d5e83eb3..a92ca6166477 100644 --- a/crypto/dsa/dsa_err.c +++ b/crypto/dsa/dsa_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -36,6 +36,7 @@ static const ERR_STRING_DATA DSA_str_reasons[] = { {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_SEED_LEN_SMALL), "seed_len is less than the length of q"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_TOO_MANY_RETRIES), "too many retries"}, {0, NULL} }; diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 86d89f4c724f..62f7c70149f4 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -21,6 +21,9 @@ #include "dsa_local.h" #include <openssl/asn1.h> +#define MIN_DSA_SIGN_QBITS 128 +#define MAX_DSA_SIGN_RETRIES 8 + static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); @@ -75,6 +78,7 @@ DSA_SIG *ossl_dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa) int reason = ERR_R_BN_LIB; DSA_SIG *ret = NULL; int rv = 0; + int retries = 0; if (dsa->params.p == NULL || dsa->params.q == NULL @@ -129,7 +133,10 @@ DSA_SIG *ossl_dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa) * s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod q */ - /* Generate a blinding value */ + /* + * Generate a blinding value + * The size of q is tested in dsa_sign_setup() so there should not be an infinite loop here. + */ do { if (!BN_priv_rand_ex(blind, BN_num_bits(dsa->params.q) - 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, 0, ctx)) @@ -164,14 +171,19 @@ DSA_SIG *ossl_dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa) goto err; /* - * Redo if r or s is zero as required by FIPS 186-3: this is very - * unlikely. + * Redo if r or s is zero as required by FIPS 186-4: Section 4.6 + * This is very unlikely. + * Limit the retries so there is no possibility of an infinite + * loop for bad domain parameter values. */ - if (BN_is_zero(ret->r) || BN_is_zero(ret->s)) + if (BN_is_zero(ret->r) || BN_is_zero(ret->s)) { + if (retries++ > MAX_DSA_SIGN_RETRIES) { + reason = DSA_R_TOO_MANY_RETRIES; + goto err; + } goto redo; - + } rv = 1; - err: if (rv == 0) { ERR_raise(ERR_LIB_DSA, reason); @@ -212,7 +224,10 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, /* Reject obviously invalid parameters */ if (BN_is_zero(dsa->params.p) || BN_is_zero(dsa->params.q) - || BN_is_zero(dsa->params.g)) { + || BN_is_zero(dsa->params.g) + || BN_is_negative(dsa->params.p) + || BN_is_negative(dsa->params.q) + || BN_is_negative(dsa->params.g)) { ERR_raise(ERR_LIB_DSA, DSA_R_INVALID_PARAMETERS); return 0; } @@ -220,7 +235,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, ERR_raise(ERR_LIB_DSA, DSA_R_MISSING_PRIVATE_KEY); return 0; } - k = BN_new(); l = BN_new(); if (k == NULL || l == NULL) @@ -236,7 +250,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, /* Preallocate space */ q_bits = BN_num_bits(dsa->params.q); q_words = bn_get_top(dsa->params.q); - if (!bn_wexpand(k, q_words + 2) + if (q_bits < MIN_DSA_SIGN_QBITS + || !bn_wexpand(k, q_words + 2) || !bn_wexpand(l, q_words + 2)) goto err; diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c index 21b0cbd5fbef..ddfbfa18af15 100644 --- a/crypto/dsa/dsa_sign.c +++ b/crypto/dsa/dsa_sign.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -165,7 +165,7 @@ int ossl_dsa_sign_int(int type, const unsigned char *dgst, int dlen, *siglen = 0; return 0; } - *siglen = i2d_DSA_SIG(s, &sig); + *siglen = i2d_DSA_SIG(s, sig != NULL ? &sig : NULL); DSA_SIG_free(s); return 1; } diff --git a/crypto/ec/asm/ecp_nistp521-ppc64.pl b/crypto/ec/asm/ecp_nistp521-ppc64.pl index 4260e24a1f57..cf3bc79085f8 100755 --- a/crypto/ec/asm/ecp_nistp521-ppc64.pl +++ b/crypto/ec/asm/ecp_nistp521-ppc64.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -140,6 +140,7 @@ ___ } $code.=<<___; +.machine "any" .text ___ diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c index 4d6f2a76ad20..480376686b9e 100644 --- a/crypto/ec/ec_err.c +++ b/crypto/ec/ec_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -108,6 +108,7 @@ static const ERR_STRING_DATA EC_str_reasons[] = { "random number generation failed"}, {ERR_PACK(ERR_LIB_EC, 0, EC_R_SHARED_INFO_ERROR), "shared info error"}, {ERR_PACK(ERR_LIB_EC, 0, EC_R_SLOT_FULL), "slot full"}, + {ERR_PACK(ERR_LIB_EC, 0, EC_R_TOO_MANY_RETRIES), "too many retries"}, {ERR_PACK(ERR_LIB_EC, 0, EC_R_UNDEFINED_GENERATOR), "undefined generator"}, {ERR_PACK(ERR_LIB_EC, 0, EC_R_UNDEFINED_ORDER), "undefined order"}, {ERR_PACK(ERR_LIB_EC, 0, EC_R_UNKNOWN_COFACTOR), "unknown cofactor"}, diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c index fe9b3cf59363..0bf4635e2f97 100644 --- a/crypto/ec/ecdsa_ossl.c +++ b/crypto/ec/ecdsa_ossl.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -20,6 +20,15 @@ #include "crypto/bn.h" #include "ec_local.h" +#define MIN_ECDSA_SIGN_ORDERBITS 64 +/* + * It is highly unlikely that a retry will happen, + * Multiple retries would indicate that something is wrong + * with the group parameters (which would normally only happen + * with a bad custom group). + */ +#define MAX_ECDSA_SIGN_RETRIES 8 + int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { @@ -66,7 +75,7 @@ int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, *siglen = 0; return 0; } - *siglen = i2d_ECDSA_SIG(s, &sig); + *siglen = i2d_ECDSA_SIG(s, sig != NULL ? &sig : NULL); ECDSA_SIG_free(s); return 1; } @@ -120,7 +129,9 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, /* Preallocate space */ order_bits = BN_num_bits(order); - if (!BN_set_bit(k, order_bits) + /* Check the number of bits here so that an infinite loop is not possible */ + if (order_bits < MIN_ECDSA_SIGN_ORDERBITS + || !BN_set_bit(k, order_bits) || !BN_set_bit(r, order_bits) || !BN_set_bit(X, order_bits)) goto err; @@ -195,6 +206,7 @@ ECDSA_SIG *ossl_ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, EC_KEY *eckey) { int ok = 0, i; + int retries = 0; BIGNUM *kinv = NULL, *s, *m = NULL; const BIGNUM *order, *ckinv; BN_CTX *ctx = NULL; @@ -304,6 +316,11 @@ ECDSA_SIG *ossl_ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, ERR_raise(ERR_LIB_EC, EC_R_NEED_NEW_SETUP_VALUES); goto err; } + /* Avoid infinite loops cause by invalid group parameters */ + if (retries++ > MAX_ECDSA_SIGN_RETRIES) { + ERR_raise(ERR_LIB_EC, EC_R_TOO_MANY_RETRIES); + goto err; + } } else { /* s != 0 => we have a valid signature */ break; diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c index 4e32210bf436..c97dc472ac57 100644 --- a/crypto/ec/ecx_meth.c +++ b/crypto/ec/ecx_meth.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -712,7 +712,7 @@ const EVP_PKEY_ASN1_METHOD ossl_ed448_asn1_meth = { static int pkey_ecx_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { ECX_KEY *ecx = ossl_ecx_key_op(NULL, NULL, 0, ctx->pmeth->pkey_id, - KEY_OP_PUBLIC, NULL, NULL); + KEY_OP_KEYGEN, NULL, NULL); if (ecx != NULL) { EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, ecx); diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c index 05c6a67c1e1b..dfd53a433195 100644 --- a/crypto/engine/eng_lib.c +++ b/crypto/engine/eng_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -140,8 +140,9 @@ void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb) if (!int_cleanup_check(1)) return; item = int_cleanup_item(cb); - if (item) - sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0); + if (item != NULL) + if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0) <= 0) + OPENSSL_free(item); } void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 49e42550db1a..0cd8c4633aae 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1,4 +1,4 @@ -# Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -233,7 +233,9 @@ CMP_R_MISSING_KEY_USAGE_DIGITALSIGNATURE:142:missing key usage digitalsignature CMP_R_MISSING_P10CSR:121:missing p10csr CMP_R_MISSING_PBM_SECRET:166:missing pbm secret CMP_R_MISSING_PRIVATE_KEY:131:missing private key +CMP_R_MISSING_PRIVATE_KEY_FOR_POPO:190:missing private key for popo CMP_R_MISSING_PROTECTION:143:missing protection +CMP_R_MISSING_PUBLIC_KEY:183:missing public key CMP_R_MISSING_REFERENCE_CERT:168:missing reference cert CMP_R_MISSING_SECRET:178:missing secret CMP_R_MISSING_SENDER_IDENTIFICATION:111:missing sender identification @@ -514,6 +516,7 @@ DSA_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error DSA_R_P_NOT_PRIME:115:p not prime DSA_R_Q_NOT_PRIME:113:q not prime DSA_R_SEED_LEN_SMALL:110:seed_len is less than the length of q +DSA_R_TOO_MANY_RETRIES:116:too many retries DSO_R_CTRL_FAILED:100:control command failed DSO_R_DSO_ALREADY_LOADED:110:dso already loaded DSO_R_EMPTY_FILE_STRUCTURE:113:empty file structure @@ -597,6 +600,7 @@ EC_R_POINT_IS_NOT_ON_CURVE:107:point is not on curve EC_R_RANDOM_NUMBER_GENERATION_FAILED:158:random number generation failed EC_R_SHARED_INFO_ERROR:150:shared info error EC_R_SLOT_FULL:108:slot full +EC_R_TOO_MANY_RETRIES:176:too many retries EC_R_UNDEFINED_GENERATOR:113:undefined generator EC_R_UNDEFINED_ORDER:128:undefined order EC_R_UNKNOWN_COFACTOR:164:unknown cofactor diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c index c767c316439d..ccafdfddd58f 100644 --- a/crypto/evp/ctrl_params_translate.c +++ b/crypto/evp/ctrl_params_translate.c @@ -1,5 +1,5 @@ /* - * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -387,7 +387,7 @@ static int default_fixup_args(enum state state, { int ret; - if ((ret = default_check(state, translation, ctx)) < 0) + if ((ret = default_check(state, translation, ctx)) <= 0) return ret; switch (state) { @@ -1136,6 +1136,7 @@ static int fix_ec_paramgen_curve_nid(enum state state, const struct translation_st *translation, struct translation_ctx_st *ctx) { + char *p2 = NULL; int ret; if ((ret = default_check(state, translation, ctx)) <= 0) @@ -1148,13 +1149,25 @@ static int fix_ec_paramgen_curve_nid(enum state state, if (state == PRE_CTRL_TO_PARAMS) { ctx->p2 = (char *)OBJ_nid2sn(ctx->p1); ctx->p1 = 0; + } else if (state == PRE_PARAMS_TO_CTRL) { + /* + * We're translating from params to ctrl and setting the curve name. + * The ctrl function needs it to be a NID, but meanwhile, we need + * space to get the curve name from the param. |ctx->name_buf| is + * sufficient for that. + * The double indirection is necessary for default_fixup_args()'s + * call of OSSL_PARAM_get_utf8_string() to be done correctly. + */ + p2 = ctx->name_buf; + ctx->p2 = &p2; + ctx->sz = sizeof(ctx->name_buf); } if ((ret = default_fixup_args(state, translation, ctx)) <= 0) return ret; if (state == PRE_PARAMS_TO_CTRL) { - ctx->p1 = OBJ_sn2nid(ctx->p2); + ctx->p1 = OBJ_sn2nid(p2); ctx->p2 = NULL; } @@ -2141,6 +2154,46 @@ static const struct translation_st evp_pkey_ctx_translations[] = { OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_PTR, NULL }, /*- + * SM2 + * == + */ + { SET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_EC_PARAM_ENC, "ec_param_enc", NULL, + OSSL_PKEY_PARAM_EC_ENCODING, OSSL_PARAM_UTF8_STRING, fix_ec_param_enc }, + { SET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, "ec_paramgen_curve", NULL, + OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, + fix_ec_paramgen_curve_nid }, + /* + * EVP_PKEY_CTRL_EC_ECDH_COFACTOR and EVP_PKEY_CTRL_EC_KDF_TYPE are used + * both for setting and getting. The fixup function has to handle this... + */ + { NONE, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_EC_ECDH_COFACTOR, "ecdh_cofactor_mode", NULL, + OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, OSSL_PARAM_INTEGER, + fix_ecdh_cofactor }, + { NONE, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_EC_KDF_TYPE, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_TYPE, OSSL_PARAM_UTF8_STRING, fix_ec_kdf_type }, + { SET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_EC_KDF_MD, "ecdh_kdf_md", NULL, + OSSL_EXCHANGE_PARAM_KDF_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, + { GET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_GET_EC_KDF_MD, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, + { SET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_EC_KDF_OUTLEN, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_OUTLEN, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + { GET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_OUTLEN, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, + { SET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_EC_KDF_UKM, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_STRING, NULL }, + { GET, EVP_PKEY_SM2, 0, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_GET_EC_KDF_UKM, NULL, NULL, + OSSL_EXCHANGE_PARAM_KDF_UKM, OSSL_PARAM_OCTET_PTR, NULL }, + /*- * RSA * === */ @@ -2307,8 +2360,12 @@ static const struct translation_st evp_pkey_ctx_translations[] = { */ { SET, EVP_PKEY_X25519, EVP_PKEY_X25519, EVP_PKEY_OP_KEYGEN, -1, NULL, NULL, OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_group_ecx }, + { SET, EVP_PKEY_X25519, EVP_PKEY_X25519, EVP_PKEY_OP_PARAMGEN, -1, NULL, NULL, + OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_group_ecx }, { SET, EVP_PKEY_X448, EVP_PKEY_X448, EVP_PKEY_OP_KEYGEN, -1, NULL, NULL, OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_group_ecx }, + { SET, EVP_PKEY_X448, EVP_PKEY_X448, EVP_PKEY_OP_PARAMGEN, -1, NULL, NULL, + OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_group_ecx }, }; static const struct translation_st evp_pkey_translations[] = { @@ -2721,6 +2778,7 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx, if (translation->fixup_args != NULL) fixup = translation->fixup_args; ctx.action_type = translation->action_type; + ctx.ctrl_cmd = translation->ctrl_num; } ctx.pctx = pctx; ctx.params = params; diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index e6e03eaf34a5..eefed523ec12 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -447,7 +447,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *isize) if (isize != NULL) { if (size <= UINT_MAX) { - *isize = (int)size; + *isize = (unsigned int)size; } else { ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR); ret = 0; @@ -762,7 +762,7 @@ int EVP_MD_CTX_get_params(EVP_MD_CTX *ctx, OSSL_PARAM params[]) return pctx->op.sig.signature->get_ctx_md_params(pctx->op.sig.algctx, params); - if (ctx->digest != NULL && ctx->digest->get_params != NULL) + if (ctx->digest != NULL && ctx->digest->get_ctx_params != NULL) return ctx->digest->get_ctx_params(ctx->algctx, params); return 0; diff --git a/crypto/evp/ec_ctrl.c b/crypto/evp/ec_ctrl.c index 404358ab97f1..c1cf221a0db5 100644 --- a/crypto/evp/ec_ctrl.c +++ b/crypto/evp/ec_ctrl.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -283,7 +283,9 @@ int EVP_PKEY_CTX_get0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **pukm) */ int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid) { - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, EVP_PKEY_OP_TYPE_GEN, + int keytype = nid == EVP_PKEY_SM2 ? EVP_PKEY_SM2 : EVP_PKEY_EC; + + return EVP_PKEY_CTX_ctrl(ctx, keytype, EVP_PKEY_OP_TYPE_GEN, EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, nid, NULL); } diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c index 5f6720d2c3f3..56ee69865c9e 100644 --- a/crypto/evp/evp_pbe.c +++ b/crypto/evp/evp_pbe.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -136,7 +136,7 @@ int EVP_PBE_CipherInit_ex(ASN1_OBJECT *pbe_obj, const char *pass, int passlen, md = md_fetch = EVP_MD_fetch(libctx, OBJ_nid2sn(md_nid), propq); /* Fallback to legacy method */ if (md == NULL) - EVP_get_digestbynid(md_nid); + md = EVP_get_digestbynid(md_nid); if (md == NULL) { (void)ERR_clear_last_mark(); diff --git a/crypto/evp/keymgmt_meth.c b/crypto/evp/keymgmt_meth.c index 90fd8068dc42..b1e8870e36ac 100644 --- a/crypto/evp/keymgmt_meth.c +++ b/crypto/evp/keymgmt_meth.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -378,7 +378,7 @@ void *evp_keymgmt_gen(const EVP_KEYMGMT *keymgmt, void *genctx, void evp_keymgmt_gen_cleanup(const EVP_KEYMGMT *keymgmt, void *genctx) { - if (keymgmt->gen != NULL) + if (keymgmt->gen_cleanup != NULL) keymgmt->gen_cleanup(genctx); } diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 5803974c3221..f6acb5b47eff 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1324,6 +1324,8 @@ static int evp_pkey_asn1_ctrl(EVP_PKEY *pkey, int op, int arg1, void *arg2) int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid) { + if (pkey == NULL) + return 0; return evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_DEFAULT_MD_NID, 0, pnid); } @@ -1374,7 +1376,9 @@ int EVP_PKEY_digestsign_supports_digest(EVP_PKEY *pkey, OSSL_LIB_CTX *libctx, int EVP_PKEY_set1_encoded_public_key(EVP_PKEY *pkey, const unsigned char *pub, size_t publen) { - if (pkey != NULL && evp_pkey_is_provided(pkey)) + if (pkey == NULL) + return 0; + if (evp_pkey_is_provided(pkey)) return EVP_PKEY_set_octet_string_param(pkey, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, @@ -1393,7 +1397,9 @@ size_t EVP_PKEY_get1_encoded_public_key(EVP_PKEY *pkey, unsigned char **ppub) { int rv; - if (pkey != NULL && evp_pkey_is_provided(pkey)) { + if (pkey == NULL) + return 0; + if (evp_pkey_is_provided(pkey)) { size_t return_size = OSSL_PARAM_UNMODIFIED; unsigned char *buf; @@ -2172,7 +2178,14 @@ int EVP_PKEY_get_bn_param(const EVP_PKEY *pkey, const char *key_name, goto err; ret = OSSL_PARAM_get_BN(params, bn); err: - OPENSSL_free(buf); + if (buf != NULL) { + if (OSSL_PARAM_modified(params)) + OPENSSL_clear_free(buf, buf_sz); + else + OPENSSL_free(buf); + } else if (OSSL_PARAM_modified(params)) { + OPENSSL_cleanse(buffer, params[0].data_size); + } return ret; } diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index da367ed05fbe..ce6e1a1ccbd5 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -509,8 +509,11 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(const EVP_PKEY_CTX *pctx) if (pctx->op.kex.algctx != NULL) { if (!ossl_assert(pctx->op.kex.exchange != NULL)) goto err; - rctx->op.kex.algctx - = pctx->op.kex.exchange->dupctx(pctx->op.kex.algctx); + + if (pctx->op.kex.exchange->dupctx != NULL) + rctx->op.kex.algctx + = pctx->op.kex.exchange->dupctx(pctx->op.kex.algctx); + if (rctx->op.kex.algctx == NULL) { EVP_KEYEXCH_free(rctx->op.kex.exchange); rctx->op.kex.exchange = NULL; @@ -527,8 +530,11 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(const EVP_PKEY_CTX *pctx) if (pctx->op.sig.algctx != NULL) { if (!ossl_assert(pctx->op.sig.signature != NULL)) goto err; - rctx->op.sig.algctx - = pctx->op.sig.signature->dupctx(pctx->op.sig.algctx); + + if (pctx->op.sig.signature->dupctx != NULL) + rctx->op.sig.algctx + = pctx->op.sig.signature->dupctx(pctx->op.sig.algctx); + if (rctx->op.sig.algctx == NULL) { EVP_SIGNATURE_free(rctx->op.sig.signature); rctx->op.sig.signature = NULL; @@ -545,8 +551,11 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(const EVP_PKEY_CTX *pctx) if (pctx->op.ciph.algctx != NULL) { if (!ossl_assert(pctx->op.ciph.cipher != NULL)) goto err; - rctx->op.ciph.algctx - = pctx->op.ciph.cipher->dupctx(pctx->op.ciph.algctx); + + if (pctx->op.ciph.cipher->dupctx != NULL) + rctx->op.ciph.algctx + = pctx->op.ciph.cipher->dupctx(pctx->op.ciph.algctx); + if (rctx->op.ciph.algctx == NULL) { EVP_ASYM_CIPHER_free(rctx->op.ciph.cipher); rctx->op.ciph.cipher = NULL; @@ -563,8 +572,11 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(const EVP_PKEY_CTX *pctx) if (pctx->op.encap.algctx != NULL) { if (!ossl_assert(pctx->op.encap.kem != NULL)) goto err; - rctx->op.encap.algctx - = pctx->op.encap.kem->dupctx(pctx->op.encap.algctx); + + if (pctx->op.encap.kem->dupctx != NULL) + rctx->op.encap.algctx + = pctx->op.encap.kem->dupctx(pctx->op.encap.algctx); + if (rctx->op.encap.algctx == NULL) { EVP_KEM_free(rctx->op.encap.kem); rctx->op.encap.kem = NULL; diff --git a/crypto/ffc/ffc_backend.c b/crypto/ffc/ffc_backend.c index dbd28b0e66bd..fe0a82eac8a6 100644 --- a/crypto/ffc/ffc_backend.c +++ b/crypto/ffc/ffc_backend.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -111,6 +111,7 @@ int ossl_ffc_params_fromdata(FFC_PARAMS *ffc, const OSSL_PARAM params[]) if (p1 != NULL) { if (p1->data_type != OSSL_PARAM_UTF8_STRING) goto err; + props = p1->data; } if (!ossl_ffc_set_digest(ffc, prm->data, props)) goto err; diff --git a/crypto/ffc/ffc_params.c b/crypto/ffc/ffc_params.c index fb558f8221f6..3536efd1ad85 100644 --- a/crypto/ffc/ffc_params.c +++ b/crypto/ffc/ffc_params.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -182,6 +182,8 @@ int ossl_ffc_params_copy(FFC_PARAMS *dst, const FFC_PARAMS *src) || !ffc_bn_cpy(&dst->j, src->j)) return 0; + dst->mdname = src->mdname; + dst->mdprops = src->mdprops; OPENSSL_free(dst->seed); dst->seedlen = src->seedlen; if (src->seed != NULL) { diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c index 0d62f1c7bf16..ee41c03103e5 100644 --- a/crypto/http/http_client.c +++ b/crypto/http/http_client.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Siemens AG 2018-2020 * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -1122,7 +1122,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy, char *port; char *path; int use_ssl; - OSSL_HTTP_REQ_CTX *rctx; + OSSL_HTTP_REQ_CTX *rctx = NULL; BIO *resp = NULL; time_t max_time = timeout > 0 ? time(NULL) + timeout : 0; @@ -1148,10 +1148,12 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy, NULL /* req */, expected_ct, expect_asn1, max_resp_len, -1 /* use same max time (timeout) */, - 0 /* no keep_alive */)) + 0 /* no keep_alive */)) { OSSL_HTTP_REQ_CTX_free(rctx); - else + rctx = NULL; + } else { resp = OSSL_HTTP_exchange(rctx, &redirection_url); + } } OPENSSL_free(path); if (resp == NULL && redirection_url != NULL) { @@ -1166,6 +1168,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy, OPENSSL_free(host); OPENSSL_free(port); (void)OSSL_HTTP_close(rctx, 1); + rctx = NULL; BIO_free(resp); OPENSSL_free(current_url); return NULL; @@ -1175,6 +1178,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy, OPENSSL_free(host); OPENSSL_free(port); (void)OSSL_HTTP_close(rctx, 1); + rctx = NULL; continue; } /* if redirection not allowed, ignore it */ @@ -1184,6 +1188,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy, OPENSSL_free(port); if (!OSSL_HTTP_close(rctx, resp != NULL)) { BIO_free(resp); + rctx = NULL; resp = NULL; } break; diff --git a/crypto/http/http_lib.c b/crypto/http/http_lib.c index bd9c096b989c..ec24e0dc488e 100644 --- a/crypto/http/http_lib.c +++ b/crypto/http/http_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -253,9 +253,9 @@ static int use_proxy(const char *no_proxy, const char *server) * compatible with other HTTP client implementations like wget, curl and git */ if (no_proxy == NULL) - no_proxy = getenv("no_proxy"); + no_proxy = ossl_safe_getenv("no_proxy"); if (no_proxy == NULL) - no_proxy = getenv(OPENSSL_NO_PROXY); + no_proxy = ossl_safe_getenv(OPENSSL_NO_PROXY); if (no_proxy != NULL) found = strstr(no_proxy, server); @@ -275,10 +275,9 @@ const char *OSSL_HTTP_adapt_proxy(const char *proxy, const char *no_proxy, * compatible with other HTTP client implementations like wget, curl and git */ if (proxy == NULL) - proxy = getenv(use_ssl ? "https_proxy" : "http_proxy"); + proxy = ossl_safe_getenv(use_ssl ? "https_proxy" : "http_proxy"); if (proxy == NULL) - proxy = getenv(use_ssl ? OPENSSL_HTTP_PROXY : - OPENSSL_HTTPS_PROXY); + proxy = ossl_safe_getenv(use_ssl ? OPENSSL_HTTP_PROXY : OPENSSL_HTTPS_PROXY); if (proxy == NULL || *proxy == '\0' || !use_proxy(no_proxy, server)) return NULL; diff --git a/crypto/modes/asm/aes-gcm-armv8_64.pl b/crypto/modes/asm/aes-gcm-armv8_64.pl index 3b9d5b651193..302b6f5a8ec8 100755 --- a/crypto/modes/asm/aes-gcm-armv8_64.pl +++ b/crypto/modes/asm/aes-gcm-armv8_64.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -217,6 +217,7 @@ my $mod_constant="v8"; my $mod_t="v31"; my ($rk0,$rk1,$rk2,$rk3,$rk4,$rk5,$rk6,$rk7,$rk8,$rk9)=map("v$_.16b",(18..27)); +my ($rk0s,$rk1s,$rk2s,$rk3s,$rk4s,$rk5s,$rk6s,$rk7s,$rk8s,$rk9s)=map("v$_.4s",(18..27)); my ($rk0q,$rk1q,$rk2q,$rk3q,$rk4q,$rk5q,$rk6q,$rk7q,$rk8q,$rk9q)=map("q$_",(18..27)); my $rk2q1="v20.1q"; my $rk3q1="v21.1q"; @@ -268,28 +269,36 @@ aes_gcm_enc_128_kernel: stp d14, d15, [sp, #96] ldp $ctr96_b64x, $ctr96_t32x, [$counter] @ ctr96_b64, ctr96_t32 +#ifdef __AARCH64EB__ + rev $ctr96_b64x, $ctr96_b64x + rev $ctr96_t32x, $ctr96_t32x +#endif ldp $rk10_l, $rk10_h, [$cc, #160] @ load rk10 - +#ifdef __AARCH64EB__ + ror $rk10_l, $rk10_l, #32 + ror $rk10_h, $rk10_h, #32 +#endif ld1 {$acc_lb}, [$current_tag] ext $acc_lb, $acc_lb, $acc_lb, #8 rev64 $acc_lb, $acc_lb lsr $main_end_input_ptr, $bit_length, #3 @ byte_len mov $len, $main_end_input_ptr - ldr $rk9q, [$cc, #144] @ load rk9 + ld1 {$rk0s}, [$cc], #16 @ load rk0 add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1 lsr $rctr32x, $ctr96_t32x, #32 ldr $h4q, [$current_tag, #112] @ load h4l | h4h +#ifndef __AARCH64EB__ ext $h4b, $h4b, $h4b, #8 - +#endif fmov $ctr1d, $ctr96_b64x @ CTR block 1 rev $rctr32w, $rctr32w @ rev_ctr32 add $rctr32w, $rctr32w, #1 @ increment rev_ctr32 orr $ctr96_t32w, $ctr96_t32w, $ctr96_t32w - ldr $rk0q, [$cc, #0] @ load rk0 + ld1 {$rk1s}, [$cc], #16 @ load rk1 rev $ctr32w, $rctr32w @ CTR block 1 add $rctr32w, $rctr32w, #1 @ CTR block 1 @@ -309,45 +318,50 @@ aes_gcm_enc_128_kernel: rev $ctr32w, $rctr32w @ CTR block 3 orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 3 - ldr $rk1q, [$cc, #16] @ load rk1 + ld1 {$rk2s}, [$cc], #16 @ load rk2 add $rctr32w, $rctr32w, #1 @ CTR block 3 fmov $ctr3.d[1], $ctr32x @ CTR block 3 ldr $h3q, [$current_tag, #80] @ load h3l | h3h +#ifndef __AARCH64EB__ ext $h3b, $h3b, $h3b, #8 - +#endif aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 - ldr $rk2q, [$cc, #32] @ load rk2 + ld1 {$rk3s}, [$cc], #16 @ load rk3 aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 ldr $h1q, [$current_tag, #32] @ load h1l | h1h +#ifndef __AARCH64EB__ ext $h1b, $h1b, $h1b, #8 +#endif aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0 - ldr $rk8q, [$cc, #128] @ load rk8 + ld1 {$rk4s}, [$cc], #16 @ load rk4 aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 - ldr $rk3q, [$cc, #48] @ load rk3 + ld1 {$rk5s}, [$cc], #16 @ load rk5 aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 trn2 $h34k.2d, $h3.2d, $h4.2d @ h4l | h3l aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 1 - ldr $rk6q, [$cc, #96] @ load rk6 + ld1 {$rk6s}, [$cc], #16 @ load rk6 aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 - ldr $rk7q, [$cc, #112] @ load rk7 + ld1 {$rk7s}, [$cc], #16 @ load rk7 aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 trn1 $acc_h.2d, $h3.2d, $h4.2d @ h4h | h3h aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 - ldr $rk5q, [$cc, #80] @ load rk5 + ld1 {$rk8s}, [$cc], #16 @ load rk8 aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2 ldr $h2q, [$current_tag, #64] @ load h2l | h2h +#ifndef __AARCH64EB__ ext $h2b, $h2b, $h2b, #8 +#endif aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 @@ -359,7 +373,7 @@ aes_gcm_enc_128_kernel: aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 3 aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3 - ldr $rk4q, [$cc, #64] @ load rk4 + ld1 {$rk9s}, [$cc], #16 @ load rk9 aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 3 @@ -421,13 +435,25 @@ aes_gcm_enc_128_kernel: b.ge .L128_enc_tail @ handle tail ldp $input_l0, $input_h0, [$input_ptr, #0] @ AES block 0 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif ldp $input_l2, $input_h2, [$input_ptr, #32] @ AES block 2 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l2, $input_l2 + rev $input_h2, $input_h2 +#endif ldp $input_l1, $input_h1, [$input_ptr, #16] @ AES block 1 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l1, $input_l1 + rev $input_h1, $input_h1 +#endif ldp $input_l3, $input_h3, [$input_ptr, #48] @ AES block 3 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l3, $input_l3 + rev $input_h3, $input_h3 +#endif eor $input_l0, $input_l0, $rk10_l @ AES block 0 - round 10 low eor $input_h0, $input_h0, $rk10_h @ AES block 0 - round 10 high @@ -492,6 +518,10 @@ aes_gcm_enc_128_kernel: .L128_enc_main_loop: @ main loop start ldp $input_l3, $input_h3, [$input_ptr, #48] @ AES block 4k+3 - load plaintext +#ifdef __AARCH64EB__ + rev $input_l3, $input_l3 + rev $input_h3, $input_h3 +#endif rev64 $res0b, $res0b @ GHASH block 4k (only t0 is free) rev64 $res2b, $res2b @ GHASH block 4k+2 (t0, t1, and t2 free) @@ -520,7 +550,10 @@ aes_gcm_enc_128_kernel: pmull2 $t1.1q, $res1.2d, $h3.2d @ GHASH block 4k+1 - high eor $t6.8b, $t6.8b, $res2.8b @ GHASH block 4k+2 - mid ldp $input_l0, $input_h0, [$input_ptr, #0] @ AES block 4k+4 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 1 rev $ctr32w, $rctr32w @ CTR block 4k+8 @@ -590,13 +623,19 @@ aes_gcm_enc_128_kernel: aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 5 ldp $input_l1, $input_h1, [$input_ptr, #16] @ AES block 4k+5 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l1, $input_l1 + rev $input_h1, $input_h1 +#endif aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 3 eor $acc_mb, $acc_mb, $t6.16b @ GHASH block 4k+2 - mid aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 5 ldp $input_l2, $input_h2, [$input_ptr, #32] @ AES block 4k+6 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l2, $input_l2 + rev $input_h2, $input_h2 +#endif pmull $mod_t.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid eor $acc_lb, $acc_lb, $t8.16b @ GHASH block 4k+3 - low @@ -853,7 +892,10 @@ aes_gcm_enc_128_kernel: sub $main_end_input_ptr, $end_input_ptr, $input_ptr @ main_end_input_ptr is number of bytes left to process ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES block 4k+4 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif cmp $main_end_input_ptr, #48 ext $t0.16b, $acc_lb, $acc_lb, #8 @ prepare final partial tag @@ -891,7 +933,10 @@ aes_gcm_enc_128_kernel: st1 { $res1b}, [$output_ptr], #16 @ AES final-3 block - store result ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES final-2 block - load input low & high - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif rev64 $res0b, $res1b @ GHASH final-3 block eor $res0b, $res0b, $t0.16b @ feed in partial tag @@ -920,7 +965,10 @@ aes_gcm_enc_128_kernel: rev64 $res0b, $res1b @ GHASH final-2 block ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES final-1 block - load input low & high - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif eor $res0b, $res0b, $t0.16b @ feed in partial tag eor $input_l0, $input_l0, $rk10_l @ AES final-1 block - round 10 low @@ -954,7 +1002,10 @@ aes_gcm_enc_128_kernel: rev64 $res0b, $res1b @ GHASH final-1 block ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES final block - load input low & high - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif eor $res0b, $res0b, $t0.16b @ feed in partial tag eor $input_h0, $input_h0, $rk10_h @ AES final block - round 10 high @@ -1017,9 +1068,11 @@ aes_gcm_enc_128_kernel: ld1 { $rk0}, [$output_ptr] @ load existing bytes where the possibly partial last block is to be stored eor $t0.8b, $t0.8b, $res0.8b @ GHASH final block - mid - +#ifndef __AARCH64EB__ rev $ctr32w, $rctr32w - +#else + mov $ctr32w, $rctr32w +#endif pmull2 $rk2q1, $res0.2d, $h1.2d @ GHASH final block - high pmull $t0.1q, $t0.1d, $h12k.1d @ GHASH final block - mid @@ -1103,20 +1156,29 @@ aes_gcm_dec_128_kernel: lsr $main_end_input_ptr, $bit_length, #3 @ byte_len mov $len, $main_end_input_ptr ldp $ctr96_b64x, $ctr96_t32x, [$counter] @ ctr96_b64, ctr96_t32 - +#ifdef __AARCH64EB__ + rev $ctr96_b64x, $ctr96_b64x + rev $ctr96_t32x, $ctr96_t32x +#endif + ldp $rk10_l, $rk10_h, [$cc, #160] @ load rk10 +#ifdef __AARCH64EB__ + ror $rk10_h, $rk10_h, 32 + ror $rk10_l, $rk10_l, 32 +#endif sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1 - ldr $rk0q, [$cc, #0] @ load rk0 + ld1 {$rk0s}, [$cc], #16 @ load rk0 and $main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffffc0 @ number of bytes to be processed in main loop (at least 1 byte must be handled by tail) ld1 { $ctr0b}, [$counter] @ special case vector load initial counter so we can start first AES block as quickly as possible ldr $h2q, [$current_tag, #64] @ load h2l | h2h +#ifndef __AARCH64EB__ ext $h2b, $h2b, $h2b, #8 - +#endif lsr $rctr32x, $ctr96_t32x, #32 fmov $ctr2d, $ctr96_b64x @ CTR block 2 - ldr $rk1q, [$cc, #16] @ load rk1 + ld1 {$rk1s}, [$cc], #16 @ load rk1 orr $ctr96_t32w, $ctr96_t32w, $ctr96_t32w rev $rctr32w, $rctr32w @ rev_ctr32 @@ -1127,7 +1189,7 @@ aes_gcm_dec_128_kernel: rev $ctr32w, $rctr32w @ CTR block 1 orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 1 - ldr $rk2q, [$cc, #32] @ load rk2 + ld1 {$rk2s}, [$cc], #16 @ load rk2 add $rctr32w, $rctr32w, #1 @ CTR block 1 fmov $ctr1.d[1], $ctr32x @ CTR block 1 @@ -1148,23 +1210,22 @@ aes_gcm_dec_128_kernel: add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 - ldr $rk3q, [$cc, #48] @ load rk3 + ld1 {$rk3s}, [$cc], #16 @ load rk3 aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 - ldr $rk6q, [$cc, #96] @ load rk6 + ld1 {$rk4s}, [$cc], #16 @ load rk4 aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 - ldr $rk7q, [$cc, #112] @ load rk7 + ld1 {$rk5s}, [$cc], #16 @ load rk5 aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 - ldr $rk4q, [$cc, #64] @ load rk4 + ld1 {$rk6s}, [$cc], #16 @ load rk6 aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2 - ldp $rk10_l, $rk10_h, [$cc, #160] @ load rk10 aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 ld1 { $acc_lb}, [$current_tag] @@ -1172,14 +1233,14 @@ aes_gcm_dec_128_kernel: rev64 $acc_lb, $acc_lb aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 3 - ldr $rk5q, [$cc, #80] @ load rk5 + ld1 {$rk7s}, [$cc], #16 @ load rk7 aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 3 aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 - ldr $rk9q, [$cc, #144] @ load rk9 + ld1 {$rk8s}, [$cc], #16 @ load rk8 aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 4 @@ -1187,10 +1248,11 @@ aes_gcm_dec_128_kernel: aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3 ldr $h3q, [$current_tag, #80] @ load h3l | h3h +#ifndef __AARCH64EB__ ext $h3b, $h3b, $h3b, #8 - +#endif aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 4 - ldr $rk8q, [$cc, #128] @ load rk8 + ld1 {$rk9s}, [$cc], #16 @ load rk9 aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 5 @@ -1202,8 +1264,9 @@ aes_gcm_dec_128_kernel: aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 5 ldr $h1q, [$current_tag, #32] @ load h1l | h1h +#ifndef __AARCH64EB__ ext $h1b, $h1b, $h1b, #8 - +#endif aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 5 aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 6 @@ -1216,7 +1279,9 @@ aes_gcm_dec_128_kernel: trn1 $t0.2d, $h1.2d, $h2.2d @ h2h | h1h ldr $h4q, [$current_tag, #112] @ load h4l | h4h +#ifndef __AARCH64EB__ ext $h4b, $h4b, $h4b, #8 +#endif trn2 $h12k.2d, $h1.2d, $h2.2d @ h2l | h1l add $main_end_input_ptr, $main_end_input_ptr, $input_ptr @@ -1250,12 +1315,10 @@ aes_gcm_dec_128_kernel: eor $h34k.16b, $h34k.16b, $acc_h.16b @ h4k | h3k b.ge .L128_dec_tail @ handle tail - ldr $res1q, [$input_ptr, #16] @ AES block 1 - load ciphertext - - ldr $res0q, [$input_ptr, #0] @ AES block 0 - load ciphertext + ld1 {$res0b, $res1b}, [$input_ptr], #32 @ AES block 0 - load ciphertext; AES block 1 - load ciphertext eor $ctr1b, $res1b, $ctr1b @ AES block 1 - result - ldr $res2q, [$input_ptr, #32] @ AES block 2 - load ciphertext + ld1 {$res2b}, [$input_ptr], #16 @ AES block 2 - load ciphertext eor $ctr0b, $res0b, $ctr0b @ AES block 0 - result rev64 $res0b, $res0b @ GHASH block 0 @@ -1263,10 +1326,9 @@ aes_gcm_dec_128_kernel: orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 4 add $rctr32w, $rctr32w, #1 @ CTR block 4 - ldr $res3q, [$input_ptr, #48] @ AES block 3 - load ciphertext + ld1 {$res3b}, [$input_ptr], #16 @ AES block 3 - load ciphertext rev64 $res1b, $res1b @ GHASH block 1 - add $input_ptr, $input_ptr, #64 @ AES input_ptr update mov $output_l1, $ctr1.d[0] @ AES block 1 - mov low mov $output_h1, $ctr1.d[1] @ AES block 1 - mov high @@ -1281,7 +1343,9 @@ aes_gcm_dec_128_kernel: fmov $ctr0.d[1], $ctr32x @ CTR block 4 rev $ctr32w, $rctr32w @ CTR block 5 eor $output_l1, $output_l1, $rk10_l @ AES block 1 - round 10 low - +#ifdef __AARCH64EB__ + rev $output_l1, $output_l1 +#endif fmov $ctr1d, $ctr96_b64x @ CTR block 5 add $rctr32w, $rctr32w, #1 @ CTR block 5 orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 5 @@ -1293,10 +1357,19 @@ aes_gcm_dec_128_kernel: orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 6 eor $output_h1, $output_h1, $rk10_h @ AES block 1 - round 10 high +#ifdef __AARCH64EB__ + rev $output_h1, $output_h1 +#endif eor $output_l0, $output_l0, $rk10_l @ AES block 0 - round 10 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $ctr2b, $res2b, $ctr2b @ AES block 2 - result eor $output_h0, $output_h0, $rk10_h @ AES block 0 - round 10 high +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif stp $output_l0, $output_h0, [$output_ptr], #16 @ AES block 0 - store result stp $output_l1, $output_h1, [$output_ptr], #16 @ AES block 1 - store result @@ -1356,9 +1429,14 @@ aes_gcm_dec_128_kernel: aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 1 eor $output_l3, $output_l3, $rk10_l @ AES block 4k+3 - round 10 low - +#ifdef __AARCH64EB__ + rev $output_l3, $output_l3 +#endif pmull $t3.1q, $t3.1d, $h34k.1d @ GHASH block 4k+1 - mid eor $output_h2, $output_h2, $rk10_h @ AES block 4k+2 - round 10 high +#ifdef __AARCH64EB__ + rev $output_h2, $output_h2 +#endif mov $t6d, $res2.d[1] @ GHASH block 4k+2 - mid aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 1 @@ -1389,13 +1467,17 @@ aes_gcm_dec_128_kernel: pmull2 $t6.1q, $t6.2d, $h12k.2d @ GHASH block 4k+2 - mid eor $output_h3, $output_h3, $rk10_h @ AES block 4k+3 - round 10 high - +#ifdef __AARCH64EB__ + rev $output_h3, $output_h3 +#endif aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 2 eor $t9.8b, $t9.8b, $res3.8b @ GHASH block 4k+3 - mid aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 5 eor $output_l2, $output_l2, $rk10_l @ AES block 4k+2 - round 10 low - +#ifdef __AARCH64EB__ + rev $output_l2, $output_l2 +#endif aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 5 movi $mod_constant.8b, #0xc2 @@ -1412,7 +1494,7 @@ aes_gcm_dec_128_kernel: pmull $t9.1q, $t9.1d, $h12k.1d @ GHASH block 4k+3 - mid eor $acc_hb, $acc_hb, $t7.16b @ GHASH block 4k+3 - high - ldr $res0q, [$input_ptr, #0] @ AES block 4k+4 - load ciphertext + ld1 {$res0b}, [$input_ptr], #16 @ AES block 4k+3 - load ciphertext aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 7 add $rctr32w, $rctr32w, #1 @ CTR block 4k+7 @@ -1433,7 +1515,7 @@ aes_gcm_dec_128_kernel: rev $ctr32w, $rctr32w @ CTR block 4k+8 pmull $mod_t.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid - ldr $res1q, [$input_ptr, #16] @ AES block 4k+5 - load ciphertext + ld1 {$res1b}, [$input_ptr], #16 @ AES block 4k+4 - load ciphertext ext $acc_hb, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment aese $ctr0b, $rk9 @ AES block 4k+4 - round 9 @@ -1448,17 +1530,16 @@ aes_gcm_dec_128_kernel: eor $ctr0b, $res0b, $ctr0b @ AES block 4k+4 - result aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 5 - ldr $res2q, [$input_ptr, #32] @ AES block 4k+6 - load ciphertext + ld1 {$res2b}, [$input_ptr], #16 @ AES block 4k+5 - load ciphertext add $rctr32w, $rctr32w, #1 @ CTR block 4k+8 eor $acc_mb, $acc_mb, $mod_t.16b @ MODULO - fold into mid eor $ctr1b, $res1b, $ctr1b @ AES block 4k+5 - result aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 7 - ldr $res3q, [$input_ptr, #48] @ AES block 4k+3 - load ciphertext + ld1 {$res3b}, [$input_ptr], #16 @ AES block 4k+6 - load ciphertext aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 6 - add $input_ptr, $input_ptr, #64 @ AES input_ptr update rev64 $res1b, $res1b @ GHASH block 4k+5 eor $acc_mb, $acc_mb, $acc_hb @ MODULO - fold into mid @@ -1480,11 +1561,15 @@ aes_gcm_dec_128_kernel: aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 8 eor $output_h0, $output_h0, $rk10_h @ AES block 4k+4 - round 10 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif eor $acc_lb, $acc_lb, $mod_constant.16b @ MODULO - fold into low mov $output_h1, $ctr1.d[1] @ AES block 4k+5 - mov high eor $output_l0, $output_l0, $rk10_l @ AES block 4k+4 - round 10 low - +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $ctr2b, $res2b, $ctr2b @ AES block 4k+6 - result mov $output_l1, $ctr1.d[0] @ AES block 4k+5 - mov low add $rctr32w, $rctr32w, #1 @ CTR block 4k+9 @@ -1501,9 +1586,15 @@ aes_gcm_dec_128_kernel: add $rctr32w, $rctr32w, #1 @ CTR block 4k+10 eor $output_h1, $output_h1, $rk10_h @ AES block 4k+5 - round 10 high +#ifdef __AARCH64EB__ + rev $output_h1, $output_h1 +#endif stp $output_l0, $output_h0, [$output_ptr], #16 @ AES block 4k+4 - store result eor $output_l1, $output_l1, $rk10_l @ AES block 4k+5 - round 10 low +#ifdef __AARCH64EB__ + rev $output_l1, $output_l1 +#endif stp $output_l1, $output_h1, [$output_ptr], #16 @ AES block 4k+5 - store result orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 4k+10 @@ -1596,9 +1687,14 @@ aes_gcm_dec_128_kernel: aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 2 eor $output_l3, $output_l3, $rk10_l @ AES block 4k+3 - round 10 low - +#ifdef __AARCH64EB__ + rev $output_l3, $output_l3 +#endif pmull $t9.1q, $t9.1d, $h12k.1d @ GHASH block 4k+3 - mid eor $output_l2, $output_l2, $rk10_l @ AES block 4k+2 - round 10 low +#ifdef __AARCH64EB__ + rev $output_l2, $output_l2 +#endif eor $acc_lb, $acc_lb, $t8.16b @ GHASH block 4k+3 - low aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 3 @@ -1652,7 +1748,9 @@ aes_gcm_dec_128_kernel: pmull $mod_constant.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low eor $output_h3, $output_h3, $rk10_h @ AES block 4k+3 - round 10 high - +#ifdef __AARCH64EB__ + rev $output_h3, $output_h3 +#endif aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 7 ext $acc_mb, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment @@ -1665,7 +1763,9 @@ aes_gcm_dec_128_kernel: aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 8 eor $output_h2, $output_h2, $rk10_h @ AES block 4k+2 - round 10 high - +#ifdef __AARCH64EB__ + rev $output_h2, $output_h2 +#endif aese $ctr0b, $rk9 @ AES block 4k+4 - round 9 stp $output_l2, $output_h2, [$output_ptr], #16 @ AES block 4k+2 - store result @@ -1689,9 +1789,14 @@ aes_gcm_dec_128_kernel: cmp $main_end_input_ptr, #48 eor $output_h0, $output_h0, $rk10_h @ AES block 4k+4 - round 10 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif ext $t0.16b, $acc_lb, $acc_lb, #8 @ prepare final partial tag eor $output_l0, $output_l0, $rk10_l @ AES block 4k+4 - round 10 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif b.gt .L128_dec_blocks_more_than_3 mov $ctr3b, $ctr2b @@ -1735,9 +1840,14 @@ aes_gcm_dec_128_kernel: movi $t0.8b, #0 @ suppress further partial tag feed in eor $output_h0, $output_h0, $rk10_h @ AES final-2 block - round 10 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif pmull $acc_m.1q, $rk4v.1d, $acc_m.1d @ GHASH final-3 block - mid eor $output_l0, $output_l0, $rk10_l @ AES final-2 block - round 10 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif .L128_dec_blocks_more_than_2: @ blocks left > 2 rev64 $res0b, $res1b @ GHASH final-2 block @@ -1763,12 +1873,18 @@ aes_gcm_dec_128_kernel: pmull $rk4v.1q, $rk4v.1d, $h34k.1d @ GHASH final-2 block - mid eor $output_l0, $output_l0, $rk10_l @ AES final-1 block - round 10 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $acc_lb, $acc_lb, $rk3 @ GHASH final-2 block - low eor $acc_hb, $acc_hb, $rk2 @ GHASH final-2 block - high eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-2 block - mid eor $output_h0, $output_h0, $rk10_h @ AES final-1 block - round 10 high +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif .L128_dec_blocks_more_than_1: @ blocks left > 1 rev64 $res0b, $res1b @ GHASH final-1 block @@ -1799,8 +1915,13 @@ aes_gcm_dec_128_kernel: eor $acc_hb, $acc_hb, $rk2 @ GHASH final-1 block - high eor $output_h0, $output_h0, $rk10_h @ AES final block - round 10 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif eor $output_l0, $output_l0, $rk10_l @ AES final block - round 10 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-1 block - mid .L128_dec_blocks_less_than_1: @ blocks left <= 1 @@ -1846,7 +1967,11 @@ aes_gcm_dec_128_kernel: bic $end_input_ptr, $end_input_ptr, $ctr32x @ mask out low existing bytes and $output_l0, $output_l0, $ctr32x +#ifndef __AARCH64EB__ rev $ctr32w, $rctr32w +#else + mov $ctr32w, $rctr32w +#endif eor $acc_mb, $acc_mb, $t0.16b @ GHASH final block - mid movi $mod_constant.8b, #0xc2 @@ -1955,6 +2080,7 @@ my $mod_t="v31"; my ($rk0,$rk1,$rk2,$rk3,$rk4,$rk5,$rk6,$rk7,$rk8,$rk9,$rk10,$rk11)=map("v$_.16b",(18..29)); my ($rk0q,$rk1q,$rk2q,$rk3q,$rk4q,$rk5q,$rk6q,$rk7q,$rk8q,$rk9q,$rk10q,$rk11q)=map("q$_",(18..29)); +my ($rk0s,$rk1s,$rk2s,$rk3s,$rk4s,$rk5s,$rk6s,$rk7s,$rk8s,$rk9s,$rk10s,$rk11s)=map("v$_.4s",(18..29)); my $rk2q1="v20.1q"; my $rk3q1="v21.1q"; my $rk4v="v22"; @@ -1985,18 +2111,26 @@ aes_gcm_enc_192_kernel: stp d14, d15, [sp, #96] ldp $ctr96_b64x, $ctr96_t32x, [$counter] @ ctr96_b64, ctr96_t32 +#ifdef __AARCH64EB__ + rev $ctr96_b64x, $ctr96_b64x + rev $ctr96_t32x, $ctr96_t32x +#endif + ldp $rk12_l, $rk12_h, [$cc, #192] @ load rk12 +#ifdef __AARCH64EB__ + ror $rk12_l, $rk12_l, #32 + ror $rk12_h, $rk12_h, #32 +#endif + ld1 {$rk0s}, [$cc], #16 @ load rk0 - ldr $rk5q, [$cc, #80] @ load rk5 - - ldr $rk4q, [$cc, #64] @ load rk4 + ld1 {$rk1s}, [$cc], #16 @ load rk1 - ldr $rk8q, [$cc, #128] @ load rk8 + ld1 {$rk2s}, [$cc], #16 @ load rk2 lsr $rctr32x, $ctr96_t32x, #32 - ldr $rk6q, [$cc, #96] @ load rk6 + ld1 {$rk3s}, [$cc], #16 @ load rk3 orr $ctr96_t32w, $ctr96_t32w, $ctr96_t32w - ldr $rk7q, [$cc, #112] @ load rk7 + ld1 {$rk4s}, [$cc], #16 @ load rk4 rev $rctr32w, $rctr32w @ rev_ctr32 add $rctr32w, $rctr32w, #1 @ increment rev_ctr32 @@ -2020,15 +2154,13 @@ aes_gcm_enc_192_kernel: rev $ctr32w, $rctr32w @ CTR block 3 orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 3 - ldr $rk0q, [$cc, #0] @ load rk0 + ld1 {$rk5s}, [$cc], #16 @ load rk5 fmov $ctr3.d[1], $ctr32x @ CTR block 3 - ldr $rk3q, [$cc, #48] @ load rk3 - - ldp $rk12_l, $rk12_h, [$cc, #192] @ load rk12 + ld1 {$rk6s}, [$cc], #16 @ load rk6 - ldr $rk1q, [$cc, #16] @ load rk1 + ld1 {$rk7s}, [$cc], #16 @ load rk7 aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0 ld1 { $acc_lb}, [$current_tag] @@ -2036,29 +2168,32 @@ aes_gcm_enc_192_kernel: rev64 $acc_lb, $acc_lb aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 - ldr $rk11q, [$cc, #176] @ load rk11 + ld1 {$rk8s}, [$cc], #16 @ load rk8 aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 ldr $h4q, [$current_tag, #112] @ load h4l | h4h +#ifndef __AARCH64EB__ ext $h4b, $h4b, $h4b, #8 - +#endif aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 - ldr $rk2q, [$cc, #32] @ load rk2 + ld1 {$rk9s}, [$cc], #16 @ load rk9 aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 1 - ldr $rk10q, [$cc, #160] @ load rk10 + ld1 {$rk10s}, [$cc], #16 @ load rk10 aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 ldr $h1q, [$current_tag, #32] @ load h1l | h1h +#ifndef __AARCH64EB__ ext $h1b, $h1b, $h1b, #8 - +#endif aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 - ldr $rk9q, [$cc, #144] @ load rk9 + ld1 {$rk11s}, [$cc], #16 @ load rk11 aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 ldr $h3q, [$current_tag, #80] @ load h3l | h3h +#ifndef __AARCH64EB__ ext $h3b, $h3b, $h3b, #8 - +#endif aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 @@ -2097,8 +2232,9 @@ aes_gcm_enc_192_kernel: aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 6 ldr $h2q, [$current_tag, #64] @ load h2l | h2h +#ifndef __AARCH64EB__ ext $h2b, $h2b, $h2b, #8 - +#endif aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 6 aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 6 @@ -2160,13 +2296,26 @@ aes_gcm_enc_192_kernel: rev $ctr32w, $rctr32w @ CTR block 4 ldp $input_l0, $input_h0, [$input_ptr, #0] @ AES block 0 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 4 ldp $input_l2, $input_h2, [$input_ptr, #32] @ AES block 2 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l2, $input_l2 + rev $input_h2, $input_h2 +#endif ldp $input_l3, $input_h3, [$input_ptr, #48] @ AES block 3 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l3, $input_l3 + rev $input_h3, $input_h3 +#endif ldp $input_l1, $input_h1, [$input_ptr, #16] @ AES block 1 - load plaintext +#ifdef __AARCH64EB__ + rev $input_l1, $input_l1 + rev $input_h1, $input_h1 +#endif add $input_ptr, $input_ptr, #64 @ AES input_ptr update cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks @@ -2236,7 +2385,10 @@ aes_gcm_enc_192_kernel: aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 0 ldp $input_l1, $input_h1, [$input_ptr, #16] @ AES block 4k+5 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l1, $input_l1 + rev $input_h1, $input_h1 +#endif ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0 fmov $ctr3d, $ctr96_b64x @ CTR block 4k+3 rev64 $res0b, $res0b @ GHASH block 4k (only t0 is free) @@ -2247,10 +2399,16 @@ aes_gcm_enc_192_kernel: pmull2 $t1.1q, $res1.2d, $h3.2d @ GHASH block 4k+1 - high rev64 $res3b, $res3b @ GHASH block 4k+3 (t0, t1, t2 and t3 free) ldp $input_l2, $input_h2, [$input_ptr, #32] @ AES block 4k+6 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l2, $input_l2 + rev $input_h2, $input_h2 +#endif aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 0 ldp $input_l3, $input_h3, [$input_ptr, #48] @ AES block 4k+3 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l3, $input_l3 + rev $input_h3, $input_h3 +#endif pmull $t2.1q, $res1.1d, $h3.1d @ GHASH block 4k+1 - low eor $res0b, $res0b, $acc_lb @ PRE 1 @@ -2327,7 +2485,10 @@ aes_gcm_enc_192_kernel: aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 4 ldp $input_l0, $input_h0, [$input_ptr, #0] @ AES block 4k+4 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 6 eor $acc_lb, $acc_lb, $t5.16b @ GHASH block 4k+2 - low @@ -2624,7 +2785,10 @@ aes_gcm_enc_192_kernel: sub $main_end_input_ptr, $end_input_ptr, $input_ptr @ main_end_input_ptr is number of bytes left to process ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES block 4k+4 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif eor $input_l0, $input_l0, $rk12_l @ AES block 4k+4 - round 12 low eor $input_h0, $input_h0, $rk12_h @ AES block 4k+4 - round 12 high @@ -2661,7 +2825,10 @@ aes_gcm_enc_192_kernel: st1 { $res1b}, [$output_ptr], #16 @ AES final-3 block - store result ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES final-2 block - load input low & high - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif rev64 $res0b, $res1b @ GHASH final-3 block eor $input_l0, $input_l0, $rk12_l @ AES final-2 block - round 12 low @@ -2692,7 +2859,10 @@ aes_gcm_enc_192_kernel: rev64 $res0b, $res1b @ GHASH final-2 block ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES final-1 block - load input low & high - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif eor $res0b, $res0b, $t0.16b @ feed in partial tag eor $input_h0, $input_h0, $rk12_h @ AES final-1 block - round 12 high @@ -2723,7 +2893,10 @@ aes_gcm_enc_192_kernel: st1 { $res1b}, [$output_ptr], #16 @ AES final-1 block - store result ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES final block - load input low & high - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif rev64 $res0b, $res1b @ GHASH final-1 block eor $input_l0, $input_l0, $rk12_l @ AES final block - round 12 low @@ -2755,7 +2928,11 @@ aes_gcm_enc_192_kernel: .L192_enc_blocks_less_than_1: @ blocks left <= 1 ld1 { $rk0}, [$output_ptr] @ load existing bytes where the possibly partial last block is to be stored +#ifndef __AARCH64EB__ rev $ctr32w, $rctr32w +#else + mov $ctr32w, $rctr32w +#endif and $bit_length, $bit_length, #127 @ bit_length %= 128 sub $bit_length, $bit_length, #128 @ bit_length -= 128 @@ -2871,14 +3048,22 @@ aes_gcm_dec_192_kernel: add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr ldp $ctr96_b64x, $ctr96_t32x, [$counter] @ ctr96_b64, ctr96_t32 - +#ifdef __AARCH64EB__ + rev $ctr96_b64x, $ctr96_b64x + rev $ctr96_t32x, $ctr96_t32x +#endif + ldp $rk12_l, $rk12_h, [$cc, #192] @ load rk12 +#ifdef __AARCH64EB__ + ror $rk12_l, $rk12_l, #32 + ror $rk12_h, $rk12_h, #32 +#endif ld1 { $ctr0b}, [$counter] @ special case vector load initial counter so we can start first AES block as quickly as possible - ldr $rk0q, [$cc, #0] @ load rk0 + ld1 {$rk0s}, [$cc], #16 @ load rk0 lsr $main_end_input_ptr, $bit_length, #3 @ byte_len mov $len, $main_end_input_ptr - ldr $rk2q, [$cc, #32] @ load rk2 + ld1 {$rk1s}, [$cc], #16 @ load rk1 lsr $rctr32x, $ctr96_t32x, #32 orr $ctr96_t32w, $ctr96_t32w, $ctr96_t32w @@ -2888,14 +3073,14 @@ aes_gcm_dec_192_kernel: fmov $ctr1d, $ctr96_b64x @ CTR block 1 add $rctr32w, $rctr32w, #1 @ increment rev_ctr32 - ldr $rk1q, [$cc, #16] @ load rk1 + ld1 {$rk2s}, [$cc], #16 @ load rk2 aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0 rev $ctr32w, $rctr32w @ CTR block 1 add $rctr32w, $rctr32w, #1 @ CTR block 1 orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 1 - ldr $rk3q, [$cc, #48] @ load rk3 + ld1 {$rk3s}, [$cc], #16 @ load rk3 fmov $ctr1.d[1], $ctr32x @ CTR block 1 rev $ctr32w, $rctr32w @ CTR block 2 @@ -2912,43 +3097,46 @@ aes_gcm_dec_192_kernel: fmov $ctr3.d[1], $ctr32x @ CTR block 3 - ldr $rk8q, [$cc, #128] @ load rk8 + ld1 {$rk4s}, [$cc], #16 @ load rk4 aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 - ldr $rk11q, [$cc, #176] @ load rk11 + ld1 {$rk5s}, [$cc], #16 @ load rk5 aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 ldr $h4q, [$current_tag, #112] @ load h4l | h4h +#ifndef __AARCH64EB__ ext $h4b, $h4b, $h4b, #8 - +#endif aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 ldr $h2q, [$current_tag, #64] @ load h2l | h2h +#ifndef __AARCH64EB__ ext $h2b, $h2b, $h2b, #8 - +#endif aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 ldr $h3q, [$current_tag, #80] @ load h3l | h3h +#ifndef __AARCH64EB__ ext $h3b, $h3b, $h3b, #8 - +#endif aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 - ldp $rk12_l, $rk12_h, [$cc, #192] @ load rk12 aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 ldr $h1q, [$current_tag, #32] @ load h1l | h1h +#ifndef __AARCH64EB__ ext $h1b, $h1b, $h1b, #8 - +#endif aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 - ldr $rk10q, [$cc, #160] @ load rk10 + ld1 {$rk6s}, [$cc], #16 @ load rk6 aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 3 - ldr $rk9q, [$cc, #144] @ load rk9 + ld1 {$rk7s}, [$cc], #16 @ load rk7 aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2 - ldr $rk7q, [$cc, #112] @ load rk7 + ld1 {$rk8s}, [$cc], #16 @ load rk8 aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 - ldr $rk4q, [$cc, #64] @ load rk4 + ld1 {$rk9s}, [$cc], #16 @ load rk9 aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3 ld1 { $acc_lb}, [$current_tag] @@ -2962,7 +3150,7 @@ aes_gcm_dec_192_kernel: trn1 $acc_h.2d, $h3.2d, $h4.2d @ h4h | h3h aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 4 - ldr $rk5q, [$cc, #80] @ load rk5 + ld1 {$rk10s}, [$cc], #16 @ load rk10 aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 4 trn2 $h34k.2d, $h3.2d, $h4.2d @ h4l | h3l @@ -2973,7 +3161,7 @@ aes_gcm_dec_192_kernel: trn2 $h12k.2d, $h1.2d, $h2.2d @ h2l | h1l aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 5 - ldr $rk6q, [$cc, #96] @ load rk6 + ld1 {$rk11s}, [$cc], #16 @ load rk11 aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 5 @@ -3037,17 +3225,13 @@ aes_gcm_dec_192_kernel: aese $ctr0b, $rk11 @ AES block 0 - round 11 b.ge .L192_dec_tail @ handle tail - ldr $res1q, [$input_ptr, #16] @ AES block 1 - load ciphertext - - ldr $res0q, [$input_ptr, #0] @ AES block 0 - load ciphertext + ld1 {$res0b, $res1b}, [$input_ptr], #32 @ AES block 0,1 - load ciphertext eor $ctr1b, $res1b, $ctr1b @ AES block 1 - result eor $ctr0b, $res0b, $ctr0b @ AES block 0 - result rev $ctr32w, $rctr32w @ CTR block 4 - ldr $res3q, [$input_ptr, #48] @ AES block 3 - load ciphertext - - ldr $res2q, [$input_ptr, #32] @ AES block 2 - load ciphertext + ld1 {$res2b, $res3b}, [$input_ptr], #32 @ AES block 2,3 - load ciphertext mov $output_l1, $ctr1.d[0] @ AES block 1 - mov low @@ -3059,27 +3243,35 @@ aes_gcm_dec_192_kernel: mov $output_h0, $ctr0.d[1] @ AES block 0 - mov high rev64 $res0b, $res0b @ GHASH block 0 - add $input_ptr, $input_ptr, #64 @ AES input_ptr update fmov $ctr0d, $ctr96_b64x @ CTR block 4 rev64 $res1b, $res1b @ GHASH block 1 cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks eor $output_l1, $output_l1, $rk12_l @ AES block 1 - round 12 low +#ifdef __AARCH64EB__ + rev $output_l1, $output_l1 +#endif fmov $ctr0.d[1], $ctr32x @ CTR block 4 rev $ctr32w, $rctr32w @ CTR block 5 orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 5 fmov $ctr1d, $ctr96_b64x @ CTR block 5 eor $output_h1, $output_h1, $rk12_h @ AES block 1 - round 12 high - +#ifdef __AARCH64EB__ + rev $output_h1, $output_h1 +#endif add $rctr32w, $rctr32w, #1 @ CTR block 5 fmov $ctr1.d[1], $ctr32x @ CTR block 5 eor $output_l0, $output_l0, $rk12_l @ AES block 0 - round 12 low - +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif rev $ctr32w, $rctr32w @ CTR block 6 eor $output_h0, $output_h0, $rk12_h @ AES block 0 - round 12 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif stp $output_l0, $output_h0, [$output_ptr], #16 @ AES block 0 - store result orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 6 @@ -3134,7 +3326,9 @@ aes_gcm_dec_192_kernel: aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 2 eor $output_h2, $output_h2, $rk12_h @ AES block 4k+2 - round 12 high - +#ifdef __AARCH64EB__ + rev $output_h2, $output_h2 +#endif aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 1 eor $t3.8b, $t3.8b, $res1.8b @ GHASH block 4k+1 - mid @@ -3148,7 +3342,9 @@ aes_gcm_dec_192_kernel: pmull $t3.1q, $t3.1d, $h34k.1d @ GHASH block 4k+1 - mid eor $acc_lb, $acc_lb, $t2.16b @ GHASH block 4k+1 - low eor $output_l2, $output_l2, $rk12_l @ AES block 4k+2 - round 12 low - +#ifdef __AARCH64EB__ + rev $output_l2, $output_l2 +#endif aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 4 aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 3 @@ -3226,15 +3422,17 @@ aes_gcm_dec_192_kernel: aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 10 aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 6 - ldr $res2q, [$input_ptr, #32] @ AES block 4k+6 - load ciphertext + ld1 {$res0b}, [$input_ptr], #16 @ AES block 4k+4 - load ciphertext aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 6 eor $acc_mb, $acc_mb, $t9.16b @ MODULO - karatsuba tidy up pmull $mod_t.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid - ldr $res3q, [$input_ptr, #48] @ AES block 4k+7 - load ciphertext + ld1 {$res1b}, [$input_ptr], #16 @ AES block 4k+5 - load ciphertext eor $output_l3, $output_l3, $rk12_l @ AES block 4k+3 - round 12 low - +#ifdef __AARCH64EB__ + rev $output_l3, $output_l3 +#endif aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 7 ext $acc_hb, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment @@ -3245,10 +3443,10 @@ aes_gcm_dec_192_kernel: eor $acc_mb, $acc_mb, $mod_t.16b @ MODULO - fold into mid aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 8 - ldr $res0q, [$input_ptr, #0] @ AES block 4k+4 - load ciphertext + ld1 {$res2b}, [$input_ptr], #16 @ AES block 4k+6 - load ciphertext aese $ctr1b, $rk11 @ AES block 4k+5 - round 11 - ldr $res1q, [$input_ptr, #16] @ AES block 4k+5 - load ciphertext + ld1 {$res3b}, [$input_ptr], #16 @ AES block 4k+7 - load ciphertext rev $ctr32w, $rctr32w @ CTR block 4k+8 aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 8 @@ -3257,11 +3455,13 @@ aes_gcm_dec_192_kernel: aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 9 eor $acc_mb, $acc_mb, $acc_hb @ MODULO - fold into mid - add $input_ptr, $input_ptr, #64 @ AES input_ptr update cmp $input_ptr, $main_end_input_ptr @ LOOP CONTROL eor $ctr0b, $res0b, $ctr0b @ AES block 4k+4 - result eor $output_h3, $output_h3, $rk12_h @ AES block 4k+3 - round 12 high +#ifdef __AARCH64EB__ + rev $output_h3, $output_h3 +#endif eor $ctr1b, $res1b, $ctr1b @ AES block 4k+5 - result aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 10 @@ -3291,18 +3491,28 @@ aes_gcm_dec_192_kernel: rev $ctr32w, $rctr32w @ CTR block 4k+9 eor $output_l0, $output_l0, $rk12_l @ AES block 4k+4 - round 12 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 4k+9 eor $acc_lb, $acc_lb, $mod_constant.16b @ MODULO - fold into low fmov $ctr1d, $ctr96_b64x @ CTR block 4k+9 add $rctr32w, $rctr32w, #1 @ CTR block 4k+9 eor $output_l1, $output_l1, $rk12_l @ AES block 4k+5 - round 12 low - +#ifdef __AARCH64EB__ + rev $output_l1, $output_l1 +#endif fmov $ctr1.d[1], $ctr32x @ CTR block 4k+9 rev $ctr32w, $rctr32w @ CTR block 4k+10 eor $output_h1, $output_h1, $rk12_h @ AES block 4k+5 - round 12 high - +#ifdef __AARCH64EB__ + rev $output_h1, $output_h1 +#endif eor $output_h0, $output_h0, $rk12_h @ AES block 4k+4 - round 12 high +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif stp $output_l0, $output_h0, [$output_ptr], #16 @ AES block 4k+4 - store result eor $acc_lb, $acc_lb, $acc_mb @ MODULO - fold into low @@ -3351,17 +3561,28 @@ aes_gcm_dec_192_kernel: pmull $t2.1q, $res1.1d, $h3.1d @ GHASH block 4k+1 - low eor $output_h3, $output_h3, $rk12_h @ AES block 4k+3 - round 12 high +#ifdef __AARCH64EB__ + rev $output_h3, $output_h3 +#endif fmov $ctr3.d[1], $ctr32x @ CTR block 4k+7 aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 2 eor $output_l2, $output_l2, $rk12_l @ AES block 4k+2 - round 12 low - +#ifdef __AARCH64EB__ + rev $output_l2, $output_l2 +#endif pmull2 $t1.1q, $res1.2d, $h3.2d @ GHASH block 4k+1 - high eor $output_h2, $output_h2, $rk12_h @ AES block 4k+2 - round 12 high +#ifdef __AARCH64EB__ + rev $output_h2, $output_h2 +#endif eor $t3.8b, $t3.8b, $res1.8b @ GHASH block 4k+1 - mid pmull $acc_m.1q, $t0.1d, $acc_m.1d @ GHASH block 4k - mid eor $output_l3, $output_l3, $rk12_l @ AES block 4k+3 - round 12 low +#ifdef __AARCH64EB__ + rev $output_l3, $output_l3 +#endif stp $output_l2, $output_h2, [$output_ptr], #16 @ AES block 4k+2 - store result rev64 $res3b, $res3b @ GHASH block 4k+3 @@ -3513,8 +3734,13 @@ aes_gcm_dec_192_kernel: cmp $main_end_input_ptr, #48 eor $output_h0, $output_h0, $rk12_h @ AES block 4k+4 - round 12 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif eor $output_l0, $output_l0, $rk12_l @ AES block 4k+4 - round 12 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif b.gt .L192_dec_blocks_more_than_3 movi $acc_l.8b, #0 @@ -3558,10 +3784,16 @@ aes_gcm_dec_192_kernel: pmull2 $acc_h.1q, $res0.2d, $h4.2d @ GHASH final-3 block - high eor $output_l0, $output_l0, $rk12_l @ AES final-2 block - round 12 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif movi $t0.8b, #0 @ suppress further partial tag feed in pmull $acc_m.1q, $rk4v.1d, $acc_m.1d @ GHASH final-3 block - mid eor $output_h0, $output_h0, $rk12_h @ AES final-2 block - round 12 high +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif .L192_dec_blocks_more_than_2: @ blocks left > 2 rev64 $res0b, $res1b @ GHASH final-2 block @@ -3591,8 +3823,13 @@ aes_gcm_dec_192_kernel: eor $acc_hb, $acc_hb, $rk2 @ GHASH final-2 block - high eor $output_h0, $output_h0, $rk12_h @ AES final-1 block - round 12 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif eor $output_l0, $output_l0, $rk12_l @ AES final-1 block - round 12 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-2 block - mid .L192_dec_blocks_more_than_1: @ blocks left > 1 @@ -3623,9 +3860,13 @@ aes_gcm_dec_192_kernel: movi $t0.8b, #0 @ suppress further partial tag feed in eor $acc_lb, $acc_lb, $rk3 @ GHASH final-1 block - low eor $output_h0, $output_h0, $rk12_h @ AES final block - round 12 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif eor $output_l0, $output_l0, $rk12_l @ AES final block - round 12 low - +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-1 block - mid .L192_dec_blocks_less_than_1: @ blocks left <= 1 @@ -3652,8 +3893,11 @@ aes_gcm_dec_192_kernel: orr $output_l0, $output_l0, $end_input_ptr mov $ctr0.d[1], $ctr96_b64x - +#ifndef __AARCH64EB__ rev $ctr32w, $rctr32w +#else + mov $ctr32w, $rctr32w +#endif and $res1b, $res1b, $ctr0b @ possibly partial last block has zeroes in highest bits str $ctr32w, [$counter, #12] @ store the updated counter @@ -3778,6 +4022,7 @@ my $mod_constant="v8"; my $mod_t="v7"; my ($rk0,$rk1,$rk2,$rk3,$rk4,$rk5,$rk6,$rk7,$rk8,$rk9,$rk10,$rk11,$rk12,$rk13)=map("v$_.16b",(18..31)); +my ($rk0s,$rk1s,$rk2s,$rk3s,$rk4s,$rk5s,$rk6s,$rk7s,$rk8s,$rk9s,$rk10s,$rk11s,$rk12s,$rk13s)=map("v$_.4s",(18..31)); my ($rk0q,$rk1q,$rk2q,$rk3q,$rk4q,$rk5q,$rk6q,$rk7q,$rk8q,$rk9q,$rk10q,$rk11q,$rk12q,$rk13q)=map("q$_",(18..31)); my $rk2q1="v20.1q"; my $rk3q1="v21.1q"; @@ -3812,14 +4057,22 @@ aes_gcm_enc_256_kernel: lsr $main_end_input_ptr, $bit_length, #3 @ byte_len mov $len, $main_end_input_ptr ldp $ctr96_b64x, $ctr96_t32x, [$counter] @ ctr96_b64, ctr96_t32 - +#ifdef __AARCH64EB__ + rev $ctr96_b64x, $ctr96_b64x + rev $ctr96_t32x, $ctr96_t32x +#endif + ldp $rk14_l, $rk14_h, [$cc, #224] @ load rk14 +#ifdef __AARCH64EB__ + ror $rk14_l, $rk14_l, #32 + ror $rk14_h, $rk14_h, #32 +#endif ld1 { $ctr0b}, [$counter] @ special case vector load initial counter so we can start first AES block as quickly as possible sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1 - ldr $rk0q, [$cc, #0] @ load rk0 + ld1 {$rk0s}, [$cc], #16 @ load rk0 and $main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffffc0 @ number of bytes to be processed in main loop (at least 1 byte must be handled by tail) - ldr $rk7q, [$cc, #112] @ load rk7 + ld1 {$rk1s}, [$cc], #16 @ load rk1 add $main_end_input_ptr, $main_end_input_ptr, $input_ptr lsr $rctr32x, $ctr96_t32x, #32 @@ -3838,14 +4091,14 @@ aes_gcm_enc_256_kernel: orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 1 add $rctr32w, $rctr32w, #1 @ CTR block 1 - ldr $rk1q, [$cc, #16] @ load rk1 + ld1 {$rk2s}, [$cc], #16 @ load rk2 fmov $ctr1.d[1], $ctr32x @ CTR block 1 rev $ctr32w, $rctr32w @ CTR block 2 add $rctr32w, $rctr32w, #1 @ CTR block 2 orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 2 - ldr $rk2q, [$cc, #32] @ load rk2 + ld1 {$rk3s}, [$cc], #16 @ load rk3 fmov $ctr2.d[1], $ctr32x @ CTR block 2 rev $ctr32w, $rctr32w @ CTR block 3 @@ -3856,46 +4109,48 @@ aes_gcm_enc_256_kernel: fmov $ctr3.d[1], $ctr32x @ CTR block 3 aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 - ldr $rk3q, [$cc, #48] @ load rk3 + ld1 {$rk4s}, [$cc], #16 @ load rk4 aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 - ldr $rk6q, [$cc, #96] @ load rk6 + ld1 {$rk5s}, [$cc], #16 @ load rk5 aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 - ldr $rk5q, [$cc, #80] @ load rk5 + ld1 {$rk6s}, [$cc], #16 @ load rk6 aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 ldr $h3q, [$current_tag, #80] @ load h3l | h3h +#ifndef __AARCH64EB__ ext $h3b, $h3b, $h3b, #8 - +#endif aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 - ldr $rk13q, [$cc, #208] @ load rk13 + ld1 {$rk7s}, [$cc], #16 @ load rk7 aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 - ldr $rk4q, [$cc, #64] @ load rk4 + ld1 {$rk8s}, [$cc], #16 @ load rk8 aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2 ldr $h2q, [$current_tag, #64] @ load h2l | h2h +#ifndef __AARCH64EB__ ext $h2b, $h2b, $h2b, #8 - +#endif aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 - ldr $rk12q, [$cc, #192] @ load rk12 + ld1 {$rk9s}, [$cc], #16 @ load rk9 aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 ldr $h4q, [$current_tag, #112] @ load h4l | h4h +#ifndef __AARCH64EB__ ext $h4b, $h4b, $h4b, #8 - +#endif aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 3 - ldr $rk11q, [$cc, #176] @ load rk11 + ld1 {$rk10s}, [$cc], #16 @ load rk10 aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 - ldr $rk8q, [$cc, #128] @ load rk8 + ld1 {$rk11s}, [$cc], #16 @ load rk11 aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3 add $rctr32w, $rctr32w, #1 @ CTR block 3 aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 3 - ldp $rk14_l, $rk14_h, [$cc, #224] @ load rk14 aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 3 ld1 { $acc_lb}, [$current_tag] @@ -3922,14 +4177,15 @@ aes_gcm_enc_256_kernel: trn2 $h34k.2d, $h3.2d, $h4.2d @ h4l | h3l aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 6 - ldr $rk9q, [$cc, #144] @ load rk9 + ld1 {$rk12s}, [$cc], #16 @ load rk12 aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 6 ldr $h1q, [$current_tag, #32] @ load h1l | h1h +#ifndef __AARCH64EB__ ext $h1b, $h1b, $h1b, #8 - +#endif aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 6 - ldr $rk10q, [$cc, #160] @ load rk10 + ld1 {$rk13s}, [$cc], #16 @ load rk13 aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 7 trn1 $acc_h.2d, $h3.2d, $h4.2d @ h4h | h3h @@ -3994,13 +4250,26 @@ aes_gcm_enc_256_kernel: b.ge .L256_enc_tail @ handle tail ldp $input_l1, $input_h1, [$input_ptr, #16] @ AES block 1 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l1, $input_l1 + rev $input_h1, $input_h1 +#endif rev $ctr32w, $rctr32w @ CTR block 4 ldp $input_l0, $input_h0, [$input_ptr, #0] @ AES block 0 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif ldp $input_l3, $input_h3, [$input_ptr, #48] @ AES block 3 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l3, $input_l3 + rev $input_h3, $input_h3 +#endif ldp $input_l2, $input_h2, [$input_ptr, #32] @ AES block 2 - load plaintext +#ifdef __AARCH64EB__ + rev $input_l2, $input_l2 + rev $input_h2, $input_h2 +#endif add $input_ptr, $input_ptr, #64 @ AES input_ptr update eor $input_l1, $input_l1, $rk14_l @ AES block 1 - round 14 low @@ -4078,10 +4347,16 @@ aes_gcm_enc_256_kernel: aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 1 ldp $input_l3, $input_h3, [$input_ptr, #48] @ AES block 4k+7 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l3, $input_l3 + rev $input_h3, $input_h3 +#endif aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 1 ldp $input_l2, $input_h2, [$input_ptr, #32] @ AES block 4k+6 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l2, $input_l2 + rev $input_h2, $input_h2 +#endif aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 2 eor $res0b, $res0b, $acc_lb @ PRE 1 @@ -4167,7 +4442,10 @@ aes_gcm_enc_256_kernel: aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 6 ldp $input_l1, $input_h1, [$input_ptr, #16] @ AES block 4k+5 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l1, $input_l1 + rev $input_h1, $input_h1 +#endif aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 8 mov $t9d, $res3.d[1] @ GHASH block 4k+3 - mid @@ -4197,7 +4475,10 @@ aes_gcm_enc_256_kernel: aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 8 ldp $input_l0, $input_h0, [$input_ptr, #0] @ AES block 4k+4 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 10 shl $mod_constantd, $mod_constantd, #56 @ mod_constant @@ -4492,7 +4773,10 @@ aes_gcm_enc_256_kernel: ext $t0.16b, $acc_lb, $acc_lb, #8 @ prepare final partial tag sub $main_end_input_ptr, $end_input_ptr, $input_ptr @ main_end_input_ptr is number of bytes left to process ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES block 4k+4 - load plaintext - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif eor $input_l0, $input_l0, $rk14_l @ AES block 4k+4 - round 14 low eor $input_h0, $input_h0, $rk14_h @ AES block 4k+4 - round 14 high @@ -4527,7 +4811,10 @@ aes_gcm_enc_256_kernel: st1 { $res1b}, [$output_ptr], #16 @ AES final-3 block - store result ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES final-2 block - load input low & high - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif rev64 $res0b, $res1b @ GHASH final-3 block eor $input_l0, $input_l0, $rk14_l @ AES final-2 block - round 14 low @@ -4556,7 +4843,10 @@ aes_gcm_enc_256_kernel: st1 { $res1b}, [$output_ptr], #16 @ AES final-2 block - store result ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES final-1 block - load input low & high - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif rev64 $res0b, $res1b @ GHASH final-2 block eor $input_l0, $input_l0, $rk14_l @ AES final-1 block - round 14 low @@ -4592,7 +4882,10 @@ aes_gcm_enc_256_kernel: rev64 $res0b, $res1b @ GHASH final-1 block ldp $input_l0, $input_h0, [$input_ptr], #16 @ AES final block - load input low & high - +#ifdef __AARCH64EB__ + rev $input_l0, $input_l0 + rev $input_h0, $input_h0 +#endif eor $res0b, $res0b, $t0.16b @ feed in partial tag movi $t0.8b, #0 @ suppress further partial tag feed in @@ -4653,7 +4946,11 @@ aes_gcm_enc_256_kernel: pmull2 $rk2q1, $res0.2d, $h1.2d @ GHASH final block - high mov $t0d, $res0.d[1] @ GHASH final block - mid +#ifndef __AARCH64EB__ rev $ctr32w, $rctr32w +#else + mov $ctr32w, $rctr32w +#endif pmull $rk3q1, $res0.1d, $h1.1d @ GHASH final block - low @@ -4743,21 +5040,29 @@ aes_gcm_dec_256_kernel: lsr $main_end_input_ptr, $bit_length, #3 @ byte_len mov $len, $main_end_input_ptr ldp $ctr96_b64x, $ctr96_t32x, [$counter] @ ctr96_b64, ctr96_t32 - - ldr $rk8q, [$cc, #128] @ load rk8 +#ifdef __AARCH64EB__ + rev $ctr96_b64x, $ctr96_b64x + rev $ctr96_t32x, $ctr96_t32x +#endif + ldp $rk14_l, $rk14_h, [$cc, #224] @ load rk14 +#ifdef __AARCH64EB__ + ror $rk14_h, $rk14_h, #32 + ror $rk14_l, $rk14_l, #32 +#endif + ld1 {$rk0s}, [$cc], #16 @ load rk0 sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1 - ldr $rk7q, [$cc, #112] @ load rk7 + ld1 {$rk1s}, [$cc], #16 @ load rk1 and $main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffffc0 @ number of bytes to be processed in main loop (at least 1 byte must be handled by tail) add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr - ldr $rk6q, [$cc, #96] @ load rk6 + ld1 {$rk2s}, [$cc], #16 @ load rk2 lsr $rctr32x, $ctr96_t32x, #32 - ldr $rk5q, [$cc, #80] @ load rk5 + ld1 {$rk3s}, [$cc], #16 @ load rk3 orr $ctr96_t32w, $ctr96_t32w, $ctr96_t32w - ldr $rk3q, [$cc, #48] @ load rk3 + ld1 {$rk4s}, [$cc], #16 @ load rk4 add $main_end_input_ptr, $main_end_input_ptr, $input_ptr rev $rctr32w, $rctr32w @ rev_ctr32 @@ -4782,34 +5087,39 @@ aes_gcm_dec_256_kernel: rev $ctr32w, $rctr32w @ CTR block 3 orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 3 - ldr $rk0q, [$cc, #0] @ load rk0 + ld1 {$rk5s}, [$cc], #16 @ load rk5 fmov $ctr3.d[1], $ctr32x @ CTR block 3 add $rctr32w, $rctr32w, #1 @ CTR block 3 - ldr $rk4q, [$cc, #64] @ load rk4 + ld1 {$rk6s}, [$cc], #16 @ load rk6 - ldr $rk13q, [$cc, #208] @ load rk13 + ld1 {$rk7s}, [$cc], #16 @ load rk7 - ldr $rk1q, [$cc, #16] @ load rk1 + ld1 {$rk8s}, [$cc], #16 @ load rk8 aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0 ldr $h3q, [$current_tag, #80] @ load h3l | h3h +#ifndef __AARCH64EB__ ext $h3b, $h3b, $h3b, #8 +#endif aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 ldr $h4q, [$current_tag, #112] @ load h4l | h4h +#ifndef __AARCH64EB__ ext $h4b, $h4b, $h4b, #8 +#endif aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 ldr $h2q, [$current_tag, #64] @ load h2l | h2h +#ifndef __AARCH64EB__ ext $h2b, $h2b, $h2b, #8 +#endif aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 - ldr $rk2q, [$cc, #32] @ load rk2 + ld1 {$rk9s}, [$cc], #16 @ load rk9 aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 1 - ldp $rk14_l, $rk14_h, [$cc, #224] @ load rk14 aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 ld1 { $acc_lb}, [$current_tag] @@ -4817,17 +5127,18 @@ aes_gcm_dec_256_kernel: rev64 $acc_lb, $acc_lb aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 - ldr $rk9q, [$cc, #144] @ load rk9 + ld1 {$rk10s}, [$cc], #16 @ load rk10 aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 - ldr $rk12q, [$cc, #192] @ load rk12 + ld1 {$rk11s}, [$cc], #16 @ load rk11 aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 ldr $h1q, [$current_tag, #32] @ load h1l | h1h +#ifndef __AARCH64EB__ ext $h1b, $h1b, $h1b, #8 - +#endif aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 - ldr $rk10q, [$cc, #160] @ load rk10 + ld1 {$rk12s}, [$cc], #16 @ load rk12 aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 @@ -4883,7 +5194,7 @@ aes_gcm_dec_256_kernel: aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 9 aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 8 - ldr $rk11q, [$cc, #176] @ load rk11 + ld1 {$rk13s}, [$cc], #16 @ load rk13 aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 9 @@ -4933,9 +5244,7 @@ aes_gcm_dec_256_kernel: aese $ctr0b, $rk13 @ AES block 0 - round 13 b.ge .L256_dec_tail @ handle tail - ldr $res0q, [$input_ptr, #0] @ AES block 0 - load ciphertext - - ldr $res1q, [$input_ptr, #16] @ AES block 1 - load ciphertext + ld1 {$res0b, $res1b}, [$input_ptr], #32 @ AES block 0,1 - load ciphertext rev $ctr32w, $rctr32w @ CTR block 4 @@ -4943,7 +5252,7 @@ aes_gcm_dec_256_kernel: eor $ctr1b, $res1b, $ctr1b @ AES block 1 - result rev64 $res1b, $res1b @ GHASH block 1 - ldr $res3q, [$input_ptr, #48] @ AES block 3 - load ciphertext + ld1 {$res2b}, [$input_ptr], #16 @ AES block 2 - load ciphertext mov $output_h0, $ctr0.d[1] @ AES block 0 - mov high @@ -4963,22 +5272,32 @@ aes_gcm_dec_256_kernel: orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 5 mov $output_h1, $ctr1.d[1] @ AES block 1 - mov high eor $output_h0, $output_h0, $rk14_h @ AES block 0 - round 14 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif eor $output_l0, $output_l0, $rk14_l @ AES block 0 - round 14 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif stp $output_l0, $output_h0, [$output_ptr], #16 @ AES block 0 - store result fmov $ctr1d, $ctr96_b64x @ CTR block 5 - ldr $res2q, [$input_ptr, #32] @ AES block 2 - load ciphertext - add $input_ptr, $input_ptr, #64 @ AES input_ptr update + ld1 {$res3b}, [$input_ptr], #16 @ AES block 3 - load ciphertext fmov $ctr1.d[1], $ctr32x @ CTR block 5 rev $ctr32w, $rctr32w @ CTR block 6 add $rctr32w, $rctr32w, #1 @ CTR block 6 eor $output_l1, $output_l1, $rk14_l @ AES block 1 - round 14 low +#ifdef __AARCH64EB__ + rev $output_l1, $output_l1 +#endif orr $ctr32x, $ctr96_t32x, $ctr32x, lsl #32 @ CTR block 6 eor $output_h1, $output_h1, $rk14_h @ AES block 1 - round 14 high +#ifdef __AARCH64EB__ + rev $output_h1, $output_h1 +#endif stp $output_l1, $output_h1, [$output_ptr], #16 @ AES block 1 - store result eor $ctr2b, $res2b, $ctr2b @ AES block 2 - result @@ -5021,7 +5340,9 @@ aes_gcm_dec_256_kernel: aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 3 eor $output_h2, $output_h2, $rk14_h @ AES block 4k+2 - round 14 high - +#ifdef __AARCH64EB__ + rev $output_h2, $output_h2 +#endif aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 1 mov $acc_md, $h34k.d[1] @ GHASH block 4k - mid @@ -5030,7 +5351,9 @@ aes_gcm_dec_256_kernel: aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 0 eor $output_l2, $output_l2, $rk14_l @ AES block 4k+2 - round 14 low - +#ifdef __AARCH64EB__ + rev $output_l2, $output_l2 +#endif aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 2 stp $output_l2, $output_h2, [$output_ptr], #16 @ AES block 4k+2 - store result @@ -5043,9 +5366,14 @@ aes_gcm_dec_256_kernel: pmull $acc_m.1q, $t0.1d, $acc_m.1d @ GHASH block 4k - mid eor $output_l3, $output_l3, $rk14_l @ AES block 4k+3 - round 14 low - +#ifdef __AARCH64EB__ + rev $output_l3, $output_l3 +#endif pmull $t2.1q, $res1.1d, $h3.1d @ GHASH block 4k+1 - low eor $output_h3, $output_h3, $rk14_h @ AES block 4k+3 - round 14 high +#ifdef __AARCH64EB__ + rev $output_h3, $output_h3 +#endif eor $acc_hb, $acc_hb, $t1.16b @ GHASH block 4k+1 - high aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 4 @@ -5139,7 +5467,7 @@ aes_gcm_dec_256_kernel: eor $t9.16b, $acc_lb, $acc_hb @ MODULO - karatsuba tidy up aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 9 - ldr $res0q, [$input_ptr, #0] @ AES block 4k+4 - load ciphertext + ld1 {$res0b}, [$input_ptr], #16 @ AES block 4k+4 - load ciphertext aese $ctr0b, $rk13 @ AES block 4k+4 - round 13 ext $acc_hb, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment @@ -5148,7 +5476,7 @@ aes_gcm_dec_256_kernel: eor $acc_mb, $acc_mb, $t9.16b @ MODULO - karatsuba tidy up aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 9 - ldr $res1q, [$input_ptr, #16] @ AES block 4k+5 - load ciphertext + ld1 {$res1b}, [$input_ptr], #16 @ AES block 4k+5 - load ciphertext aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 8 eor $ctr0b, $res0b, $ctr0b @ AES block 4k+4 - result @@ -5160,10 +5488,10 @@ aes_gcm_dec_256_kernel: eor $acc_mb, $acc_mb, $mod_t.16b @ MODULO - fold into mid aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 9 - ldr $res3q, [$input_ptr, #48] @ AES block 4k+7 - load ciphertext + ld1 {$res2b}, [$input_ptr], #16 @ AES block 4k+6 - load ciphertext aese $ctr1b, $rk12 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 12 - ldr $res2q, [$input_ptr, #32] @ AES block 4k+6 - load ciphertext + ld1 {$res3b}, [$input_ptr], #16 @ AES block 4k+7 - load ciphertext aese $ctr2b, $rk11 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 11 mov $output_h0, $ctr0.d[1] @ AES block 4k+4 - mov high @@ -5172,7 +5500,6 @@ aes_gcm_dec_256_kernel: eor $acc_mb, $acc_mb, $acc_hb @ MODULO - fold into mid aese $ctr1b, $rk13 @ AES block 4k+5 - round 13 - add $input_ptr, $input_ptr, #64 @ AES input_ptr update mov $output_l0, $ctr0.d[0] @ AES block 4k+4 - mov low aese $ctr2b, $rk12 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 12 @@ -5192,8 +5519,13 @@ aes_gcm_dec_256_kernel: add $rctr32w, $rctr32w, #1 @ CTR block 4k+9 eor $output_l0, $output_l0, $rk14_l @ AES block 4k+4 - round 14 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $output_h0, $output_h0, $rk14_h @ AES block 4k+4 - round 14 high - +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif mov $output_h1, $ctr1.d[1] @ AES block 4k+5 - mov high eor $ctr2b, $res2b, $ctr2b @ AES block 4k+6 - result eor $acc_lb, $acc_lb, $mod_constant.16b @ MODULO - fold into low @@ -5213,9 +5545,15 @@ aes_gcm_dec_256_kernel: rev64 $res1b, $res1b @ GHASH block 4k+5 eor $output_h1, $output_h1, $rk14_h @ AES block 4k+5 - round 14 high +#ifdef __AARCH64EB__ + rev $output_h1, $output_h1 +#endif stp $output_l0, $output_h0, [$output_ptr], #16 @ AES block 4k+4 - store result eor $output_l1, $output_l1, $rk14_l @ AES block 4k+5 - round 14 low +#ifdef __AARCH64EB__ + rev $output_l1, $output_l1 +#endif stp $output_l1, $output_h1, [$output_ptr], #16 @ AES block 4k+5 - store result rev64 $res0b, $res0b @ GHASH block 4k+4 @@ -5379,10 +5717,14 @@ aes_gcm_dec_256_kernel: aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 4k+4 - round 10 eor $output_h2, $output_h2, $rk14_h @ AES block 4k+2 - round 14 high - +#ifdef __AARCH64EB__ + rev $output_h2, $output_h2 +#endif aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 10 eor $output_l3, $output_l3, $rk14_l @ AES block 4k+3 - round 14 low - +#ifdef __AARCH64EB__ + rev $output_l3, $output_l3 +#endif aese $ctr2b, $rk11 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 11 eor $acc_mb, $acc_mb, $acc_hb @ MODULO - fold into mid @@ -5391,11 +5733,17 @@ aes_gcm_dec_256_kernel: aese $ctr1b, $rk11 \n aesmc $ctr1b, $ctr1b @ AES block 4k+5 - round 11 eor $output_l2, $output_l2, $rk14_l @ AES block 4k+2 - round 14 low +#ifdef __AARCH64EB__ + rev $output_l2, $output_l2 +#endif aese $ctr2b, $rk12 \n aesmc $ctr2b, $ctr2b @ AES block 4k+6 - round 12 pmull $mod_constant.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low eor $output_h3, $output_h3, $rk14_h @ AES block 4k+3 - round 14 high +#ifdef __AARCH64EB__ + rev $output_h3, $output_h3 +#endif aese $ctr3b, $rk11 \n aesmc $ctr3b, $ctr3b @ AES block 4k+7 - round 11 stp $output_l2, $output_h2, [$output_ptr], #16 @ AES block 4k+2 - store result @@ -5432,8 +5780,14 @@ aes_gcm_dec_256_kernel: cmp $main_end_input_ptr, #48 eor $output_l0, $output_l0, $rk14_l @ AES block 4k+4 - round 14 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $output_h0, $output_h0, $rk14_h @ AES block 4k+4 - round 14 high +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif b.gt .L256_dec_blocks_more_than_3 sub $rctr32w, $rctr32w, #1 @@ -5481,9 +5835,15 @@ aes_gcm_dec_256_kernel: pmull $acc_m.1q, $rk4v.1d, $acc_m.1d @ GHASH final-3 block - mid eor $output_l0, $output_l0, $rk14_l @ AES final-2 block - round 14 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif pmull $acc_l.1q, $res0.1d, $h4.1d @ GHASH final-3 block - low eor $output_h0, $output_h0, $rk14_h @ AES final-2 block - round 14 high +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif .L256_dec_blocks_more_than_2: @ blocks left > 2 rev64 $res0b, $res1b @ GHASH final-2 block @@ -5511,9 +5871,15 @@ aes_gcm_dec_256_kernel: eor $acc_hb, $acc_hb, $rk2 @ GHASH final-2 block - high eor $output_l0, $output_l0, $rk14_l @ AES final-1 block - round 14 low +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-2 block - mid eor $output_h0, $output_h0, $rk14_h @ AES final-1 block - round 14 high +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif .L256_dec_blocks_more_than_1: @ blocks left > 1 stp $output_l0, $output_h0, [$output_ptr], #16 @ AES final-1 block - store result @@ -5541,13 +5907,18 @@ aes_gcm_dec_256_kernel: pmull2 $rk4v.1q, $rk4v.2d, $h12k.2d @ GHASH final-1 block - mid eor $output_l0, $output_l0, $rk14_l @ AES final block - round 14 low - +#ifdef __AARCH64EB__ + rev $output_l0, $output_l0 +#endif eor $acc_lb, $acc_lb, $rk3 @ GHASH final-1 block - low eor $acc_hb, $acc_hb, $rk2 @ GHASH final-1 block - high eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-1 block - mid eor $output_h0, $output_h0, $rk14_h @ AES final block - round 14 high +#ifdef __AARCH64EB__ + rev $output_h0, $output_h0 +#endif .L256_dec_blocks_less_than_1: @ blocks left <= 1 and $bit_length, $bit_length, #127 @ bit_length %= 128 @@ -5573,7 +5944,11 @@ aes_gcm_dec_256_kernel: mov $ctr0.d[1], $ctr96_b64x bic $end_input_ptr, $end_input_ptr, $ctr32x @ mask out low existing bytes +#ifndef __AARCH64EB__ rev $ctr32w, $rctr32w +#else + mov $ctr32w, $rctr32w +#endif bic $main_end_input_ptr, $main_end_input_ptr, $ctr96_b64x @ mask out high existing bytes @@ -5714,7 +6089,7 @@ if ($flavour =~ /64/) { ######## 64-bit code if (s/^(\s+)mov\.([a-z]+)/$1mov$2/) { print " it $2\n"; } - + s/__AARCH64E([BL])__/__ARME$1__/go; print $_,"\n"; } } diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c index 01cde00e98b7..1a52000e6e9d 100644 --- a/crypto/objects/obj_dat.c +++ b/crypto/objects/obj_dat.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -443,6 +443,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) first = 1; bl = NULL; + /* + * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs: + * + * > 3.5. OBJECT IDENTIFIER values + * > + * > An OBJECT IDENTIFIER value is an ordered list of non-negative + * > numbers. For the SMIv2, each number in the list is referred to as a + * > sub-identifier, there are at most 128 sub-identifiers in a value, + * > and each sub-identifier has a maximum value of 2^32-1 (4294967295 + * > decimal). + * + * So a legitimate OID according to this RFC is at most (32 * 128 / 7), + * i.e. 586 bytes long. + * + * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 + */ + if (len > 586) + goto err; + while (len > 0) { l = 0; use_bn = 0; diff --git a/crypto/property/property.c b/crypto/property/property.c index 844c25cee936..b97861d4862f 100644 --- a/crypto/property/property.c +++ b/crypto/property/property.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -510,13 +510,14 @@ int ossl_method_store_fetch(OSSL_METHOD_STORE *store, int ret = 0; int j, best = -1, score, optional; -#ifndef FIPS_MODULE - if (!OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) + if (nid <= 0 || method == NULL || store == NULL) return 0; -#endif - if (nid <= 0 || method == NULL || store == NULL) +#ifndef FIPS_MODULE + if (ossl_lib_ctx_is_default(store->ctx) + && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) return 0; +#endif /* This only needs to be a read lock, because the query won't create anything */ if (!ossl_property_read_lock(store)) diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index f341d915db76..0fcf4fe3bc1e 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -272,7 +272,13 @@ void RAND_add(const void *buf, int num, double randomness) # endif drbg = RAND_get0_primary(NULL); if (drbg != NULL && num > 0) +# ifdef OPENSSL_RAND_SEED_NONE + /* Without an entropy source, we have to rely on the user */ + EVP_RAND_reseed(drbg, 0, buf, num, NULL, 0); +# else + /* With an entropy source, we downgrade this to additional input */ EVP_RAND_reseed(drbg, 0, NULL, 0, buf, num); +# endif } # if !defined(OPENSSL_NO_DEPRECATED_1_1_0) diff --git a/crypto/rsa/rsa_chk.c b/crypto/rsa/rsa_chk.c index cccc2d5bac2a..c2549188f556 100644 --- a/crypto/rsa/rsa_chk.c +++ b/crypto/rsa/rsa_chk.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -124,13 +124,17 @@ static int rsa_validate_keypair_multiprime(const RSA *key, BN_GENCB *cb) ret = -1; goto err; } + if (!BN_div(m, NULL, l, m, ctx)) { /* remainder is 0 */ + ret = -1; + goto err; + } for (idx = 0; idx < ex_primes; idx++) { pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx); if (!BN_sub(k, pinfo->r, BN_value_one())) { ret = -1; goto err; } - if (!BN_mul(l, l, k, ctx)) { + if (!BN_mul(l, m, k, ctx)) { ret = -1; goto err; } @@ -138,12 +142,12 @@ static int rsa_validate_keypair_multiprime(const RSA *key, BN_GENCB *cb) ret = -1; goto err; } + if (!BN_div(m, NULL, l, m, ctx)) { /* remainder is 0 */ + ret = -1; + goto err; + } } - if (!BN_div(k, NULL, l, m, ctx)) { /* remainder is 0 */ - ret = -1; - goto err; - } - if (!BN_mod_mul(i, key->d, key->e, k, ctx)) { + if (!BN_mod_mul(i, key->d, key->e, m, ctx)) { ret = -1; goto err; } diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c index 96fed3ca597c..0fc642e777fd 100644 --- a/crypto/rsa/rsa_ossl.c +++ b/crypto/rsa/rsa_ossl.c @@ -234,6 +234,7 @@ static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, * will only read the modulus from BN_BLINDING. In both cases it's safe * to access the blinding without a lock. */ + BN_set_flags(f, BN_FLG_CONSTTIME); return BN_BLINDING_invert_ex(f, unblind, b, ctx); } @@ -416,6 +417,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, goto err; } + if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, + rsa->n, ctx)) + goto err; + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { blinding = rsa_get_blinding(rsa, &local_blinding, ctx); if (blinding == NULL) { @@ -453,13 +459,6 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, goto err; } BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - - if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) - if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, - rsa->n, ctx)) { - BN_free(d); - goto err; - } if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, rsa->_method_mod_n)) { BN_free(d); @@ -469,20 +468,13 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, BN_free(d); } - if (blinding) { - /* - * ossl_bn_rsa_do_unblind() combines blinding inversion and - * 0-padded BN BE serialization - */ - j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx, - buf, num); - if (j == 0) - goto err; - } else { - j = BN_bn2binpad(ret, buf, num); - if (j < 0) + if (blinding) + if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) goto err; - } + + j = BN_bn2binpad(ret, buf, num); + if (j < 0) + goto err; switch (padding) { case RSA_PKCS1_PADDING: diff --git a/crypto/rsa/rsa_sp800_56b_gen.c b/crypto/rsa/rsa_sp800_56b_gen.c index df2240555bfd..f773d1e149de 100644 --- a/crypto/rsa/rsa_sp800_56b_gen.c +++ b/crypto/rsa/rsa_sp800_56b_gen.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -361,6 +361,7 @@ int ossl_rsa_sp800_56b_generate_key(RSA *rsa, int nbits, const BIGNUM *efixed, BN_CTX *ctx = NULL; BIGNUM *e = NULL; RSA_ACVP_TEST *info = NULL; + BIGNUM *tmp; #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) info = rsa->acvp_test; @@ -392,6 +393,14 @@ int ossl_rsa_sp800_56b_generate_key(RSA *rsa, int nbits, const BIGNUM *efixed, /* (Step 2) Generate prime factors */ if (!ossl_rsa_fips186_4_gen_prob_primes(rsa, info, nbits, e, ctx, cb)) goto err; + + /* p>q check and skipping in case of acvp test */ + if (info == NULL && BN_cmp(rsa->p, rsa->q) < 0) { + tmp = rsa->p; + rsa->p = rsa->q; + rsa->q = tmp; + } + /* (Steps 3-5) Compute params d, n, dP, dQ, qInv */ ok = ossl_rsa_sp800_56b_derive_params_from_pq(rsa, nbits, e, ctx); if (ok < 0) diff --git a/crypto/sm2/sm2_sign.c b/crypto/sm2/sm2_sign.c index 5861f420fb66..ff5be9b73e9f 100644 --- a/crypto/sm2/sm2_sign.c +++ b/crypto/sm2/sm2_sign.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2017 Ribose Inc. All Rights Reserved. * Ported from Ribose contributions from Botan. * @@ -454,7 +454,7 @@ int ossl_sm2_internal_sign(const unsigned char *dgst, int dgstlen, goto done; } - sigleni = i2d_ECDSA_SIG(s, &sig); + sigleni = i2d_ECDSA_SIG(s, sig != NULL ? &sig : NULL); if (sigleni < 0) { ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR); goto done; diff --git a/crypto/ui/ui_lib.c b/crypto/ui/ui_lib.c index 1ff8c6fa35f3..2ddf76cb5357 100644 --- a/crypto/ui/ui_lib.c +++ b/crypto/ui/ui_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -528,6 +528,10 @@ int UI_process(UI *ui) ok = 0; break; } + } else { + ui->flags &= ~UI_FLAG_REDOABLE; + ok = -2; + goto err; } } diff --git a/crypto/ui/ui_util.c b/crypto/ui/ui_util.c index 80297969ab1d..59b00b225adf 100644 --- a/crypto/ui/ui_util.c +++ b/crypto/ui/ui_util.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -32,7 +32,7 @@ int UI_UTIL_read_pw_string(char *buf, int length, const char *prompt, int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt, int verify) { - int ok = 0; + int ok = -2; UI *ui; if (size < 1) @@ -47,8 +47,6 @@ int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt, ok = UI_process(ui); UI_free(ui); } - if (ok > 0) - ok = 0; return ok; } diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h index 18b53cc09ebf..523f3e35feeb 100644 --- a/crypto/x509/pcy_local.h +++ b/crypto/x509/pcy_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { }; struct X509_POLICY_TREE_st { + /* The number of nodes in the tree */ + size_t node_count; + /* The maximum number of nodes in the tree */ + size_t node_maximum; + /* This is the tree 'level' data */ X509_POLICY_LEVEL *levels; int nlevel; @@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, X509_POLICY_DATA *data, X509_POLICY_NODE *parent, - X509_POLICY_TREE *tree); + X509_POLICY_TREE *tree, + int extra_data); void ossl_policy_node_free(X509_POLICY_NODE *node); int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c index 9d9a7ea1799c..9b77e6e95e05 100644 --- a/crypto/x509/pcy_node.c +++ b/crypto/x509/pcy_node.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level, X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, X509_POLICY_DATA *data, X509_POLICY_NODE *parent, - X509_POLICY_TREE *tree) + X509_POLICY_TREE *tree, + int extra_data) { X509_POLICY_NODE *node; + /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ + if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) + return NULL; + node = OPENSSL_zalloc(sizeof(*node)); if (node == NULL) { ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); @@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, } node->data = data; node->parent = parent; - if (level) { + if (level != NULL) { if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { if (level->anyPolicy) goto node_error; @@ -90,24 +95,33 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, } } - if (tree) { + if (extra_data) { if (tree->extra_data == NULL) tree->extra_data = sk_X509_POLICY_DATA_new_null(); if (tree->extra_data == NULL){ ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); - goto node_error; + goto extra_data_error; } if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) { ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); - goto node_error; + goto extra_data_error; } } + tree->node_count++; if (parent) parent->nchild++; return node; + extra_data_error: + if (level != NULL) { + if (level->anyPolicy == node) + level->anyPolicy = NULL; + else + (void) sk_X509_POLICY_NODE_pop(level->nodes); + } + node_error: ossl_policy_node_free(node); return NULL; diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c index fa45da5117a1..2012810303ed 100644 --- a/crypto/x509/pcy_tree.c +++ b/crypto/x509/pcy_tree.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -14,6 +14,19 @@ #include "pcy_local.h" +/* + * If the maximum number of nodes in the policy tree isn't defined, set it to + * a generous default of 1000 nodes. + * + * Defining this to be zero means unlimited policy tree growth which opens the + * door on CVE-2023-0464. + */ +#ifndef OPENSSL_POLICY_TREE_NODES_MAX +# define OPENSSL_POLICY_TREE_NODES_MAX 1000 +#endif + +static void exnode_free(X509_POLICY_NODE *node); + static void expected_print(BIO *channel, X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node, int indent) @@ -163,6 +176,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, return X509_PCY_TREE_INTERNAL; } + /* Limit the growth of the tree to mitigate CVE-2023-0464 */ + tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX; + /* * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3. * @@ -180,7 +196,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, if ((data = ossl_policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL) goto bad_tree; - if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) { + if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) { ossl_policy_data_free(data); goto bad_tree; } @@ -239,7 +255,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, * Return value: 1 on success, 0 otherwise */ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_DATA *data) + X509_POLICY_DATA *data, + X509_POLICY_TREE *tree) { X509_POLICY_LEVEL *last = curr - 1; int i, matched = 0; @@ -249,13 +266,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i); if (ossl_policy_node_match(last, node, data->valid_policy)) { - if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL) + if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL) return 0; matched = 1; } } if (!matched && last->anyPolicy) { - if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL) + if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL) return 0; } return 1; @@ -268,7 +285,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, * Return value: 1 on success, 0 otherwise. */ static int tree_link_nodes(X509_POLICY_LEVEL *curr, - const X509_POLICY_CACHE *cache) + const X509_POLICY_CACHE *cache, + X509_POLICY_TREE *tree) { int i; @@ -276,7 +294,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i); /* Look for matching nodes in previous level */ - if (!tree_link_matching_nodes(curr, data)) + if (!tree_link_matching_nodes(curr, data, tree)) return 0; } return 1; @@ -307,7 +325,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr, /* Curr may not have anyPolicy */ data->qualifier_set = cache->anyPolicy->qualifier_set; data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; - if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) { + if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) { ossl_policy_data_free(data); return 0; } @@ -370,7 +388,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, /* Finally add link to anyPolicy */ if (last->anyPolicy && ossl_policy_level_add_node(curr, cache->anyPolicy, - last->anyPolicy, NULL) == NULL) + last->anyPolicy, tree, 0) == NULL) return 0; return 1; } @@ -553,15 +571,23 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS | POLICY_DATA_FLAG_EXTRA_NODE; node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent, - tree); + tree, 1); + if (node == NULL) { + ossl_policy_data_free(extra); + return 0; + } } if (!tree->user_policies) { tree->user_policies = sk_X509_POLICY_NODE_new_null(); - if (!tree->user_policies) - return 1; + if (!tree->user_policies) { + exnode_free(node); + return 0; + } } - if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) + if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) { + exnode_free(node); return 0; + } } return 1; } @@ -580,7 +606,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree) for (i = 1; i < tree->nlevel; i++, curr++) { cache = ossl_policy_cache_set(curr->cert); - if (!tree_link_nodes(curr, cache)) + if (!tree_link_nodes(curr, cache, tree)) return X509_PCY_TREE_INTERNAL; if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c index f25bb41acb52..61d41117e2c0 100644 --- a/crypto/x509/x509_txt.c +++ b/crypto/x509/x509_txt.c @@ -179,7 +179,7 @@ const char *X509_verify_cert_error_string(long n) case X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH: return "subject signature algorithm and issuer public key algorithm mismatch"; case X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY: - return "cert info siganature and signature algorithm mismatch"; + return "cert info signature and signature algorithm mismatch"; case X509_V_ERR_INVALID_CA: return "invalid CA certificate"; case X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA: @@ -213,6 +213,11 @@ const char *X509_verify_cert_error_string(long n) case X509_V_ERR_EC_KEY_EXPLICIT_PARAMS: return "Certificate public key has explicit ECC parameters"; + /* + * Entries must be kept consistent with include/openssl/x509_vfy.h.in + * and with doc/man3/X509_STORE_CTX_get_error.pod + */ + default: /* Printing an error number into a static buffer is not thread-safe */ return "unknown certificate verification error"; diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 9384f1da9bad..d19efeaa9919 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx) goto memerr; /* Invalid or inconsistent extensions */ if (ret == X509_PCY_TREE_INVALID) { - int i; + int i, cbcalled = 0; /* Locate certificates with bad extensions and notify callback. */ - for (i = 1; i < sk_X509_num(ctx->chain); i++) { + for (i = 0; i < sk_X509_num(ctx->chain); i++) { X509 *x = sk_X509_value(ctx->chain, i); + if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0) + cbcalled = 1; CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0, ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION); } + if (!cbcalled) { + /* Should not be able to get here */ + ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); + return 0; + } + /* The callback ignored the error so we return success */ return 1; } if (ret == X509_PCY_TREE_FAILURE) { @@ -3413,7 +3421,7 @@ static int check_curve(X509 *cert) ret = EVP_PKEY_get_int_param(pkey, OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS, &val); - return ret < 0 ? ret : !val; + return ret == 1 ? !val : -1; } return 1; diff --git a/doc/build.info b/doc/build.info index ec8778f2ac69..00dc150721ac 100644 --- a/doc/build.info +++ b/doc/build.info @@ -4145,6 +4145,10 @@ DEPEND[html/man7/EVP_CIPHER-IDEA.html]=man7/EVP_CIPHER-IDEA.pod GENERATE[html/man7/EVP_CIPHER-IDEA.html]=man7/EVP_CIPHER-IDEA.pod DEPEND[man/man7/EVP_CIPHER-IDEA.7]=man7/EVP_CIPHER-IDEA.pod GENERATE[man/man7/EVP_CIPHER-IDEA.7]=man7/EVP_CIPHER-IDEA.pod +DEPEND[html/man7/EVP_CIPHER-NULL.html]=man7/EVP_CIPHER-NULL.pod +GENERATE[html/man7/EVP_CIPHER-NULL.html]=man7/EVP_CIPHER-NULL.pod +DEPEND[man/man7/EVP_CIPHER-NULL.7]=man7/EVP_CIPHER-NULL.pod +GENERATE[man/man7/EVP_CIPHER-NULL.7]=man7/EVP_CIPHER-NULL.pod DEPEND[html/man7/EVP_CIPHER-RC2.html]=man7/EVP_CIPHER-RC2.pod GENERATE[html/man7/EVP_CIPHER-RC2.html]=man7/EVP_CIPHER-RC2.pod DEPEND[man/man7/EVP_CIPHER-RC2.7]=man7/EVP_CIPHER-RC2.pod @@ -4289,6 +4293,10 @@ DEPEND[html/man7/EVP_MD-MDC2.html]=man7/EVP_MD-MDC2.pod GENERATE[html/man7/EVP_MD-MDC2.html]=man7/EVP_MD-MDC2.pod DEPEND[man/man7/EVP_MD-MDC2.7]=man7/EVP_MD-MDC2.pod GENERATE[man/man7/EVP_MD-MDC2.7]=man7/EVP_MD-MDC2.pod +DEPEND[html/man7/EVP_MD-NULL.html]=man7/EVP_MD-NULL.pod +GENERATE[html/man7/EVP_MD-NULL.html]=man7/EVP_MD-NULL.pod +DEPEND[man/man7/EVP_MD-NULL.7]=man7/EVP_MD-NULL.pod +GENERATE[man/man7/EVP_MD-NULL.7]=man7/EVP_MD-NULL.pod DEPEND[html/man7/EVP_MD-RIPEMD160.html]=man7/EVP_MD-RIPEMD160.pod GENERATE[html/man7/EVP_MD-RIPEMD160.html]=man7/EVP_MD-RIPEMD160.pod DEPEND[man/man7/EVP_MD-RIPEMD160.7]=man7/EVP_MD-RIPEMD160.pod @@ -4619,6 +4627,7 @@ html/man7/EVP_CIPHER-CAST.html \ html/man7/EVP_CIPHER-CHACHA.html \ html/man7/EVP_CIPHER-DES.html \ html/man7/EVP_CIPHER-IDEA.html \ +html/man7/EVP_CIPHER-NULL.html \ html/man7/EVP_CIPHER-RC2.html \ html/man7/EVP_CIPHER-RC4.html \ html/man7/EVP_CIPHER-RC5.html \ @@ -4655,6 +4664,7 @@ html/man7/EVP_MD-MD4.html \ html/man7/EVP_MD-MD5-SHA1.html \ html/man7/EVP_MD-MD5.html \ html/man7/EVP_MD-MDC2.html \ +html/man7/EVP_MD-NULL.html \ html/man7/EVP_MD-RIPEMD160.html \ html/man7/EVP_MD-SHA1.html \ html/man7/EVP_MD-SHA2.html \ @@ -4743,6 +4753,7 @@ man/man7/EVP_CIPHER-CAST.7 \ man/man7/EVP_CIPHER-CHACHA.7 \ man/man7/EVP_CIPHER-DES.7 \ man/man7/EVP_CIPHER-IDEA.7 \ +man/man7/EVP_CIPHER-NULL.7 \ man/man7/EVP_CIPHER-RC2.7 \ man/man7/EVP_CIPHER-RC4.7 \ man/man7/EVP_CIPHER-RC5.7 \ @@ -4779,6 +4790,7 @@ man/man7/EVP_MD-MD4.7 \ man/man7/EVP_MD-MD5-SHA1.7 \ man/man7/EVP_MD-MD5.7 \ man/man7/EVP_MD-MDC2.7 \ +man/man7/EVP_MD-NULL.7 \ man/man7/EVP_MD-RIPEMD160.7 \ man/man7/EVP_MD-SHA1.7 \ man/man7/EVP_MD-SHA2.7 \ diff --git a/doc/fingerprints.txt b/doc/fingerprints.txt index 4f95f2beaec8..9a26f7c66722 100644 --- a/doc/fingerprints.txt +++ b/doc/fingerprints.txt @@ -12,6 +12,9 @@ in the file named openssl-1.0.1h.tar.gz.asc. The following is the list of fingerprints for the keys that are currently in use to sign OpenSSL distributions: +OpenSSL OMC: +EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5 + Richard Levitte: 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C diff --git a/doc/internal/man3/ossl_cmp_certreq_new.pod b/doc/internal/man3/ossl_cmp_certreq_new.pod index 068e1b29b977..37a234066d36 100644 --- a/doc/internal/man3/ossl_cmp_certreq_new.pod +++ b/doc/internal/man3/ossl_cmp_certreq_new.pod @@ -30,8 +30,8 @@ ossl_cmp_error_new OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si, const OSSL_CRMF_CERTID *cid, int unprotectedErrors); - OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info, - const char *text); + OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int certReqId, + int fail_info, const char *text); OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx); OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid); OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid, int poll_after); @@ -124,8 +124,9 @@ It does not protect the message if the B<status> value in I<si> is B<rejected> and I<unprotectedErrors> is nonzero. ossl_cmp_certConf_new() creates a Certificate Confirmation message for the last -received certificate. PKIStatus defaults to B<accepted> if the I<fail_info> bit -field is 0. Else it is taken as the failInfo of the PKIStatusInfo, PKIStatus is +received certificate with the given I<certReqId>. +The PKIStatus defaults to B<accepted> if the I<fail_info> bit field is 0. +Otherwise it is taken as the failInfo of the PKIStatusInfo, PKIStatus is set to B<rejected>, and I<text> is copied to statusString unless it is NULL. ossl_cmp_pkiconf_new() creates a PKI Confirmation message. @@ -167,7 +168,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/ossl_cmp_mock_srv_new.pod b/doc/internal/man3/ossl_cmp_mock_srv_new.pod index 837ca06bb34c..7bc449a84352 100644 --- a/doc/internal/man3/ossl_cmp_mock_srv_new.pod +++ b/doc/internal/man3/ossl_cmp_mock_srv_new.pod @@ -8,7 +8,7 @@ ossl_cmp_mock_srv_set1_certOut, ossl_cmp_mock_srv_set1_chainOut, ossl_cmp_mock_srv_set1_caPubsOut, ossl_cmp_mock_srv_set_statusInfo, -ossl_cmp_mock_srv_set_send_error, +ossl_cmp_mock_srv_set_sendError, ossl_cmp_mock_srv_set_pollCount, ossl_cmp_mock_srv_set_checkAfterTime - functions used for testing with CMP mock server @@ -27,7 +27,7 @@ ossl_cmp_mock_srv_set_checkAfterTime STACK_OF(X509) *caPubs); int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status, int fail_info, const char *text); - int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val); + int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype); int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count); int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec); @@ -39,25 +39,27 @@ I<propq>, both of which may be NULL to select the defaults. ossl_cmp_mock_srv_free() deallocates the contexts for the CMP mock server. -OSSL_CMP_SRV_CTX_set1_certOut() sets the certificate to be returned in +ossl_cmp_mock_srv_set1_certOut() sets the certificate to be returned in cp/ip/kup. -OSSL_CMP_SRV_CTX_set1_chainOut() sets the certificate chain to be added to +ossl_cmp_mock_srv_set1_chainOut() sets the certificate chain to be added to the extraCerts in a cp/ip/kup. -It should to useful to validate B<certOut>. +It should be useful for the validation of the certificate given via +ossl_cmp_mock_srv_set1_certOut(). -OSSL_CMP_SRV_CTX_set1_caPubsOut() sets the caPubs to be returned in an ip. +ossl_cmp_mock_srv_set1_caPubsOut() sets the caPubs to be returned in an ip. -OSSL_CMP_SRV_CTX_set_statusInfo() sets the status info to be returned. +ossl_cmp_mock_srv_set_statusInfo() sets the status info to be returned. -OSSL_CMP_SRV_CTX_set_send_error() enables enforcement of error responses. +ossl_cmp_mock_srv_set_sendError() enables enforcement of error responses +for requests of the given I<bodytype>, or for all requests if I<bodytype> is 1. +A I<bodytype> of -1 can be used to disable this feature, which is the default. -OSSL_CMP_SRV_CTX_set_pollCount() sets the number of polls before cert response. +ossl_cmp_mock_srv_set_pollCount() sets the number of polls before cert response. -OSSL_CMP_SRV_CTX_set_checkAfterTime() sets the number of seconds +ossl_cmp_mock_srv_set_checkAfterTime() sets the number of seconds the client should wait for the next poll. - =head1 NOTES CMP is defined in RFC 4210 (and CRMF in RFC 4211). @@ -77,7 +79,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/ossl_cmp_msg_protect.pod b/doc/internal/man3/ossl_cmp_msg_protect.pod index ae7771280763..744fbce576ca 100644 --- a/doc/internal/man3/ossl_cmp_msg_protect.pod +++ b/doc/internal/man3/ossl_cmp_msg_protect.pod @@ -25,7 +25,7 @@ using the credentials, library context, and property criteria in the I<ctx>. ossl_cmp_msg_protect() (re-)protects the given message I<msg> using an algorithm depending on the available context information given in the I<ctx>. If there is a secretValue it selects PBMAC, else if there is a protection cert -it selects Signature and uses L<ossl_cmp_msg_add_extraCerts(3)>. +it selects Signature and uses ossl_cmp_msg_add_extraCerts (see below). It also sets the protectionAlg field in the message header accordingly. ossl_cmp_msg_add_extraCerts() adds elements to the extraCerts field in I<msg>. @@ -40,6 +40,10 @@ of the chain, i.e, the trust anchor (unless it is part of extraCertsOut). CMP is defined in RFC 4210 (and CRMF in RFC 4211). +The I<ctx> parameter of ossl_cmp_msg_add_extraCerts() +and thus also of ossl_cmp_msg_protect() cannot be made I<const> +because I<ctx->chain> may get adapted to cache the chain of the CMP signer cert. + =head1 RETURN VALUES ossl_cmp_calc_protection() returns the protection on success, else NULL. @@ -52,7 +56,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/ossl_cmp_pkisi_get_status.pod b/doc/internal/man3/ossl_cmp_pkisi_get_status.pod index 21f6f90b39d3..e44bfd3f0190 100644 --- a/doc/internal/man3/ossl_cmp_pkisi_get_status.pod +++ b/doc/internal/man3/ossl_cmp_pkisi_get_status.pod @@ -43,8 +43,8 @@ ossl_cmp_pkisi_check_pkifailureinfo # define OSSL_CMP_PKIFAILUREINFO_duplicateCertReq 26 # define OSSL_CMP_PKIFAILUREINFO_MAX 26 - X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep, - const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey); + X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx, + const OSSL_CMP_CERTRESPONSE *crep); int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si); const char *ossl_cmp_PKIStatus_to_string(int status); OSSL_CMP_PKIFREETEXT *ossl_cmp_pkisi_get0_statusString(const OSSL_CMP_PKISI *si); @@ -55,7 +55,7 @@ ossl_cmp_pkisi_check_pkifailureinfo ossl_cmp_certresponse_get1_cert() returns a pointer to a copy of the newly enrolled certificate from the given certResponse I<crep>, or NULL on error. -In case of indirect POPO uses data from the I<ctx> and the private key I<pkey>. +Uses data from I<ctx>, which in case of indirect POPO includes the private key. ossl_cmp_pkisi_get_status() returns the PKIStatus of I<si>, or -1 on error. @@ -89,7 +89,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 77e82091413b..4250deb426fc 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -248,12 +248,16 @@ e.g., C<1.2.3.4:int:56789>. =item B<-newkey> I<filename>|I<uri> -The source of the private or public key for the certificate requested -in Initialization Request (IR), Certification Request(CR), or -Key Update Request (KUR). +The source of the private or public key for the certificate being requested. Defaults to the public key in the PKCS#10 CSR given with the B<-csr> option, the public key of the reference certificate, or the current client key. +The public portion of the key is placed in the certification request. + +Unless B<-cmd> I<p10cr>, B<-popo> I<-1>, or B<-popo> I<0> is given, the +private key will be needed as well to provide the proof of possession (POPO), +where the B<-key> option may provide a fallback. + =item B<-newkeypass> I<arg> Pass phrase source for the key given with the B<-newkey> option. @@ -344,7 +348,7 @@ Flag the policies given with B<-policy_oids> as critical. =item B<-popo> I<number> -Proof-of-Possession (POPO) method to use for IR/CR/KUR; values: C<-1>..<2> where +Proof-of-possession (POPO) method to use for IR/CR/KUR; values: C<-1>..<2> where C<-1> = NONE, C<0> = RAVERIFIED, C<1> = SIGNATURE (default), C<2> = KEYENC. Note that a signature-based POPO can only be produced if a private key @@ -354,15 +358,22 @@ is provided via the B<-newkey> or B<-key> options. PKCS#10 CSR in PEM or DER format containing a certificate request. With B<-cmd> I<p10cr> it is used directly in a legacy P10CR message. + When used with B<-cmd> I<ir>, I<cr>, or I<kur>, -it is transformed into the respective regular CMP request, -while its public key is ignored if I<-newkey> is given. -It may also be used with B<-cmd> I<rr> to specify the certificate to be revoked +it is transformed into the respective regular CMP request. +In this case, a private key must be provided (with B<-newkey> or B<-key>) +for the proof of possession (unless B<-popo> I<-1> or B<-popo> I<0> is used) +and the respective public key is placed in the certification request +(rather than taking over the public key contained in the PKCS#10 CSR). + +PKCS#10 CSR input may also be used with B<-cmd> I<rr> +to specify the certificate to be revoked via the included subject name and public key. =item B<-out_trusted> I<filenames>|I<uris> Trusted certificate(s) to use for validating the newly enrolled certificate. +During this verification, any certificate status checking is disabled. Multiple sources may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). @@ -408,6 +419,7 @@ For RR the certificate to be revoked can also be specified using B<-csr>. The reference certificate, if any, is also used for deriving default subject DN and Subject Alternative Names and the default issuer entry in the requested certificate template of an IR/CR/KUR. +Its public key is used as a fallback in the template of certification requests. Its subject is used as sender of outgoing messages if B<-cert> is not given. Its issuer is used as default recipient in CMP message headers if neither B<-recipient>, B<-srvcert>, nor B<-issuer> is given. @@ -443,7 +455,8 @@ Reason numbers defined in RFC 5280 are: The DNS hostname or IP address and optionally port of the CMP server to connect to using HTTP(S). -This excludes I<-port> and I<-use_mock_srv> and is ignored with I<-rspin>. +This option excludes I<-port> and I<-use_mock_srv>. +It is ignored if I<-rspin> is given with enough filename arguments. The scheme C<https> may be given only if the B<-tls_used> option is used. In this case the default port is 443, else 80. @@ -523,15 +536,15 @@ Default is 0. =item B<-trusted> I<filenames>|I<uris> -When validating signature-based protection of CMP response messages, -these are the CA certificate(s) to trust while checking certificate chains -during CMP server authentication. -This option gives more flexibility than the B<-srvcert> option because the -server-side CMP signer certificate is not pinned but may be any certificate -for which a chain to one of the given trusted certificates can be constructed. +The certificate(s), typically of root CAs, the client shall use as trust anchors +when validating signature-based protection of CMP response messages. +This option is ignored if the B<-srvcert> option is given as well. +It provides more flexibility than B<-srvcert> because the CMP protection +certificate of the server is not pinned but may be any certificate +from which a chain to one of the given trust anchors can be constructed. -If no B<-trusted>, B<-srvcert>, and B<-secret> option is given -then protected response messages from the server are not authenticated. +If none of B<-trusted>, B<-srvcert>, and B<-secret> is given, message validation +errors will be thrown unless B<-unprotected_errors> permits an exception. Multiple sources may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). @@ -546,24 +559,24 @@ have no effect on the certificate verification enabled via this option. Non-trusted intermediate CA certificate(s). Any extra certificates given with the B<-cert> option are appended to it. All these certificates may be useful for cert path construction -for the CMP client certificate (to include in the extraCerts field of outgoing -messages) and for the TLS client certificate (if TLS is enabled) +for the own CMP signer certificate (to include in the extraCerts field of +request messages) and for the TLS client certificate (if TLS is enabled) as well as for chain building -when validating the CMP server certificate (checking signature-based +when validating server certificates (checking signature-based CMP message protection) and when validating newly enrolled certificates. -Multiple sources may be given, separated by commas and/or whitespace. -Each file may contain multiple certificates. +Multiple filenames or URLs may be given, separated by commas and/or whitespace. +Each source may contain multiple certificates. =item B<-srvcert> I<filename>|I<uri> The specific CMP server certificate to expect and directly trust (even if it is -expired) when validating signature-based protection of CMP response messages. -May be set alternatively to the B<-trusted> option to pin the accepted server. +expired) when verifying signature-based protection of CMP response messages. +This pins the accepted server and results in ignoring the B<-trusted> option. If set, the subject of the certificate is also used as default value for the recipient of CMP requests -and as default value for the expected sender of incoming CMP messages. +and as default value for the expected sender of CMP responses. =item B<-expect_sender> I<name> @@ -583,8 +596,8 @@ For details see the description of the B<-subject> option. =item B<-ignore_keyusage> Ignore key usage restrictions in CMP signer certificates when validating -signature-based protection of incoming CMP messages, -else C<digitalSignature> must be allowed for signer certificate. +signature-based protection of incoming CMP messages. +By default, C<digitalSignature> must be allowed by CMP signer certificates. =item B<-unprotected_errors> @@ -659,17 +672,25 @@ L<openssl-passphrase-options(1)>. The client's current CMP signer certificate. Requires the corresponding key to be given with B<-key>. + +The subject and the public key contained in this certificate +serve as fallback values in the certificate template of IR/CR/KUR messages. + The subject of this certificate will be used as sender of outgoing CMP messages, while the subject of B<-oldcert> or B<-subjectName> may provide fallback values. + The issuer of this certificate is used as one of the recipient fallback values -and as fallback issuer entry in the certificate template of IR/CR/KUR. +and as fallback issuer entry in the certificate template of IR/CR/KUR messages. + When using signature-based message protection, this "protection certificate" will be included first in the extraCerts field of outgoing messages and the signature is done with the corresponding key. In Initialization Request (IR) messages this can be used for authenticating using an external entity certificate as defined in appendix E.7 of RFC 4210. + For Key Update Request (KUR) messages this is also used as the certificate to be updated if the B<-oldcert> option is not given. + If the file includes further certs, they are appended to the untrusted certs because they typically constitute the chain of the client certificate, which is included in the extraCerts field in signature-protected request messages. @@ -695,6 +716,8 @@ the B<-cert> option. This will be used for signature-based message protection unless the B<-secret> option indicating PBM or B<-unprotected_requests> is given. +It is also used as a fallback for the B<-newkey> option with IR/CR/KUR messages. + =item B<-keypass> I<arg> Pass phrase source for the private key given with the B<-key> option. @@ -709,7 +732,7 @@ L<openssl-passphrase-options(1)>. Specifies name of supported digest to use in RFC 4210's MSG_SIG_ALG and as the one-way function (OWF) in MSG_MAC_ALG. If applicable, this is used for message protection and -Proof-of-Possession (POPO) signatures. +proof-of-possession (POPO) signatures. To see the list of supported digests, use C<openssl list -digest-commands>. Defaults to C<sha256>. @@ -732,7 +755,7 @@ Each source may contain multiple certificates. =item B<-unprotected_requests> -Send messages without CMP-level protection. +Send request messages without CMP-level protection. =back @@ -801,11 +824,14 @@ B<-tls_key>. =item B<-tls_used> -Enable using TLS (even when other TLS_related options are not set) -when connecting to CMP server via HTTP. -This option is not supported with the I<-port> option -and is ignored with the I<-use_mock_srv> and I<-rspin> options -or if the I<-server> option is not given. +Enable using TLS (even when other TLS-related options are not set) +for message exchange with CMP server via HTTP. +This option is not supported with the I<-port> option. +It is ignored if the I<-server> option is not given or I<-use_mock_srv> is given +or I<-rspin> is given with enough filename arguments. + +The following TLS-related options are ignored +if B<-tls_used> is not given or does not take effect. =item B<-tls_cert> I<filename>|I<uri> @@ -867,46 +893,71 @@ Default is one invocation. =item B<-reqin> I<filenames> -Take sequence of CMP requests from file(s). +Take the sequence of CMP requests to send to the server from the given file(s) +rather than from the sequence of requests produced internally. + +This option is ignored if the B<-rspin> option is given +because in the latter case no requests are actually sent. Multiple filenames may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). -As many files are read as needed for a complete transaction. + +The files are read as far as needed to complete the transaction +and filenames have been provided. If more requests are needed, +the remaining ones are taken from the items at the respective position +in the sequence of requests produced internally. + +The client needs to update the recipNonce field in the given requests (except +for the first one) in order to satisfy the checks to be performed by the server. +This causes re-protection (if protecting requests is required). =item B<-reqin_new_tid> Use a fresh transactionID for CMP request messages read using B<-reqin>, -which requires re-protecting them as far as they were protected before. +which causes their reprotection (if protecting requests is required). This may be needed in case the sequence of requests is reused and the CMP server complains that the transaction ID has already been used. =item B<-reqout> I<filenames> -Save sequence of CMP requests to file(s). +Save the sequence of CMP requests created by the client to the given file(s). +These requests are not sent to the server if the B<-reqin> option is used, too. Multiple filenames may be given, separated by commas and/or whitespace. -As many files are written as needed to store the complete transaction. + +Files are written as far as needed to save the transaction +and filenames have been provided. +If the transaction contains more requests, the remaining ones are not saved. =item B<-rspin> I<filenames> -Process sequence of CMP responses provided in file(s), skipping server. -This excludes I<-server>, I<-port>, and I<-use_mock_srv>. +Process the sequence of CMP responses provided in the given file(s), +not contacting any given server, +as long as enough filenames are provided to complete the transaction. Multiple filenames may be given, separated by commas and/or whitespace. -As many files are read as needed for the complete transaction. + +Any server specified via the I<-server> or I<-use_mock_srv> options is contacted +only if more responses are needed to complete the transaction. +In this case the transaction will fail +unless the server has been prepared to continue the already started transaction. =item B<-rspout> I<filenames> -Save sequence of CMP responses to file(s). +Save the sequence of actually used CMP responses to the given file(s). +These have been received from the server unless B<-rspin> takes effect. Multiple filenames may be given, separated by commas and/or whitespace. -As many files are written as needed to store the complete transaction. + +Files are written as far as needed to save the responses +contained in the transaction and filenames have been provided. +If the transaction contains more responses, the remaining ones are not saved. =item B<-use_mock_srv> Test the client using the internal CMP server mock-up at API level, bypassing socket-based transfer via HTTP. -This excludes I<-server>, I<-port>, and I<-rspin>. +This excludes the B<-server> and B<-port> options. =back @@ -917,7 +968,9 @@ This excludes I<-server>, I<-port>, and I<-rspin>. =item B<-port> I<number> Act as HTTP-based CMP server mock-up listening on the given port. -This excludes I<-server>, I<-rspin>, and I<-use_mock_srv>. +This excludes the B<-server> and B<-use_mock_srv> options. +The B<-rspin>, B<-rspout>, B<-reqin>, and B<-reqout> options +so far are not supported in this mode. =item B<-max_msgs> I<number> @@ -1022,10 +1075,11 @@ Accept missing or invalid protection of requests. =item B<-accept_unprot_err> Accept unprotected error messages from client. +So far this has no effect because the server does not accept any error messages. =item B<-accept_raverified> -Accept RAVERIFED as proof-of-possession (POPO). +Accept RAVERIFED as proof of possession (POPO). =back diff --git a/doc/man1/openssl-enc.pod.in b/doc/man1/openssl-enc.pod.in index fdfa7f67d3ee..e6d5103bd91a 100644 --- a/doc/man1/openssl-enc.pod.in +++ b/doc/man1/openssl-enc.pod.in @@ -129,7 +129,8 @@ This option enables the use of PBKDF2 algorithm to derive the key. =item B<-pbkdf2> -Use PBKDF2 algorithm with default iteration count unless otherwise specified. +Use PBKDF2 algorithm with a default iteration count of 10000 +unless otherwise specified by the B<-iter> command line option. =item B<-nosalt> diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index 869e8e5ad8a1..201428e87004 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod @@ -568,10 +568,12 @@ When a specific TLS version is required, only that version will be offered or accepted. Only one specific protocol can be given and it cannot be combined with any of the B<no_> options. +The B<no_*> options do not work with B<s_time> and B<ciphers> commands but work with +B<s_client> and B<s_server> commands. =item B<-dtls>, B<-dtls1>, B<-dtls1_2> -These options specify to use DTLS instead of DLTS. +These options specify to use DTLS instead of TLS. With B<-dtls>, clients will negotiate any supported DTLS protocol version. Use the B<-dtls1> or B<-dtls1_2> options to support only DTLS1.0 or DTLS1.2, respectively. @@ -831,7 +833,7 @@ that program with no arguments is now equivalent to C<openssl help>. =head1 COPYRIGHT -Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/ASN1_STRING_new.pod b/doc/man3/ASN1_STRING_new.pod index ff20de73b7b9..642b6f47777b 100644 --- a/doc/man3/ASN1_STRING_new.pod +++ b/doc/man3/ASN1_STRING_new.pod @@ -27,7 +27,7 @@ If I<a> is NULL nothing is done. =head1 NOTES Other string types call the B<ASN1_STRING> functions. For example -ASN1_OCTET_STRING_new() calls ASN1_STRING_type(V_ASN1_OCTET_STRING). +ASN1_OCTET_STRING_new() calls ASN1_STRING_type_new(V_ASN1_OCTET_STRING). =head1 RETURN VALUES @@ -42,7 +42,7 @@ L<ERR_get_error(3)> =head1 COPYRIGHT -Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/CMS_EncryptedData_decrypt.pod b/doc/man3/CMS_EncryptedData_decrypt.pod index 17850a98af3f..3aa3f474fc5a 100644 --- a/doc/man3/CMS_EncryptedData_decrypt.pod +++ b/doc/man3/CMS_EncryptedData_decrypt.pod @@ -21,10 +21,10 @@ to and I<flags> is an optional set of flags. I<dcont> is used in the rare case where the encrypted content is detached. It will normally be set to NULL. -The following flags can be passed in the B<flags> parameter. +The following flags can be passed in the I<flags> parameter. -If the B<CMS_TEXT> flag is set MIME headers for type B<text/plain> are deleted -from the content. If the content is not of type B<text/plain> then an error is +If the B<CMS_TEXT> flag is set MIME headers for type C<text/plain> are deleted +from the content. If the content is not of type C<text/plain> then an error is returned. =head1 RETURN VALUES @@ -39,7 +39,7 @@ L<ERR_get_error(3)>, L<CMS_EncryptedData_encrypt(3)> =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/CMS_add0_cert.pod b/doc/man3/CMS_add0_cert.pod index 734db9f7b972..8908ff2f1fc0 100644 --- a/doc/man3/CMS_add0_cert.pod +++ b/doc/man3/CMS_add0_cert.pod @@ -20,6 +20,8 @@ CMS_add0_cert, CMS_add1_cert, CMS_get1_certs, CMS_add0_crl, CMS_add1_crl, CMS_ge =head1 DESCRIPTION CMS_add0_cert() and CMS_add1_cert() add certificate I<cert> to I<cms>. +This is used by L<CMS_sign_ex(3)> and L<CMS_sign(3)> and may be used before +calling L<CMS_verify(3)> to help chain building in certificate validation. I<cms> must be of type signed data or (authenticated) enveloped data. For signed data, such a certificate can be used when signing or verifying to fill in the signer certificate or to provide an extra CA certificate @@ -29,7 +31,8 @@ CMS_get1_certs() returns all certificates in I<cms>. CMS_add0_crl() and CMS_add1_crl() add CRL I<crl> to I<cms>. I<cms> must be of type signed data or (authenticated) enveloped data. -For signed data, such a CRL may be used in certificate validation. +For signed data, such a CRL may be used in certificate validation +with L<CMS_verify(3)>. It may be given both for inclusion when signing a CMS message and when verifying a signed CMS message. @@ -48,8 +51,7 @@ As the I<0> implies CMS_add0_cert() adds I<cert> internally to I<cms> and it must not be freed up after the call as opposed to CMS_add1_cert() where I<cert> must be freed up. -The same certificate or CRL must not be added to the same cms structure more -than once. +The same certificate must not be added to the same cms structure more than once. =head1 RETURN VALUES @@ -63,12 +65,12 @@ in practice is if the I<cms> type is invalid. =head1 SEE ALSO L<ERR_get_error(3)>, -L<CMS_sign(3)>, +L<CMS_sign(3)>, L<CMS_sign_ex(3)>, L<CMS_verify(3)>, L<CMS_encrypt(3)> =head1 COPYRIGHT -Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/CMS_decrypt.pod b/doc/man3/CMS_decrypt.pod index 4f8d32fbbb24..75c33a91d176 100644 --- a/doc/man3/CMS_decrypt.pod +++ b/doc/man3/CMS_decrypt.pod @@ -2,8 +2,9 @@ =head1 NAME -CMS_decrypt, CMS_decrypt_set1_pkey_and_peer, CMS_decrypt_set1_pkey - decrypt -content from a CMS envelopedData structure +CMS_decrypt, CMS_decrypt_set1_pkey_and_peer, +CMS_decrypt_set1_pkey, CMS_decrypt_set1_password +- decrypt content from a CMS envelopedData structure =head1 SYNOPSIS @@ -14,23 +15,41 @@ content from a CMS envelopedData structure int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, X509 *peer); int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert); + int CMS_decrypt_set1_password(CMS_ContentInfo *cms, + unsigned char *pass, ossl_ssize_t passlen); =head1 DESCRIPTION -CMS_decrypt() extracts and decrypts the content from a CMS EnvelopedData -or AuthEnvelopedData structure. B<pkey> is the private key of the recipient, -B<cert> is the recipient's certificate, B<out> is a BIO to write the content to -and B<flags> is an optional set of flags. - -The B<dcont> parameter is used in the rare case where the encrypted content +CMS_decrypt() extracts the decrypted content from a CMS EnvelopedData +or AuthEnvelopedData structure. +It uses CMS_decrypt_set1_pkey() to decrypt the content +with the recipient private key I<pkey> if I<pkey> is not NULL. +In this case, it is recommended to provide the associated certificate +in I<cert> - see the NOTES below. +I<out> is a BIO to write the content to and +I<flags> is an optional set of flags. +If I<pkey> is NULL the function assumes that decryption was already done +(e.g., using CMS_decrypt_set1_pkey() or CMS_decrypt_set1_password()) and just +provides the content unless I<cert>, I<dcont>, and I<out> are NULL as well. +The I<dcont> parameter is used in the rare case where the encrypted content is detached. It will normally be set to NULL. -CMS_decrypt_set1_pkey_and_peer() associates the private key B<pkey>, the -corresponding certificate B<cert> and the originator certificate B<peer> with -the CMS_ContentInfo structure B<cms>. +CMS_decrypt_set1_pkey_and_peer() decrypts the CMS_ContentInfo structure I<cms> +using the private key I<pkey>, the corresponding certificate I<cert>, which is +recommended to be supplied but may be NULL, +and the (optional) originator certificate I<peer>. +On success, it also records in I<cms> the decryption key I<pkey>, and this +should be followed by C<CMS_decrypt(cms, NULL, NULL, dcont, out, flags)>. +This call deallocates any decryption key stored in I<cms>. + +CMS_decrypt_set1_pkey() is the same as +CMS_decrypt_set1_pkey_and_peer() with I<peer> being NULL. -CMS_decrypt_set1_pkey() associates the private key B<pkey>, corresponding -certificate B<cert> with the CMS_ContentInfo structure B<cms>. +CMS_decrypt_set1_password() decrypts the CMS_ContentInfo structure I<cms> +using the secret I<pass> of length I<passlen>. +On success, it also records in I<cms> the decryption key used, and this +should be followed by C<CMS_decrypt(cms, NULL, NULL, dcont, out, flags)>. +This call deallocates any decryption key stored in I<cms>. =head1 NOTES @@ -38,7 +57,7 @@ Although the recipients certificate is not needed to decrypt the data it is needed to locate the appropriate (of possible several) recipients in the CMS structure. -If B<cert> is set to NULL all possible recipients are tried. This case however +If I<cert> is set to NULL all possible recipients are tried. This case however is problematic. To thwart the MMA attack (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) all recipients are tried whether they succeed or not. If no recipient succeeds then a random symmetric key is used to decrypt @@ -54,26 +73,32 @@ open to attack. It is possible to determine the correct recipient key by other means (for example looking them up in a database) and setting them in the CMS structure -in advance using the CMS utility functions such as CMS_set1_pkey(). In this -case both B<cert> and B<pkey> should be set to NULL. +in advance using the CMS utility functions such as CMS_set1_pkey(), +or use CMS_decrypt_set1_password() if the recipient has a symmetric key. +In these cases both I<cert> and I<pkey> should be set to NULL. To process KEKRecipientInfo types CMS_set1_key() or CMS_RecipientInfo_set0_key() and CMS_RecipientInfo_decrypt() should be called before CMS_decrypt() and -B<cert> and B<pkey> set to NULL. +I<cert> and I<pkey> set to NULL. -The following flags can be passed in the B<flags> parameter. +The following flags can be passed in the I<flags> parameter. -If the B<CMS_TEXT> flag is set MIME headers for type B<text/plain> are deleted -from the content. If the content is not of type B<text/plain> then an error is +If the B<CMS_TEXT> flag is set MIME headers for type C<text/plain> are deleted +from the content. If the content is not of type C<text/plain> then an error is returned. =head1 RETURN VALUES -CMS_decrypt() returns either 1 for success or 0 for failure. -The error can be obtained from ERR_get_error(3) +CMS_decrypt(), CMS_decrypt_set1_pkey_and_peer(), +CMS_decrypt_set1_pkey(), and CMS_decrypt_set1_password() +return either 1 for success or 0 for failure. +The error can be obtained from ERR_get_error(3). =head1 BUGS +The B<set1_> part of these function names is misleading +and should better read: B<with_>. + The lack of single pass processing and the need to hold all data in memory as mentioned in CMS_verify() also applies to CMS_decrypt(). @@ -83,11 +108,12 @@ L<ERR_get_error(3)>, L<CMS_encrypt(3)> =head1 HISTORY -B<CMS_decrypt_set1_pkey_and_peer> was added in OpenSSL 3.0. +CMS_decrypt_set1_pkey_and_peer() and CMS_decrypt_set1_password() +were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EC_GROUP_copy.pod b/doc/man3/EC_GROUP_copy.pod index 651f059d4fd5..e525fad0bf6b 100644 --- a/doc/man3/EC_GROUP_copy.pod +++ b/doc/man3/EC_GROUP_copy.pod @@ -129,7 +129,7 @@ point_conversion_form_t is an enum defined as follows: For POINT_CONVERSION_UNCOMPRESSED the point is encoded as an octet signifying the UNCOMPRESSED form has been used followed by the octets for x, followed by the octets for y. -For any given x co-ordinate for a point on a curve it is possible to derive two possible y values. For +For any given x coordinate for a point on a curve it is possible to derive two possible y values. For POINT_CONVERSION_COMPRESSED the point is encoded as an octet signifying that the COMPRESSED form has been used AND which of the two possible solutions for y has been used, followed by the octets for x. diff --git a/doc/man3/EC_KEY_new.pod b/doc/man3/EC_KEY_new.pod index e611b4d691f1..d93586b1d01e 100644 --- a/doc/man3/EC_KEY_new.pod +++ b/doc/man3/EC_KEY_new.pod @@ -128,7 +128,7 @@ EC_KEY_check_key() performs various sanity checks on the EC_KEY object to confirm that it is valid. EC_KEY_set_public_key_affine_coordinates() sets the public key for I<key> based -on its affine co-ordinates; i.e., it constructs an EC_POINT object based on +on its affine coordinates; i.e., it constructs an EC_POINT object based on the supplied I<x> and I<y> values and sets the public key to be this EC_POINT. It also performs certain sanity checks on the key to confirm that it is valid. @@ -235,7 +235,7 @@ For replacement see L<EVP_PKEY-EC(7)>. =head1 COPYRIGHT -Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EC_POINT_add.pod b/doc/man3/EC_POINT_add.pod index 97bd34c3932e..591308be3fc2 100644 --- a/doc/man3/EC_POINT_add.pod +++ b/doc/man3/EC_POINT_add.pod @@ -44,7 +44,7 @@ EC_POINT_is_on_curve tests whether the supplied point is on the curve or not. EC_POINT_cmp compares the two supplied points and tests whether or not they are equal. The functions EC_POINT_make_affine and EC_POINTs_make_affine force the internal representation of the EC_POINT(s) into the affine -co-ordinate system. In the case of EC_POINTs_make_affine the value B<num> provides the number of points in the array B<points> to be +coordinate system. In the case of EC_POINTs_make_affine the value B<num> provides the number of points in the array B<points> to be forced. These functions were deprecated in OpenSSL 3.0 and should no longer be used. Modern versions automatically perform this conversion when needed. @@ -90,7 +90,7 @@ were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EC_POINT_new.pod b/doc/man3/EC_POINT_new.pod index f92cc2c8e229..3bbf8bb089ac 100644 --- a/doc/man3/EC_POINT_new.pod +++ b/doc/man3/EC_POINT_new.pod @@ -124,9 +124,9 @@ public concept. A valid point on a curve is the special point at infinity. A point is set to be at infinity by calling EC_POINT_set_to_infinity(). -The affine co-ordinates for a point describe a point in terms of its x and y +The affine coordinates for a point describe a point in terms of its x and y position. The function EC_POINT_set_affine_coordinates() sets the B<x> and B<y> -co-ordinates for the point B<p> defined over the curve given in B<group>. The +coordinates for the point B<p> defined over the curve given in B<group>. The function EC_POINT_get_affine_coordinates() sets B<x> and B<y>, either of which may be NULL, to the corresponding coordinates of B<p>. @@ -140,27 +140,27 @@ EC_POINT_get_affine_coordinates_GF2m() are synonyms for EC_POINT_get_affine_coordinates(). They are defined for backwards compatibility only and should not be used. -As well as the affine co-ordinates, a point can alternatively be described in -terms of its Jacobian projective co-ordinates (for Fp curves only). Jacobian -projective co-ordinates are expressed as three values x, y and z. Working in -this co-ordinate system provides more efficient point multiplication -operations. A mapping exists between Jacobian projective co-ordinates and -affine co-ordinates. A Jacobian projective co-ordinate (x, y, z) can be written -as an affine co-ordinate as (x/(z^2), y/(z^3)). Conversion to Jacobian -projective from affine co-ordinates is simple. The co-ordinate (x, y) is mapped +As well as the affine coordinates, a point can alternatively be described in +terms of its Jacobian projective coordinates (for Fp curves only). Jacobian +projective coordinates are expressed as three values x, y and z. Working in +this coordinate system provides more efficient point multiplication +operations. A mapping exists between Jacobian projective coordinates and +affine coordinates. A Jacobian projective coordinate (x, y, z) can be written +as an affine coordinate as (x/(z^2), y/(z^3)). Conversion to Jacobian +projective from affine coordinates is simple. The coordinate (x, y) is mapped to (x, y, 1). Although deprecated in OpenSSL 3.0 and should no longer be used, -to set or get the projective co-ordinates in older versions use +to set or get the projective coordinates in older versions use EC_POINT_set_Jprojective_coordinates_GFp() and EC_POINT_get_Jprojective_coordinates_GFp() respectively. Modern versions should instead use EC_POINT_set_affine_coordinates() and EC_POINT_get_affine_coordinates(), performing the conversion manually using the above maps in such rare circumstances. -Points can also be described in terms of their compressed co-ordinates. For a +Points can also be described in terms of their compressed coordinates. For a point (x, y), for any given value for x such that the point is on the curve there will only ever be two possible values for y. Therefore, a point can be set using the EC_POINT_set_compressed_coordinates() function where B<x> is the x -co-ordinate and B<y_bit> is a value 0 or 1 to identify which of the two +coordinate and B<y_bit> is a value 0 or 1 to identify which of the two possible values for y should be used. The functions EC_POINT_set_compressed_coordinates_GFp() and @@ -269,7 +269,7 @@ added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index 7d7db3c9f708..e469f28a7b54 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -1065,7 +1065,7 @@ with an L<OSSL_PARAM(3)> item with the key When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() get called with an L<OSSL_PARAM(3)> item with the key -"tlsaadpad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD>) +"tlsaad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD>) followed by EVP_CIPHER_CTX_get_params() with a key of "tlsaadpad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD>). diff --git a/doc/man3/EVP_PKEY_set1_RSA.pod b/doc/man3/EVP_PKEY_set1_RSA.pod index c0366d34fcee..6489b1189403 100644 --- a/doc/man3/EVP_PKEY_set1_RSA.pod +++ b/doc/man3/EVP_PKEY_set1_RSA.pod @@ -62,13 +62,16 @@ see L<openssl_user_macros(7)>: EVP_PKEY_get_base_id() returns the type of I<pkey>. For example an RSA key will return B<EVP_PKEY_RSA>. -EVP_PKEY_get_id() returns the actual OID associated with I<pkey>. -Historically keys using the same algorithm could use different OIDs. -For example an RSA key could use the OIDs corresponding to +EVP_PKEY_get_id() returns the actual NID associated with I<pkey> +only if the I<pkey> type isn't implemented just in a L<provider(7)>. +Historically keys using the same algorithm could use different NIDs. +For example an RSA key could use the NIDs corresponding to the NIDs B<NID_rsaEncryption> (equivalent to B<EVP_PKEY_RSA>) or B<NID_rsa> (equivalent to B<EVP_PKEY_RSA2>). The use of -alternative non-standard OIDs is now rare so B<EVP_PKEY_RSA2> et al are not +alternative non-standard NIDs is now rare so B<EVP_PKEY_RSA2> et al are not often seen in practice. +EVP_PKEY_get_id() returns -1 (B<EVP_PKEY_KEYMGMT>) if the I<pkey> is +only implemented in a L<provider(7)>. EVP_PKEY_type() returns the underlying type of the NID I<type>. For example EVP_PKEY_type(EVP_PKEY_RSA2) will return B<EVP_PKEY_RSA>. @@ -142,6 +145,9 @@ EVP_PKEY_get_id(), EVP_PKEY_get_base_id(), EVP_PKEY_type() For EVP_PKEY key type checking purposes, L<EVP_PKEY_is_a(3)> is more generic. +For purposes of retrieving the name of the B<EVP_PKEY> the function +L<EVP_PKEY_get0_type_name(3)> is more generally useful. + The keys returned from the functions EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_DH() and EVP_PKEY_get0_EC_KEY() were changed to have a "const" return type in OpenSSL 3.0. As described above the keys returned may be cached @@ -222,7 +228,7 @@ It was removed in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_RAND.pod b/doc/man3/EVP_RAND.pod index a4d72b70432f..11ea807cc330 100644 --- a/doc/man3/EVP_RAND.pod +++ b/doc/man3/EVP_RAND.pod @@ -332,6 +332,18 @@ or the properties in the case of B<OSSL_RAND_PARAM_PROPERTIES>. =head1 NOTES +The use of a nonzero value for the I<prediction_resistance> argument to +EVP_RAND_instantiate(), EVP_RAND_generate() or EVP_RAND_reseed() should +be used sparingly. In the default setup, this will cause all public and +private DRBGs to be reseeded on next use. Since, by default, public and +private DRBGs are allocated on a per thread basis, this can result in +significant overhead for highly multi-threaded applications. For normal +use-cases, the default "reseed_requests" and "reseed_time_interval" +thresholds ensure sufficient prediction resistance over time and you +can reduce those values if you think they are too high. Explicitly +requesting prediction resistance is intended for more special use-cases +like generating long-term secrets. + An B<EVP_RAND_CTX> needs to have locking enabled if it acts as the parent of more than one child and the children can be accessed concurrently. This must be done by explicitly calling EVP_RAND_enable_locking(). @@ -394,7 +406,7 @@ This functionality was added to OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_aes_128_gcm.pod b/doc/man3/EVP_aes_128_gcm.pod index 0575901503b2..09cae9912950 100644 --- a/doc/man3/EVP_aes_128_gcm.pod +++ b/doc/man3/EVP_aes_128_gcm.pod @@ -169,6 +169,13 @@ the XTS "tweak" value. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L<EVP_CIPHER_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. + =head1 RETURN VALUES These functions return an B<EVP_CIPHER> structure that contains the @@ -183,7 +190,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_aria_128_gcm.pod b/doc/man3/EVP_aria_128_gcm.pod index 6471acb24954..92913652630d 100644 --- a/doc/man3/EVP_aria_128_gcm.pod +++ b/doc/man3/EVP_aria_128_gcm.pod @@ -92,6 +92,13 @@ correctly, see the L<EVP_EncryptInit(3)/AEAD Interface> section for details. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L<EVP_CIPHER_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. + =head1 RETURN VALUES These functions return an B<EVP_CIPHER> structure that contains the @@ -106,7 +113,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_bf_cbc.pod b/doc/man3/EVP_bf_cbc.pod index 03385620873e..4df98f4bdf47 100644 --- a/doc/man3/EVP_bf_cbc.pod +++ b/doc/man3/EVP_bf_cbc.pod @@ -37,6 +37,13 @@ Blowfish encryption algorithm in CBC, CFB, ECB and OFB modes respectively. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L<EVP_CIPHER_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. + =head1 RETURN VALUES These functions return an B<EVP_CIPHER> structure that contains the @@ -51,7 +58,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_blake2b512.pod b/doc/man3/EVP_blake2b512.pod index 649a29c98717..98e1899f6a93 100644 --- a/doc/man3/EVP_blake2b512.pod +++ b/doc/man3/EVP_blake2b512.pod @@ -31,6 +31,17 @@ The BLAKE2b algorithm that produces a 512-bit output from a given input. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L<EVP_MD_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. + +While the BLAKE2b and BLAKE2s algorithms supports a variable length digest, +this implementation outputs a digest of a fixed length (the maximum length +supported), which is 512-bits for BLAKE2b and 256-bits for BLAKE2s. + =head1 RETURN VALUES These functions return a B<EVP_MD> structure that contains the @@ -41,12 +52,6 @@ details of the B<EVP_MD> structure. RFC 7693. -=head1 NOTES - -While the BLAKE2b and BLAKE2s algorithms supports a variable length digest, -this implementation outputs a digest of a fixed length (the maximum length -supported), which is 512-bits for BLAKE2b and 256-bits for BLAKE2s. - =head1 SEE ALSO L<evp(7)>, @@ -54,7 +59,7 @@ L<EVP_DigestInit(3)> =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_camellia_128_ecb.pod b/doc/man3/EVP_camellia_128_ecb.pod index 4a57f79512c4..a6b597156a77 100644 --- a/doc/man3/EVP_camellia_128_ecb.pod +++ b/doc/man3/EVP_camellia_128_ecb.pod @@ -75,6 +75,13 @@ Camellia for 128, 192 and 256 bit keys in the following modes: CBC, CFB with =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L<EVP_CIPHER_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. + =head1 RETURN VALUES These functions return an B<EVP_CIPHER> structure that contains the @@ -89,7 +96,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_cast5_cbc.pod b/doc/man3/EVP_cast5_cbc.pod index e823a197f959..85ff2ad01488 100644 --- a/doc/man3/EVP_cast5_cbc.pod +++ b/doc/man3/EVP_cast5_cbc.pod @@ -37,6 +37,13 @@ CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L<EVP_CIPHER_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. + =head1 RETURN VALUES These functions return an B<EVP_CIPHER> structure that contains the @@ -51,7 +58,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_chacha20.pod b/doc/man3/EVP_chacha20.pod index 060b1bfc254f..28ab25bf7188 100644 --- a/doc/man3/EVP_chacha20.pod +++ b/doc/man3/EVP_chacha20.pod @@ -40,6 +40,13 @@ L<EVP_EncryptInit(3)/AEAD Interface> section for more information. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L<EVP_CIPHER_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. + =head1 RETURN VALUES These functions return an B<EVP_CIPHER> structure that contains the @@ -54,7 +61,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_des_cbc.pod b/doc/man3/EVP_des_cbc.pod index fe9d5e6a0e07..501216cd6d77 100644 --- a/doc/man3/EVP_des_cbc.pod +++ b/doc/man3/EVP_des_cbc.pod @@ -85,6 +85,13 @@ Triple-DES key wrap according to RFC 3217 Section 3. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L<EVP_CIPHER_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. + =head1 RETURN VALUES These functions return an B<EVP_CIPHER> structure that contains the @@ -99,7 +106,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_desx_cbc.pod b/doc/man3/EVP_desx_cbc.pod index 01987bf28cfb..fae827192ee9 100644 --- a/doc/man3/EVP_desx_cbc.pod +++ b/doc/man3/EVP_desx_cbc.pod @@ -29,6 +29,11 @@ implementation. =back +Developers should be aware of the negative performance implications of +calling this function multiple times and should consider using +L<EVP_CIPHER_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. + =head1 RETURN VALUES These functions return an B<EVP_CIPHER> structure that contains the @@ -43,7 +48,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_idea_cbc.pod b/doc/man3/EVP_idea_cbc.pod index 2fa5a2925f0f..5a9adaedc446 100644 --- a/doc/man3/EVP_idea_cbc.pod +++ b/doc/man3/EVP_idea_cbc.pod @@ -35,6 +35,13 @@ The IDEA encryption algorithm in CBC, CFB, ECB and OFB modes respectively. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L<EVP_CIPHER_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. + =head1 RETURN VALUES These functions return an B<EVP_CIPHER> structure that contains the @@ -49,7 +56,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_md2.pod b/doc/man3/EVP_md2.pod index 420bb1545316..0b473887e01b 100644 --- a/doc/man3/EVP_md2.pod +++ b/doc/man3/EVP_md2.pod @@ -24,6 +24,12 @@ The MD2 algorithm which produces a 128-bit output from a given input. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling this function multiple times and should consider using +L<EVP_MD_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. =head1 RETURN VALUES @@ -43,7 +49,7 @@ L<EVP_DigestInit(3)> =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_md4.pod b/doc/man3/EVP_md4.pod index a3d3beaaf83d..baaff9e4eaa2 100644 --- a/doc/man3/EVP_md4.pod +++ b/doc/man3/EVP_md4.pod @@ -25,6 +25,12 @@ The MD4 algorithm which produces a 128-bit output from a given input. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling this function multiple times and should consider using +L<EVP_MD_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. =head1 RETURN VALUES @@ -44,7 +50,7 @@ L<EVP_DigestInit(3)> =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_md5.pod b/doc/man3/EVP_md5.pod index 9d729601a066..752fdd1f6c37 100644 --- a/doc/man3/EVP_md5.pod +++ b/doc/man3/EVP_md5.pod @@ -36,6 +36,12 @@ WARNING: this algorithm is not intended for non-SSL usage. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L<EVP_MD_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. =head1 RETURN VALUES @@ -54,7 +60,7 @@ L<EVP_DigestInit(3)> =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_mdc2.pod b/doc/man3/EVP_mdc2.pod index 7ebed04c700d..e9de6f3c560a 100644 --- a/doc/man3/EVP_mdc2.pod +++ b/doc/man3/EVP_mdc2.pod @@ -26,6 +26,13 @@ The MDC-2DES algorithm of using MDC-2 with the DES block cipher. It produces a =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling this function multiple times and should consider using +L<EVP_MD_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. + =head1 RETURN VALUES These functions return a B<EVP_MD> structure that contains the @@ -44,7 +51,7 @@ L<EVP_DigestInit(3)> =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_rc2_cbc.pod b/doc/man3/EVP_rc2_cbc.pod index e6111ff3afc5..bf4a13ba45c1 100644 --- a/doc/man3/EVP_rc2_cbc.pod +++ b/doc/man3/EVP_rc2_cbc.pod @@ -51,6 +51,13 @@ functions to set the key length and effective key length. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L<EVP_CIPHER_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. + =head1 RETURN VALUES These functions return an B<EVP_CIPHER> structure that contains the @@ -65,7 +72,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_rc4.pod b/doc/man3/EVP_rc4.pod index 9deaab97f82c..f22e88a65214 100644 --- a/doc/man3/EVP_rc4.pod +++ b/doc/man3/EVP_rc4.pod @@ -43,6 +43,13 @@ interface. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L<EVP_CIPHER_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. + =head1 RETURN VALUES These functions return an B<EVP_CIPHER> structure that contains the @@ -57,7 +64,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_rc5_32_12_16_cbc.pod b/doc/man3/EVP_rc5_32_12_16_cbc.pod index 8ac23b4a9ed1..c177b1845196 100644 --- a/doc/man3/EVP_rc5_32_12_16_cbc.pod +++ b/doc/man3/EVP_rc5_32_12_16_cbc.pod @@ -56,6 +56,13 @@ is an int. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L<EVP_CIPHER_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. + =head1 RETURN VALUES These functions return an B<EVP_CIPHER> structure that contains the @@ -71,7 +78,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_ripemd160.pod b/doc/man3/EVP_ripemd160.pod index e559b0344942..6ad2d3e01869 100644 --- a/doc/man3/EVP_ripemd160.pod +++ b/doc/man3/EVP_ripemd160.pod @@ -25,6 +25,13 @@ The RIPEMD-160 algorithm which produces a 160-bit output from a given input. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling this function multiple times and should consider using +L<EVP_MD_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. + =head1 RETURN VALUES These functions return a B<EVP_MD> structure that contains the @@ -43,7 +50,7 @@ L<EVP_DigestInit(3)> =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_seed_cbc.pod b/doc/man3/EVP_seed_cbc.pod index eef7dd540db2..010607e57405 100644 --- a/doc/man3/EVP_seed_cbc.pod +++ b/doc/man3/EVP_seed_cbc.pod @@ -37,6 +37,13 @@ The SEED encryption algorithm in CBC, CFB, ECB and OFB modes respectively. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L<EVP_CIPHER_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. + =head1 RETURN VALUES These functions return an B<EVP_CIPHER> structure that contains the @@ -51,7 +58,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_sha1.pod b/doc/man3/EVP_sha1.pod index f3e9e8d4fa19..264ddd1addb7 100644 --- a/doc/man3/EVP_sha1.pod +++ b/doc/man3/EVP_sha1.pod @@ -25,6 +25,12 @@ The SHA-1 algorithm which produces a 160-bit output from a given input. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling this function multiple times and should consider using +L<EVP_MD_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. =head1 RETURN VALUES @@ -43,7 +49,7 @@ L<EVP_DigestInit(3)> =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_sha224.pod b/doc/man3/EVP_sha224.pod index 97881b54635c..7a50cf9b6c3f 100644 --- a/doc/man3/EVP_sha224.pod +++ b/doc/man3/EVP_sha224.pod @@ -45,6 +45,12 @@ their outputs are of the same size. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L<EVP_MD_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. =head1 RETURN VALUES @@ -63,7 +69,7 @@ L<EVP_DigestInit(3)> =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_sha3_224.pod b/doc/man3/EVP_sha3_224.pod index 4c349f55d32f..5bb9ae1b89e5 100644 --- a/doc/man3/EVP_sha3_224.pod +++ b/doc/man3/EVP_sha3_224.pod @@ -50,6 +50,12 @@ B<EVP_shake256> provides that of 256 bits. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L<EVP_MD_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. =head1 RETURN VALUES @@ -68,7 +74,7 @@ L<EVP_DigestInit(3)> =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_sm3.pod b/doc/man3/EVP_sm3.pod index 96997b1128ae..4e8112dc0afe 100644 --- a/doc/man3/EVP_sm3.pod +++ b/doc/man3/EVP_sm3.pod @@ -24,6 +24,12 @@ The SM3 hash function. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling this function multiple times and should consider using +L<EVP_MD_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. =head1 RETURN VALUES @@ -42,7 +48,7 @@ L<EVP_DigestInit(3)> =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Copyright 2017 Ribose Inc. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/doc/man3/EVP_sm4_cbc.pod b/doc/man3/EVP_sm4_cbc.pod index 51df4435bc08..b67ade549968 100644 --- a/doc/man3/EVP_sm4_cbc.pod +++ b/doc/man3/EVP_sm4_cbc.pod @@ -41,6 +41,13 @@ respectively. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling these functions multiple times and should consider using +L<EVP_CIPHER_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. + =head1 RETURN VALUES These functions return a B<EVP_CIPHER> structure that contains the @@ -55,7 +62,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Copyright 2017 Ribose Inc. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/doc/man3/EVP_whirlpool.pod b/doc/man3/EVP_whirlpool.pod index 3aaf1d50add4..a9826e290a42 100644 --- a/doc/man3/EVP_whirlpool.pod +++ b/doc/man3/EVP_whirlpool.pod @@ -26,6 +26,12 @@ input. =back +=head1 NOTES + +Developers should be aware of the negative performance implications of +calling this function multiple times and should consider using +L<EVP_MD_fetch(3)> instead. +See L<crypto(7)/Performance> for further information. =head1 RETURN VALUES @@ -45,7 +51,7 @@ L<EVP_DigestInit(3)> =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index 3c4e2d3f7d06..c0c41a226bfe 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -111,8 +111,8 @@ OSSL_CMP_CTX_set1_senderNonce int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX *ctx, EVP_PKEY *pkey); int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx, const unsigned char *ref, int len); - int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec, - const int len); + int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, + const unsigned char *sec, int len); /* CMP message header and extra certificates: */ int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX *ctx, const X509_NAME *name); @@ -290,7 +290,7 @@ RFC 4210. =item B<OSSL_CMP_OPT_UNPROTECTED_SEND> - Send messages without CMP-level protection. + Send request or response messages without CMP-level protection. =item B<OSSL_CMP_OPT_UNPROTECTED_ERRORS> @@ -410,8 +410,8 @@ OSSL_CMP_CTX_set_transfer_cb_arg() or NULL if unset. OSSL_CMP_CTX_set1_srvCert() sets the expected server cert in I<ctx> and trusts it directly (even if it is expired) when verifying signed response messages. -May be used alternatively to OSSL_CMP_CTX_set0_trustedStore() -to pin the accepted server. +This pins the accepted CMP server and +results in ignoring whatever may be set using OSSL_CMP_CTX_set0_trustedStore(). Any previously set value is freed. The I<cert> argument may be NULL to clear the entry. If set, the subject of the certificate is also used @@ -419,7 +419,7 @@ as default value for the recipient of CMP requests and as default value for the expected sender of CMP responses. OSSL_CMP_CTX_set1_expected_sender() sets the Distinguished Name (DN) -expected in the sender field of CMP response messages. +expected in the sender field of incoming CMP messages. Defaults to the subject of the pinned server certificate, if any. This can be used to make sure that only a particular entity is accepted as CMP message signer, and attackers are not able to use arbitrary certificates @@ -428,27 +428,30 @@ Note that this gives slightly more freedom than OSSL_CMP_CTX_set1_srvCert(), which pins the server to the holder of a particular certificate, while the expected sender name will continue to match after updates of the server cert. -OSSL_CMP_CTX_set0_trustedStore() sets the certificate store of type X509_STORE -containing trusted (root) CA certificates. -The store may also hold CRLs and -a certificate verification callback function used for CMP server authentication. +OSSL_CMP_CTX_set0_trustedStore() +sets in the CMP context I<ctx> the certificate store of type X509_STORE +containing trusted certificates, typically of root CAs. +This is ignored when a certificate is pinned using OSSL_CMP_CTX_set1_srvCert(). +The store may also hold CRLs and a certificate verification callback function +used for signature-based peer authentication. Any store entry already set before is freed. When given a NULL parameter the entry is cleared. -OSSL_CMP_CTX_get0_trustedStore() returns a pointer to the currently set -certificate store containing trusted cert etc., or an empty store if unset. +OSSL_CMP_CTX_get0_trustedStore() +extracts from the CMP context I<ctx> the pointer to the currently set +certificate store containing trust anchors etc., or an empty store if unset. OSSL_CMP_CTX_set1_untrusted() sets up a list of non-trusted certificates -of intermediate CAs that may be useful for path construction for the CMP client -certificate, for the TLS client certificate (if any), when verifying -the CMP server certificate, and when verifying newly enrolled certificates. +of intermediate CAs that may be useful for path construction for the own CMP +signer certificate, for the own TLS certificate (if any), when verifying peer +CMP protection certificates, and when verifying newly enrolled certificates. The reference counts of those certificates handled successfully are increased. OSSL_CMP_CTX_get0_untrusted(OSSL_CMP_CTX *ctx) returns a pointer to the list of untrusted certs, which may be empty if unset. -OSSL_CMP_CTX_set1_cert() sets the certificate related to the client's private key -used for CMP message protection. +OSSL_CMP_CTX_set1_cert() sets the CMP signer certificate +related to the private key used for CMP message protection. Therefore the public key of this I<cert> must correspond to the private key set before or thereafter via OSSL_CMP_CTX_set1_pkey(). When using signature-based protection of CMP request messages @@ -464,7 +467,7 @@ OSSL_CMP_CTX_build_cert_chain() builds a certificate chain for the CMP signer certificate previously set in the I<ctx>. It adds the optional I<candidates>, a list of intermediate CA certs that may already constitute the targeted chain, to the untrusted certs that may already exist in the I<ctx>. -Then the function uses this augumented set of certs for chain construction. +Then the function uses this augmented set of certs for chain construction. If I<own_trusted> is NULL it builds the chain as far down as possible and ignores any verification errors. Else the CMP signer certificate must be verifiable where the chain reaches a trust anchor contained in I<own_trusted>. @@ -587,6 +590,7 @@ If the callback argument is not NULL it must point to a trust store. In this case the function checks that the newly enrolled certificate can be verified using this trust store and untrusted certificates from the I<ctx>, which have been augmented by the list of extraCerts received. +During this verification, any certificate status checking is disabled. If the callback argument is NULL the function tries building an approximate chain as far as possible using the same untrusted certificates from the I<ctx>, and if this fails it takes the received extraCerts as fallback. diff --git a/doc/man3/OSSL_CMP_MSG_get0_header.pod b/doc/man3/OSSL_CMP_MSG_get0_header.pod index c3297a3577ac..b3175683c782 100644 --- a/doc/man3/OSSL_CMP_MSG_get0_header.pod +++ b/doc/man3/OSSL_CMP_MSG_get0_header.pod @@ -5,6 +5,7 @@ OSSL_CMP_MSG_get0_header, OSSL_CMP_MSG_get_bodytype, OSSL_CMP_MSG_update_transactionID, +OSSL_CMP_MSG_update_recipNonce, OSSL_CMP_CTX_setup_CRM, OSSL_CMP_MSG_read, OSSL_CMP_MSG_write, @@ -19,6 +20,7 @@ i2d_OSSL_CMP_MSG_bio OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg); int OSSL_CMP_MSG_get_bodytype(const OSSL_CMP_MSG *msg); int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); + int OSSL_CMP_MSG_update_recipNonce(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid); OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx, const char *propq); int OSSL_CMP_MSG_write(const char *file, const OSSL_CMP_MSG *msg); @@ -33,7 +35,12 @@ OSSL_CMP_MSG_get_bodytype() returns the body type of the given CMP message. OSSL_CMP_MSG_update_transactionID() updates the transactionID field in the header of the given message according to the CMP_CTX. -This requires re-protecting the message (if it was protected). +If I<ctx> does not contain a transaction ID, a fresh one is created before. +The message gets re-protected (if protecting requests is required). + +OSSL_CMP_MSG_update_recipNonce() updates the recipNonce field +in the header of the given message according to the CMP_CTX. +The message gets re-protected (if protecting requests is required). OSSL_CMP_CTX_setup_CRM() creates a CRMF certificate request message from various information provided in the CMP context argument I<ctx> @@ -65,7 +72,8 @@ The public key included is the first available value of these: =item the public key of any PKCS#10 CSR given in I<ctx>, -=item the public key of any reference certificate given in I<ctx>, +=item the public key of any reference certificate given in I<ctx> +(see L<OSSL_CMP_CTX_set1_oldCert(3)>), =item the public key derived from any client's private key set via L<OSSL_CMP_CTX_set1_pkey(3)>. @@ -121,8 +129,9 @@ return the parsed CMP message or NULL on error. OSSL_CMP_MSG_write() returns the number of bytes successfully encoded or a negative value if an error occurs. -i2d_OSSL_CMP_MSG_bio() and OSSL_CMP_MSG_update_transactionID() return 1 on -success, 0 on error. +i2d_OSSL_CMP_MSG_bio(), OSSL_CMP_MSG_update_transactionID(), +and OSSL_CMP_MSG_update_recipNonce() +return 1 on success, 0 on error. =head1 SEE ALSO @@ -135,9 +144,11 @@ L<OSSL_CMP_CTX_push1_subjectAltName(3)>, L<OSSL_CMP_CTX_push0_policy(3)> The OpenSSL CMP support was added in OpenSSL 3.0. +OSSL_CMP_MSG_update_recipNonce() was added in OpenSSL 3.0.9. + =head1 COPYRIGHT -Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CRMF_MSG_set0_validity.pod b/doc/man3/OSSL_CRMF_MSG_set0_validity.pod index a87b7d530715..93185a5528d8 100644 --- a/doc/man3/OSSL_CRMF_MSG_set0_validity.pod +++ b/doc/man3/OSSL_CRMF_MSG_set0_validity.pod @@ -68,7 +68,7 @@ may be NULL to select the defaults. In case the method is OSSL_CRMF_POPO_SIGNATURE the POPO is calculated using the private key I<pkey> and the digest method I<digest>, where the I<digest> argument is ignored if I<pkey> is of a type (such as -Ed25519 and Ed448) that is implicitly associated with a digest alorithm. +Ed25519 and Ed448) that is implicitly associated with a digest algorithm. I<meth> can be one of the following: @@ -110,7 +110,7 @@ The OpenSSL CRMF support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_DECODER_from_bio.pod b/doc/man3/OSSL_DECODER_from_bio.pod index 5118dee9ac8b..0cefeb2bf545 100644 --- a/doc/man3/OSSL_DECODER_from_bio.pod +++ b/doc/man3/OSSL_DECODER_from_bio.pod @@ -42,8 +42,8 @@ except that the input is coming from the B<FILE> I<fp>. =head1 RETURN VALUES -OSSL_DECODER_from_bio() and OSSL_DECODER_from_fp() return 1 on success, or 0 -on failure. +OSSL_DECODER_from_bio(), OSSL_DECODER_from_data() and OSSL_DECODER_from_fp() +return 1 on success, or 0 on failure. =head1 EXAMPLES @@ -110,7 +110,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_PARAM.pod b/doc/man3/OSSL_PARAM.pod index 0aad61924f79..3939ddc74296 100644 --- a/doc/man3/OSSL_PARAM.pod +++ b/doc/man3/OSSL_PARAM.pod @@ -40,11 +40,11 @@ suitable form for the internal structure of the object. =item * Request parameters of some object -The caller (the I<requestor>) sets up the B<OSSL_PARAM> array and +The caller (the I<requester>) sets up the B<OSSL_PARAM> array and calls some function (the I<responder>) that has intimate knowledge about the object, which can take the internal data of the object and copy (possibly convert) that to the memory prepared by the -I<requestor> and pointed at with the B<OSSL_PARAM> I<data>. +I<requester> and pointed at with the B<OSSL_PARAM> I<data>. =item * Request parameter descriptors @@ -111,7 +111,7 @@ size should be set to the size of the buffer to be populated, which should accomodate enough space for a terminating NUL byte. When I<requesting parameters>, it's acceptable for I<data> to be NULL. -This can be used by the I<requestor> to figure out dynamically exactly +This can be used by the I<requester> to figure out dynamically exactly how much buffer space is needed to store the parameter data. In this case, I<data_size> is ignored. @@ -267,6 +267,14 @@ B<OSSL_PARAM_OCTET_STRING>), but this is in no way mandatory. =item * +If I<data> for a B<OSSL_PARAM_OCTET_STRING> or a +B<OSSL_PARAM_UTF8_STRING> is NULL, the I<responder> should +set I<return_size> to the size of the item to be returned +and return success. Later the responder will be called again +with I<data> pointing at the place for the value to be put. + +=item * + If a I<responder> finds that some data sizes are too small for the requested data, it must set I<return_size> for each such B<OSSL_PARAM> item to the minimum required size, and eventually return @@ -356,7 +364,7 @@ B<OSSL_PARAM> was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_PARAM_int.pod b/doc/man3/OSSL_PARAM_int.pod index 8864404a7a15..c03e30f83965 100644 --- a/doc/man3/OSSL_PARAM_int.pod +++ b/doc/man3/OSSL_PARAM_int.pod @@ -368,7 +368,7 @@ This example is for setting parameters on some object: =head2 Example 2 This example is for requesting parameters on some object, and also -demonstrates that the requestor isn't obligated to request all +demonstrates that the requester isn't obligated to request all available parameters: const char *foo = NULL; @@ -403,7 +403,7 @@ These APIs were introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/PEM_read_CMS.pod b/doc/man3/PEM_read_CMS.pod index 2b96db9c31a3..dbccf26cd893 100644 --- a/doc/man3/PEM_read_CMS.pod +++ b/doc/man3/PEM_read_CMS.pod @@ -122,8 +122,7 @@ B<PEM_read_I<TYPE>>() and B<PEM_read_bio_I<TYPE>>() return a pointer to an allocated object, which should be released by calling B<I<TYPE>_free>(), or NULL on error. -B<PEM_write_I<TYPE>>() and B<PEM_write_bio_I<TYPE>>() return the number of bytes -written or zero on error. +B<PEM_write_I<TYPE>>() and B<PEM_write_bio_I<TYPE>>() return 1 for success or 0 for failure. =head1 SEE ALSO @@ -143,7 +142,7 @@ were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 1998-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/PKCS7_sign.pod b/doc/man3/PKCS7_sign.pod index c0a07090759b..1d997045fe14 100644 --- a/doc/man3/PKCS7_sign.pod +++ b/doc/man3/PKCS7_sign.pod @@ -96,7 +96,7 @@ not be NULL. PKCS7_sign() is like PKCS7_sign_ex() except that it uses default values of NULL for the library context I<libctx> and the property query I<propq>. -This is retained for API backward compatibiliy. +This is retained for API backward compatibility. =head1 BUGS @@ -122,7 +122,7 @@ The B<PKCS7_STREAM> flag was added in OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod index 08522522cd0b..176f8d25fc31 100644 --- a/doc/man3/SSL_CTX_set_options.pod +++ b/doc/man3/SSL_CTX_set_options.pod @@ -211,7 +211,7 @@ description of the replay protection feature. Anti-replay measures are required to comply with the TLSv1.3 specification. Some applications may be able to mitigate the replay risks in other ways and in such cases the built in OpenSSL functionality is not required. Those applications can turn this feature off by -setting this option. This is a server-side opton only. It is ignored by +setting this option. This is a server-side option only. It is ignored by clients. =item SSL_OP_NO_COMPRESSION @@ -352,6 +352,10 @@ retained for compatibility purposes: =item SSL_OP_EPHEMERAL_RSA +=item SSL_OP_NETSCAPE_CA_DN_BUG + +=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG + =back =head1 SECURE RENEGOTIATION @@ -452,7 +456,7 @@ whether these macros are defined or not. =head1 COPYRIGHT -Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_split_send_fragment.pod b/doc/man3/SSL_CTX_set_split_send_fragment.pod index 5097404398b2..2231f5b127e5 100644 --- a/doc/man3/SSL_CTX_set_split_send_fragment.pod +++ b/doc/man3/SSL_CTX_set_split_send_fragment.pod @@ -56,7 +56,7 @@ of pipelines that will be used at any one time. This value applies to both used (i.e. normal non-parallel operation). The number of pipelines set must be in the range 1 - SSL_MAX_PIPELINES (32). Setting this to a value > 1 will also automatically turn on "read_ahead" (see L<SSL_CTX_set_read_ahead(3)>). This is -explained further below. OpenSSL will only every use more than one pipeline if +explained further below. OpenSSL will only ever use more than one pipeline if a cipher suite is negotiated that uses a pipeline capable cipher provided by an engine. @@ -96,7 +96,10 @@ into the buffer. Without this set data is read into the read buffer one record at a time. The more data that can be read, the more opportunity there is for parallelising the processing at the cost of increased memory overhead per connection. Setting B<read_ahead> can impact the behaviour of the SSL_pending() -function (see L<SSL_pending(3)>). +function (see L<SSL_pending(3)>). In addition the default size of the internal +read buffer is multiplied by the number of pipelines available to ensure that we +can read multiple records in one go. This can therefore have a significant +impact on memory usage. The SSL_CTX_set_default_read_buffer_len() and SSL_set_default_read_buffer_len() functions control the size of the read buffer that will be used. The B<len> @@ -179,7 +182,7 @@ and SSL_SESSION_get_max_fragment_length() functions were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_SESSION_free.pod b/doc/man3/SSL_SESSION_free.pod index 74c6ec2a29cb..4af750a358ba 100644 --- a/doc/man3/SSL_SESSION_free.pod +++ b/doc/man3/SSL_SESSION_free.pod @@ -21,8 +21,8 @@ SSL_SESSION_free - create, free and manage SSL_SESSION structures SSL_SESSION_new() creates a new SSL_SESSION structure and returns a pointer to it. -SSL_SESSION_dup() copies the contents of the SSL_SESSION structure in B<src> -and returns a pointer to it. +SSL_SESSION_dup() creates a new SSL_SESSION structure that is a copy of B<src>. +The copy is not owned by any cache that B<src> may have been in. SSL_SESSION_up_ref() increments the reference count on the given SSL_SESSION structure. @@ -62,6 +62,8 @@ incorrect reference counts and therefore program failures. SSL_SESSION_new returns a pointer to the newly allocated SSL_SESSION structure or NULL on error. +SSL_SESSION_dup returns a pointer to the new copy or NULL on error. + SSL_SESSION_up_ref returns 1 on success or 0 on error. =head1 SEE ALSO @@ -77,7 +79,7 @@ The SSL_SESSION_dup() function was added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_STORE_CTX_get_error.pod b/doc/man3/X509_STORE_CTX_get_error.pod index d0036b38b6a6..c992d5da27de 100644 --- a/doc/man3/X509_STORE_CTX_get_error.pod +++ b/doc/man3/X509_STORE_CTX_get_error.pod @@ -220,10 +220,10 @@ The certificate chain length is greater than the supplied maximum depth. The certificate has been revoked. -=item B<X509_V_ERR_INVALID_CA: invalid CA certificate> +=item B<X509_V_ERR_NO_ISSUER_PUBLIC_KEY: + issuer certificate doesn't have a public key> -A CA certificate is invalid. Either it is not a CA or its extensions are not -consistent with the supplied purpose. +The issuer certificate does not have a public key. =item B<X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded> @@ -266,6 +266,44 @@ key usage does not include certificate signing> The current candidate issuer certificate was rejected because its C<keyUsage> extension does not permit certificate signing. +=item B<X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: +unable to get CRL issuer certificate> + +Unable to get CRL issuer certificate. + +=item B<X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: unhandled critical extension> + +Unhandled critical extension. + +=item B<X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: key usage does not include CRL signing> + +Key usage does not include CRL signing. + +=item B<X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: unhandled critical CRL extension> + +Unhandled critical CRL extension. + +=item B<X509_V_ERR_INVALID_NON_CA: invalid non-CA certificate (has CA markings)> + +Invalid non-CA certificate has CA markings. + +=item B<X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: +proxy path length constraint exceeded> + +Proxy path length constraint exceeded. + +=item B<X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: +key usage does not include digital signature> + +Key usage does not include digital signature, and therefore cannot sign +certificates. + +=item B<X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: + proxy certificates not allowed, please set the appropriate flag> + +Proxy certificates not allowed unless the B<X509_V_FLAG_ALLOW_PROXY_CERTS> flag +is set. + =item B<X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate extension> @@ -288,10 +326,14 @@ present. The only CRLs that could be found did not match the scope of the certificate. -=item B<X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: Unsupported extension feature> +=item B<X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: unsupported extension feature> Some feature of a certificate extension is not supported. Unused. +=item B<X509_V_ERR_UNNESTED_RESOURCE: RFC 3779 resource not subset of parent's resources> + +See RFC 3779 for details. + =item B<X509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation> A name constraint violation occurred in the permitted subtrees. @@ -306,6 +348,11 @@ name constraints minimum and maximum not supported> A certificate name constraints extension included a minimum or maximum field: this is not supported. +=item B<X509_V_ERR_APPLICATION_VERIFICATION: application verification failure> + +An application specific error. This will never be returned unless explicitly +set by an application callback. + =item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint type> @@ -319,58 +366,15 @@ The format of the name constraint is not recognised: for example an email address format of a form not mentioned in RFC3280. This could be caused by a garbage extension or some new feature not currently supported. +=item B<X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: unsupported or invalid name syntax> + +Unsupported or invalid name syntax. + =item B<X509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error> An error occurred when attempting to verify the CRL path. This error can only happen if extended CRL checking is enabled. -=item B<X509_V_ERR_APPLICATION_VERIFICATION: application verification failure> - -An application specific error. This will never be returned unless explicitly -set by an application callback. - -=item B<X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: unable to get CRL issuer certificate> - -Unable to get CRL issuer certificate. - -=item B<X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: unhandled critical extension> - -Unhandled critical extension. - -=item B<X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: key usage does not include CRL signing> - -Key usage does not include CRL signing. - -=item B<X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: unhandled critical CRL extension> - -Unhandled critical CRL extension. - -=item B<X509_V_ERR_INVALID_NON_CA: invalid non-CA certificate (has CA markings)> - -Invalid non-CA certificate has CA markings. - -=item B<X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: proxy path length constraint exceeded> - -Proxy path length constraint exceeded. - -=item B<X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: key usage does not include digital signature> - -Key usage does not include digital signature, and therefore cannot sign -certificates. - -=item B<X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: proxy certificates not allowed, please set the appropriate flag> - -Proxy certificates not allowed unless the B<X509_V_FLAG_ALLOW_PROXY_CERTS> flag -is set. - -=item B<X509_V_ERR_UNNESTED_RESOURCE: RFC 3779 resource not subset of parent's resources> - -See RFC 3779 for details. - -=item B<X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: unsupported or invalid name syntax> - -Unsupported or invalid name syntax. - =item B<X509_V_ERR_PATH_LOOP: path loop> Path loop. @@ -434,15 +438,28 @@ Returned by the verify callback to indicate OCSP verification failed. Returned by the verify callback to indicate that the certificate is not recognized by the OCSP responder. -=item B<X509_V_ERR_NO_ISSUER_PUBLIC_KEY: issuer certificate doesn't have a public key> +=item B<X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM: +unsupported signature algorithm> -The issuer certificate does not have a public key. +Cannot find certificate signature algorithm. -=item B<X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH: subject signature algorithm and issuer public key algorithm mismatch> +=item B<X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH: +subject signature algorithm and issuer public key algorithm mismatch> The issuer's public key is not of the type required by the signature in the subject's certificate. +=item B<X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY: +cert info signature and signature algorithm mismatch> + +The algorithm given in the certificate info is inconsistent + with the one used for the certificate signature. + +=item B<X509_V_ERR_INVALID_CA: invalid CA certificate> + +A CA certificate is invalid. Either it is not a CA or its extensions are not +consistent with the supplied purpose. + =back =head1 NOTES diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod index 75a167702296..43c1900bca78 100644 --- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -98,8 +98,9 @@ B<trust>. X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to B<t>. Normally the current time is used. -X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled -by default) and adds B<policy> to the acceptable policy set. +X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set. +Contrary to preexisting documentation of this function it does not enable +policy checking. X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled by default) and sets the acceptable policy set to B<policies>. Any existing @@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0. +The function X509_VERIFY_PARAM_add0_policy() was historically documented as +enabling policy checking however the implementation has never done this. +The documentation was changed to align with the implementation. + =head1 COPYRIGHT Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man5/config.pod b/doc/man5/config.pod index 77a8055e81fa..a78ff4dc0657 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod @@ -73,7 +73,7 @@ done with the following directive: The default behavior, where the B<value> is B<false> or B<off>, is to treat the dollarsign as indicating a variable name; C<foo$bar> is interpreted as C<foo> followed by the expansion of the variable C<bar>. If B<value> is -B<true> or B<on>, then C<foo$bar> is a single seven-character name nad +B<true> or B<on>, then C<foo$bar> is a single seven-character name and variable expansions must be specified using braces or parentheses. .pragma [=] includedir:value @@ -575,7 +575,7 @@ L<x509v3_config(5)>. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_CIPHER-NULL.pod b/doc/man7/EVP_CIPHER-NULL.pod new file mode 100644 index 000000000000..44e07dcf1b05 --- /dev/null +++ b/doc/man7/EVP_CIPHER-NULL.pod @@ -0,0 +1,72 @@ +=pod + +=head1 NAME + +EVP_CIPHER-NULL - The NULL EVP_CIPHER implementation + +=head1 DESCRIPTION + +Support for a NULL symmetric encryption using the B<EVP_CIPHER> API. +This is used when the TLS cipher suite is TLS_NULL_WITH_NULL_NULL. +This does no encryption (just copies the data) and has a mac size of zero. + +=head2 Algorithm Name + +The following algorithm is available in the default provider: + +=over 4 + +=item "NULL" + +=back + +=head2 Parameters + +This implementation supports the following parameters: + +=head3 Gettable EVP_CIPHER parameters + +See L<EVP_EncryptInit(3)/Gettable EVP_CIPHER parameters> + +=head3 Gettable EVP_CIPHER_CTX parameters + +=over 4 + +=item "keylen" (B<OSSL_CIPHER_PARAM_KEYLEN>) <unsigned integer> + +=item "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN> and <B<OSSL_CIPHER_PARAM_AEAD_IVLEN>) <unsigned integer> + +=item "tls-mac" (B<OSSL_CIPHER_PARAM_TLS_MAC>) <octet ptr> + +=back + +See L<EVP_EncryptInit(3)/PARAMETERS> for further information. + +=head3 Settable EVP_CIPHER_CTX parameters + +=over 4 + +=item "tls-mac-size" (B<OSSL_CIPHER_PARAM_TLS_MAC_SIZE>) <unsigned integer> + +=back + +See L<EVP_EncryptInit(3)/PARAMETERS> for further information. + +=head1 CONFORMING TO + +RFC 5246 section-6.2.3.1 + +=head1 SEE ALSO + +L<provider-cipher(7)>, L<OSSL_PROVIDER-default(7)> + +=head1 COPYRIGHT + +Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/doc/man7/EVP_MD-NULL.pod b/doc/man7/EVP_MD-NULL.pod new file mode 100644 index 000000000000..bce399a1e121 --- /dev/null +++ b/doc/man7/EVP_MD-NULL.pod @@ -0,0 +1,42 @@ +=pod + +=head1 NAME + +EVP_MD-NULL - The NULL EVP_MD implementation + +=head1 DESCRIPTION + +Support for a NULL digest through the B<EVP_MD> API. +This algorithm does nothing and returns 1 for its init, +update and final methods. + +=head2 Algorithm Name + +The following algorithm is available in the default provider: + +=over 4 + +=item "NULL" + +=back + +=head2 Gettable Parameters + +This implementation supports the common gettable parameters described +in L<EVP_MD-common(7)>. + +=head1 SEE ALSO + +L<EVP_MD_CTX_set_params(3)>, L<provider-digest(7)>, +L<OSSL_PROVIDER-default(7)> + +=head1 COPYRIGHT + +Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/doc/man7/EVP_PKEY-EC.pod b/doc/man7/EVP_PKEY-EC.pod index 668a024014b4..4b6dec35862c 100644 --- a/doc/man7/EVP_PKEY-EC.pod +++ b/doc/man7/EVP_PKEY-EC.pod @@ -142,7 +142,7 @@ Used for getting the EC public key X component. Used for getting the EC public key Y component. -=item (B<OSSL_PKEY_PARAM_DEFAULT_DIGEST>) <UTF8 string> +=item "default-digest" (B<OSSL_PKEY_PARAM_DEFAULT_DIGEST>) <UTF8 string> Getter that returns the default digest name. (Currently returns "SHA256" as of OpenSSL 3.0). @@ -272,7 +272,7 @@ L<EVP_KEYEXCH-ECDH(7)> =head1 COPYRIGHT -Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod index 58008ae59f19..2f34866d998b 100644 --- a/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/doc/man7/OSSL_PROVIDER-FIPS.pod @@ -172,6 +172,22 @@ The OpenSSL FIPS provider supports these operations and algorithms: =back +=head2 Random Number Generation + +=over 4 + +=item CTR-DRBG, see L<EVP_RAND-CTR-DRBG(7)> + +=item HASH-DRBG, see L<EVP_RAND-HASH-DRBG(7)> + +=item HMAC-DRBG, see L<EVP_RAND-HMAC-DRBG(7)> + +=item TEST-RAND, see L<EVP_RAND-TEST-RAND(7)> + +TEST-RAND is an unapproved algorithm. + +=back + =head1 SELF TESTING One of the requirements for the FIPS module is self testing. An optional callback @@ -409,7 +425,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/OSSL_PROVIDER-default.pod b/doc/man7/OSSL_PROVIDER-default.pod index 43ba0ef02d52..e39d76abdbb8 100644 --- a/doc/man7/OSSL_PROVIDER-default.pod +++ b/doc/man7/OSSL_PROVIDER-default.pod @@ -71,6 +71,8 @@ The OpenSSL default provider supports these operations and algorithms: =item RIPEMD160, see L<EVP_MD-RIPEMD160(7)> +=item NULL, see L<EVP_MD-NULL(7)> + =back =head2 Symmetric Ciphers @@ -93,6 +95,8 @@ The OpenSSL default provider supports these operations and algorithms: =item ChaCha20-Poly1305, see L<EVP_CIPHER-CHACHA(7)> +=item NULL, see L<EVP_CIPHER-NULL(7)> + =back =head2 Message Authentication Code (MAC) @@ -216,6 +220,22 @@ The OpenSSL default provider supports these operations and algorithms: =back +=head2 Random Number Generation + +=over 4 + +=item CTR-DRBG, see L<EVP_RAND-CTR-DRBG(7)> + +=item HASH-DRBG, see L<EVP_RAND-HASH-DRBG(7)> + +=item HMAC-DRBG, see L<EVP_RAND-HMAC-DRBG(7)> + +=item SEED-SRC, see L<EVP_RAND-SEED-SRC(7)> + +=item TEST-RAND, see L<EVP_RAND-TEST-RAND(7)> + +=back + =head2 Asymmetric Key Encoder The default provider also includes all of the encoding algorithms @@ -251,7 +271,7 @@ All other functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/crypto.pod b/doc/man7/crypto.pod index 59c60e4b5f92..ea81c91d3aff 100644 --- a/doc/man7/crypto.pod +++ b/doc/man7/crypto.pod @@ -116,7 +116,8 @@ algorithm implementations in the default provider. Property query strings can be specified explicitly as an argument to a function. It is also possible to specify a default property query string for the whole -library context using the L<EVP_set_default_properties(3)> function. Where both +library context using the L<EVP_set_default_properties(3)> or +L<EVP_default_properties_enable_fips(3)> functions. Where both default properties and function specific properties are specified then they are combined. Function specific properties will override default properties where there is a conflict. @@ -164,7 +165,7 @@ functions that use them. For example the L<EVP_DigestInit_ex(3)> function takes as a parameter an B<EVP_MD> object which may have been returned from an earlier call to L<EVP_MD_fetch(3)>. -=head2 Implicit fetch +=head2 Implicit fetching OpenSSL has a number of functions that return an algorithm object with no associated implementation, such as L<EVP_sha256(3)>, L<EVP_aes_128_cbc(3)>, @@ -210,6 +211,69 @@ propery string from the B<EVP_PKEY_CTX>. =back +=head2 Performance + +If you perform the same operation many times then it is recommended to use +L</Explicit fetching> to prefetch an algorithm once initially, +and then pass this created object to any operations that are currently +using L</Implicit fetching>. +See an example of Explicit fetching in L</USING ALGORITHMS IN APPLICATIONS>. + +Prior to OpenSSL 3.0, constant method tables (such as EVP_sha256()) were used +directly to access methods. If you pass one of these convenience functions +to an operation the fixed methods are ignored, and only the name is used to +internally fetch methods from a provider. + +If the prefetched object is not passed to operations, then any implicit +fetch will use the internally cached prefetched object, but it will +still be slower than passing the prefetched object directly. + +Fetching via a provider offers more flexibility, but it is slower than the +old method, since it must search for the algorithm in all loaded providers, +and then populate the method table using provider supplied methods. +Internally OpenSSL caches similar algorithms on the first fetch +(so loading a digest caches all digests). + +The following methods can be used for prefetching: + +=over 4 + +=item L<EVP_MD_fetch(3)> + +=item L<EVP_CIPHER_fetch(3)> + +=item L<EVP_KDF_fetch(3)> + +=item L<EVP_MAC_fetch(3)> + +=item L<EVP_KEM_fetch(3)> + +=item L<OSSL_ENCODER_fetch(3)> + +=item L<OSSL_DECODER_fetch(3)> + +=item L<EVP_RAND_fetch(3)> + +=back + +The following methods are used internally when performing operations: + +=over 4 + +=item L<EVP_KEYMGMT_fetch(3)> + +=item L<EVP_KEYEXCH_fetch(3)> + +=item L<EVP_SIGNATURE_fetch(3)> + +=item L<OSSL_STORE_LOADER_fetch(3)> + +=back + +See L<OSSL_PROVIDER-default(7)>, <OSSL_PROVIDER-fips(7)> and +<OSSL_PROVIDER-legacy(7)>for a list of algorithm names that +can be fetched. + =head1 FETCHING EXAMPLES The following section provides a series of examples of fetching algorithm @@ -404,6 +468,8 @@ encryption/decryption, signatures, message authentication codes, etc. * we're not supplying any particular search criteria for our SHA256 * implementation (second NULL parameter). Any SHA256 implementation will * do. + * In a larger application this fetch would just be done once, and could + * be used for multiple calls to other operations such as EVP_DigestInit_ex(). */ sha256 = EVP_MD_fetch(NULL, "SHA256", NULL); if (sha256 == NULL) @@ -504,7 +570,7 @@ L<openssl-glossary(7)>, L<provider(7)> =head1 COPYRIGHT -Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod index a234147f46a0..9eb4a031aa32 100644 --- a/doc/man7/migration_guide.pod +++ b/doc/man7/migration_guide.pod @@ -189,6 +189,15 @@ All new applications should use the new L<EVP_MAC(3)> interface. See also L<OSSL_PROVIDER-default(7)/Message Authentication Code (MAC)> and L<OSSL_PROVIDER-FIPS(7)/Message Authentication Code (MAC)>. +=head4 Algorithm Fetching + +Using calls to convenience functions such as EVP_sha256() and EVP_aes_256_gcm() may +incur a performance penalty when using providers. +Retrieving algorithms from providers involves searching for an algorithm by name. +This is much slower than directly accessing a method table. +It is recommended to prefetch algorithms if an algorithm is used many times. +See L<crypto(7)/Performance>, L<crypto(7)/Explicit fetching> and L<crypto(7)/Implicit fetching>. + =head4 Support for Linux Kernel TLS In order to use KTLS, support for it must be compiled in using the @@ -2213,6 +2222,28 @@ Use L<X509_load_http(3)> and L<X509_CRL_load_http(3)> instead. =back +=head3 NID handling for provided keys and algorithms + +The following functions for NID (numeric id) handling have changed semantics. + +=over 4 + +=item * + +EVP_PKEY_id(), EVP_PKEY_get_id() + +This function was previously used to reliably return the NID of +an EVP_PKEY object, e.g., to look up the name of the algorithm of +such EVP_PKEY by calling L<OBJ_nid2sn(3)>. With the introduction +of L<provider(7)>s EVP_PKEY_id() or its new equivalent +L<EVP_PKEY_get_id(3)> might now also return the value -1 +(B<EVP_PKEY_KEYMGMT>) indicating the use of a provider to +implement the EVP_PKEY object. Therefore, the use of +L<EVP_PKEY_get0_type_name(3)> is recommended for retrieving +the name of the EVP_PKEY algorithm. + +=back + =head2 Using the FIPS Module in applications See L<fips_module(7)> and L<OSSL_PROVIDER-FIPS(7)> for details. diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod index ac3f6271969d..0976a263a883 100644 --- a/doc/man7/provider-asym_cipher.pod +++ b/doc/man7/provider-asym_cipher.pod @@ -127,8 +127,7 @@ pointer to a provider key object in the I<provkey> parameter. The I<params>, if not NULL, should be set on the context in a manner similar to using OSSL_FUNC_asym_cipher_set_ctx_params(). The key object should have been previously generated, loaded or imported into -the provider using the key management (OSSL_OP_KEYMGMT) operation (see -provider-keymgmt(7)>. +the provider using the key management (OSSL_OP_KEYMGMT) operation (see L<provider-keymgmt(7)>). OSSL_FUNC_asym_cipher_encrypt() performs the actual encryption itself. A previously initialised asymmetric cipher context is passed in the I<ctx> parameter. @@ -150,7 +149,7 @@ The I<params>, if not NULL, should be set on the context in a manner similar to using OSSL_FUNC_asym_cipher_set_ctx_params(). The key object should have been previously generated, loaded or imported into the provider using the key management (OSSL_OP_KEYMGMT) operation (see -provider-keymgmt(7)>. +L<provider-keymgmt(7)>). OSSL_FUNC_asym_cipher_decrypt() performs the actual decryption itself. A previously initialised asymmetric cipher context is passed in the I<ctx> @@ -259,7 +258,7 @@ The provider ASYM_CIPHER interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod index c587e0e529b6..2fd803bb96b6 100644 --- a/doc/man7/provider-base.pod +++ b/doc/man7/provider-base.pod @@ -312,7 +312,7 @@ get_nonce() retrieves a nonce using the passed I<salt> parameter of length I<salt_len> and operating system specific information. The I<salt> should contain uniquely identifying information and this is included, in an unspecified manner, as part of the output. -The output is stored in a buffer which contrains at least I<min_len> and at +The output is stored in a buffer which contains at least I<min_len> and at most I<max_len> bytes. The buffer address is stored in I<*pout> and the buffer length returned to the caller. On error, zero is returned. @@ -779,7 +779,7 @@ This relies on a few things existing in F<openssl/core_dispatch.h>: #define OSSL_FUNC_BAR_FREECTX 2 typedef void (OSSL_FUNC_bar_freectx_fn)(void *ctx); - static ossl_inline OSSL_FUNC_bar_newctx(const OSSL_DISPATCH *opf) + static ossl_inline OSSL_FUNC_bar_freectx(const OSSL_DISPATCH *opf) { return (OSSL_FUNC_bar_freectx_fn *)opf->function; } #define OSSL_FUNC_BAR_INIT 3 @@ -809,7 +809,7 @@ introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-cipher.pod b/doc/man7/provider-cipher.pod index 1faf698107be..14ff581c72c4 100644 --- a/doc/man7/provider-cipher.pod +++ b/doc/man7/provider-cipher.pod @@ -228,7 +228,7 @@ L<EVP_CIPHER-AES(7)>, L<EVP_CIPHER-ARIA(7)>, L<EVP_CIPHER-BLOWFISH(7)>, L<EVP_CIPHER-CAMELLIA(7)>, L<EVP_CIPHER-CAST(7)>, L<EVP_CIPHER-CHACHA(7)>, L<EVP_CIPHER-DES(7)>, L<EVP_CIPHER-IDEA(7)>, L<EVP_CIPHER-RC2(7)>, L<EVP_CIPHER-RC4(7)>, L<EVP_CIPHER-RC5(7)>, L<EVP_CIPHER-SEED(7)>, -L<EVP_CIPHER-SM4(7)>, +L<EVP_CIPHER-SM4(7)>, L<EVP_CIPHER-NULL(7)>, L<life_cycle-cipher(7)>, L<EVP_EncryptInit(3)> =head1 HISTORY @@ -237,7 +237,7 @@ The provider CIPHER interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-decoder.pod b/doc/man7/provider-decoder.pod index f279955a6088..e968e661f7cf 100644 --- a/doc/man7/provider-decoder.pod +++ b/doc/man7/provider-decoder.pod @@ -34,7 +34,7 @@ provider-decoder - The OSSL_DECODER library E<lt>-E<gt> provider functions OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg); /* Functions to export a decoded object */ - void *OSSL_FUNC_decoder_export_object(void *ctx, + int OSSL_FUNC_decoder_export_object(void *ctx, const void *objref, size_t objref_sz, OSSL_CALLBACK *export_cb, void *export_cbarg); @@ -83,7 +83,7 @@ For example, the "function" OSSL_FUNC_decoder_decode() has these: int selection, OSSL_CALLBACK *data_cb, void *data_cbarg, OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg); - static ossl_inline OSSL_FUNC_decoder_decode_fn + static ossl_inline OSSL_FUNC_decoder_decode_fn* OSSL_FUNC_decoder_decode(const OSSL_DISPATCH *opf); L<OSSL_DISPATCH(3)> arrays are indexed by numbers that are provided as @@ -302,7 +302,7 @@ The DECODER interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-digest.pod b/doc/man7/provider-digest.pod index c96dfe396676..cac53ac291fe 100644 --- a/doc/man7/provider-digest.pod +++ b/doc/man7/provider-digest.pod @@ -268,6 +268,7 @@ L<EVP_MD-MD4(7)>, L<EVP_MD-MD5(7)>, L<EVP_MD-MD5-SHA1(7)>, L<EVP_MD-MDC2(7)>, L<EVP_MD-RIPEMD160(7)>, L<EVP_MD-SHA1(7)>, L<EVP_MD-SHA2(7)>, L<EVP_MD-SHA3(7)>, L<EVP_MD-SHAKE(7)>, L<EVP_MD-SM3(7)>, L<EVP_MD-WHIRLPOOL(7)>, +L<EVP_MD-NULL(7)>, L<life_cycle-digest(7)>, L<EVP_DigestInit(3)> =head1 HISTORY @@ -276,7 +277,7 @@ The provider DIGEST interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-keymgmt.pod b/doc/man7/provider-keymgmt.pod index be3a65e31978..c6399b8373b9 100644 --- a/doc/man7/provider-keymgmt.pod +++ b/doc/man7/provider-keymgmt.pod @@ -374,6 +374,36 @@ dimensions handled in the rest of the same provider. The value should be the number of security bits of the given key. Bits of security is defined in SP800-57. +=item "mandatory-digest" (B<OSSL_PKEY_PARAM_MANDATORY_DIGEST>) <UTF8 string> + +If there is a mandatory digest for performing a signature operation with +keys from this keymgmt, this parameter should get its name as value. + +When EVP_PKEY_get_default_digest_name() queries this parameter and it's +filled in by the implementation, its return value will be 2. + +If the keymgmt implementation fills in the value C<""> or C<"UNDEF">, +L<EVP_PKEY_get_default_digest_name(3)> will place the string C<"UNDEF"> into +its argument I<mdname>. This signifies that no digest should be specified +with the corresponding signature operation. + +=item "default-digest" (B<OSSL_PKEY_PARAM_DEFAULT_DIGEST>) <UTF8 string> + +If there is a default digest for performing a signature operation with +keys from this keymgmt, this parameter should get its name as value. + +When L<EVP_PKEY_get_default_digest_name(3)> queries this parameter and it's +filled in by the implementation, its return value will be 1. Note that if +B<OSSL_PKEY_PARAM_MANDATORY_DIGEST> is responded to as well, +L<EVP_PKEY_get_default_digest_name(3)> ignores the response to this +parameter. + +If the keymgmt implementation fills in the value C<""> or C<"UNDEF">, +L<EVP_PKEY_get_default_digest_name(3)> will place the string C<"UNDEF"> into +its argument I<mdname>. This signifies that no digest has to be specified +with the corresponding signature operation, but may be specified as an +option. + =back =head1 RETURN VALUES @@ -412,7 +442,7 @@ The KEYMGMT interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-signature.pod b/doc/man7/provider-signature.pod index fa38be1b16da..1a9859eac367 100644 --- a/doc/man7/provider-signature.pod +++ b/doc/man7/provider-signature.pod @@ -155,7 +155,7 @@ set of "signature" functions, i.e. at least one of: =item OSSL_FUNC_signature_verify_init and OSSL_FUNC_signature_verify -=item OSSL_FUNC_signature_verify_recover_init and OSSL_FUNC_signature_verify_init +=item OSSL_FUNC_signature_verify_recover_init and OSSL_FUNC_signature_verify_recover =item OSSL_FUNC_signature_digest_sign_init, OSSL_FUNC_signature_digest_sign_update and OSSL_FUNC_signature_digest_sign_final @@ -411,7 +411,7 @@ respectively. =head1 RETURN VALUES OSSL_FUNC_signature_newctx() and OSSL_FUNC_signature_dupctx() should return the newly created -provider side signature, or NULL on failure. +provider side signature context, or NULL on failure. OSSL_FUNC_signature_gettable_ctx_params(), OSSL_FUNC_signature_settable_ctx_params(), OSSL_FUNC_signature_gettable_md_ctx_params() and OSSL_FUNC_signature_settable_md_ctx_params(), @@ -429,7 +429,7 @@ The provider SIGNATURE interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/engines/e_padlock.c b/engines/e_padlock.c index 9ad1c48c71a5..7e0cfc21fc9b 100644 --- a/engines/e_padlock.c +++ b/engines/e_padlock.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -146,6 +146,19 @@ static int padlock_init(ENGINE *e) return (padlock_use_rng || padlock_use_ace); } +# ifndef AES_ASM +static int padlock_aes_set_encrypt_key(const unsigned char *userKey, + const int bits, + AES_KEY *key); +static int padlock_aes_set_decrypt_key(const unsigned char *userKey, + const int bits, + AES_KEY *key); +# define AES_ASM +# define AES_set_encrypt_key padlock_aes_set_encrypt_key +# define AES_set_decrypt_key padlock_aes_set_decrypt_key +# include "../crypto/aes/aes_core.c" +# endif + /* * This stuff is needed if this ENGINE is being compiled into a * self-contained shared-library. @@ -646,12 +659,10 @@ padlock_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, AES_set_decrypt_key(key, key_len, &cdata->ks); else AES_set_encrypt_key(key, key_len, &cdata->ks); -# ifndef AES_ASM /* * OpenSSL C functions use byte-swapped extended key. */ padlock_key_bswap(&cdata->ks); -# endif cdata->cword.b.keygen = 1; break; diff --git a/include/crypto/bn.h b/include/crypto/bn.h index 390e5ac07c2b..fd1c09d997de 100644 --- a/include/crypto/bn.h +++ b/include/crypto/bn.h @@ -114,10 +114,4 @@ OSSL_LIB_CTX *ossl_bn_get_libctx(BN_CTX *ctx); extern const BIGNUM ossl_bn_inv_sqrt_2; -int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, - const BN_BLINDING *blinding, - const BIGNUM *possible_arg2, - const BIGNUM *to_mod, BN_CTX *ctx, - unsigned char *buf, int num); - #endif diff --git a/include/crypto/cmperr.h b/include/crypto/cmperr.h index ac61dd4875c2..2bd163738466 100644 --- a/include/crypto/cmperr.h +++ b/include/crypto/cmperr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/dsaerr.h b/include/crypto/dsaerr.h index 9898097d0dd1..fde8358fc96d 100644 --- a/include/crypto/dsaerr.h +++ b/include/crypto/dsaerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/ecerr.h b/include/crypto/ecerr.h index 4658ae8fb2cd..782526bf8565 100644 --- a/include/crypto/ecerr.h +++ b/include/crypto/ecerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/internal/refcount.h b/include/internal/refcount.h index 7412d62f56fd..3392d3b490d5 100644 --- a/include/internal/refcount.h +++ b/include/internal/refcount.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -13,7 +13,7 @@ # include <openssl/e_os2.h> # include <openssl/trace.h> -# ifndef OPENSSL_DEV_NO_ATOMICS +# if defined(OPENSSL_THREADS) && !defined(OPENSSL_DEV_NO_ATOMICS) # if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L \ && !defined(__STDC_NO_ATOMICS__) # include <stdatomic.h> diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in index f05cb3e54851..fb5ae6717f8e 100644 --- a/include/openssl/cmp.h.in +++ b/include/openssl/cmp.h.in @@ -1,7 +1,7 @@ /* * {- join("\n * ", @autowarntext) -} * - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -323,8 +323,8 @@ int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted, int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX *ctx, EVP_PKEY *pkey); int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx, const unsigned char *ref, int len); -int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec, - const int len); +int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, + const unsigned char *sec, int len); /* CMP message header and extra certificates: */ int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX *ctx, const X509_NAME *name); int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav); @@ -384,6 +384,7 @@ ASN1_OCTET_STRING *OSSL_CMP_HDR_get0_recipNonce(const OSSL_CMP_PKIHEADER *hdr); OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg); int OSSL_CMP_MSG_get_bodytype(const OSSL_CMP_MSG *msg); int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); +int OSSL_CMP_MSG_update_recipNonce(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid); OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx, const char *propq); diff --git a/include/openssl/cmperr.h b/include/openssl/cmperr.h index 06e9dbff363d..49fd5e392a17 100644 --- a/include/openssl/cmperr.h +++ b/include/openssl/cmperr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -67,7 +67,9 @@ # define CMP_R_MISSING_P10CSR 121 # define CMP_R_MISSING_PBM_SECRET 166 # define CMP_R_MISSING_PRIVATE_KEY 131 +# define CMP_R_MISSING_PRIVATE_KEY_FOR_POPO 190 # define CMP_R_MISSING_PROTECTION 143 +# define CMP_R_MISSING_PUBLIC_KEY 183 # define CMP_R_MISSING_REFERENCE_CERT 168 # define CMP_R_MISSING_SECRET 178 # define CMP_R_MISSING_SENDER_IDENTIFICATION 111 diff --git a/include/openssl/dsaerr.h b/include/openssl/dsaerr.h index 5f0ca8d12a30..26ada57d80ab 100644 --- a/include/openssl/dsaerr.h +++ b/include/openssl/dsaerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -38,6 +38,7 @@ # define DSA_R_P_NOT_PRIME 115 # define DSA_R_Q_NOT_PRIME 113 # define DSA_R_SEED_LEN_SMALL 110 +# define DSA_R_TOO_MANY_RETRIES 116 # endif #endif diff --git a/include/openssl/ecerr.h b/include/openssl/ecerr.h index 46405ac62d91..f15f91f6bf05 100644 --- a/include/openssl/ecerr.h +++ b/include/openssl/ecerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -90,6 +90,7 @@ # define EC_R_RANDOM_NUMBER_GENERATION_FAILED 158 # define EC_R_SHARED_INFO_ERROR 150 # define EC_R_SLOT_FULL 108 +# define EC_R_TOO_MANY_RETRIES 176 # define EC_R_UNDEFINED_GENERATOR 113 # define EC_R_UNDEFINED_ORDER 128 # define EC_R_UNKNOWN_COFACTOR 164 diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums index 10076d9d2e05..dea6ef04e23d 100644 --- a/providers/fips-sources.checksums +++ b/providers/fips-sources.checksums @@ -21,13 +21,17 @@ c56c324667b67d726e040d70379efba5b270e2937f403c1b5979018b836903c7 crypto/aes/asm c7c6694480bb5319690f94826139a93f5c460ebea6dba101b520a76cb956ec93 crypto/aes/asm/aesni-x86_64.pl f3a8f3c960c0f47aaa8fc2633d18b14e7c7feeccc536b0115a08bc58333122b6 crypto/aes/asm/aesp8-ppc.pl e397a5781893e97dd90a5a52049633be12a43f379ec5751bca2a6350c39444c8 crypto/aes/asm/aest4-sparcv9.pl -90d53250761de35280f57463855b1a41403c68dfe22771b2f622c5c9b3418eb4 crypto/aes/asm/aesv8-armx.pl -15cf92ba0ea6fb216c75bb0c134fa1e1b4159a3f9d3c571b2a8319252c4ae633 crypto/aes/asm/bsaes-armv7.pl +a097f9d71de7cefa8e93629033ff1986fb01128623ec051d9b5afef55c0e5ebb crypto/aes/asm/aesv8-armx.pl +5e8005fdb6641df465bdda20c3476f7176e6bcd63d5073044a0c02a327c7f172 crypto/aes/asm/bsaes-armv7.pl 0726a2c4c15c27a12b2f7d5e16863df4a1b1daa7b7d9b728f621b2b224d290e6 crypto/aes/asm/bsaes-x86_64.pl 1ff94d6bf6c8ae4809f64657eb89260fe3cb22137f649d3c73f72cb190258196 crypto/aes/asm/vpaes-armv8.pl c3541865cd02d81101cdbab4877ed82772e6980d2c677b9008b38fa1b26d36d4 crypto/aes/asm/vpaes-ppc.pl 3ec24185750a995377516bc2fb2eae8b1c52094c6fff093bff591837fc12d6c3 crypto/aes/asm/vpaes-x86.pl 060bb6620f50af9afecdf97df051b45b9a50be9daf343dfec1cbb29693ce00a4 crypto/aes/asm/vpaes-x86_64.pl +2bc67270155e2d6c7da87d9070e005ee79cea18311004907edfd6a078003532a crypto/alphacpuid.pl +0255a480b78bdcc71f76676f496962a9828eb900f53b7be13be96ae3f67fe6db crypto/arm64cpuid.pl +e0daf54f72dd8fd1bc537d93f34e2a6a887a9ed6027bb33e15a327ef5ff37a42 crypto/armcap.c +a43f2c1eef16146943745f684f2add7d186924932a47abf7fb0760cba02804e6 crypto/armv4cpuid.pl 16739d54200fb81ca7835b5814f965022a2ab41589c7787e2697e3ea72d4fafa crypto/asn1_dsa.c 819c9fd2b0cae9aab81c3cbd1815c2e22949d75f132f649b5883812d0bbaa39a crypto/bn/asm/alpha-mont.pl 0070595128b250b9ebdebe48ce53d2d27ca16ec4f7c6c8bd169ab2e4a913b2d1 crypto/bn/asm/armv4-gf2m.pl @@ -66,8 +70,8 @@ d444ca73875e97e0ea88b20e4c02f2fcf3850e8b9311e3b67a2d04fe2796d543 crypto/bn/asm/ da7f7780d27eed164797e5334cd45b35d9c113e86afaca051463aef9a8fd787c crypto/bn/asm/x86_64-mont.pl 259fb8d7f40c0dba46920b1f169d5b37de03b0fda645463d19e3ae2b56de851d crypto/bn/asm/x86_64-mont5.pl 0ea8185a037a2951bb3d1e590bbbdeac305176d5e618f3e43a04c09733a9de34 crypto/bn/bn_add.c -3962dfaa0142e67115ab84f7809d46d59bd122758be09a081b08b2e0d4743b2e crypto/bn/bn_asm.c -01a35f971062b97b4953604151d3b6a411be439743b5540aa25b638d2186db6f crypto/bn/bn_blind.c +759c2b9df808b3562fe8b0c7778dbadbf35f261e14fc2d5090d18c35b4181760 crypto/bn/bn_asm.c +14bd5a35c05fcf454854b92fb30b356d7ac618c1eb699dd798f6ad2936d1f5ee crypto/bn/bn_blind.c 7b761d541e3b7f6a3f2b14a09b2b3836a079a845cf67a54db4853e3fd38277c6 crypto/bn/bn_const.c 58b587e20404efa408b31a88ba9c357059ced709bea78c07deb91df7b687db81 crypto/bn/bn_conv.c 2893b6d03d4850d09c15959941b0759bbb50d8c20e873bed088e7cde4e15a65a crypto/bn/bn_ctx.c @@ -79,28 +83,28 @@ ec2b6e3af6df473a23e7f1a8522f2554cb0eb5d34e3282458c4a66d242278434 crypto/bn/bn_e 4d6cc7ed36978247a191df1eea0120f8ee97b639ba228793dabe5a8355a1a609 crypto/bn/bn_gf2m.c 081e8a6abc23599307dab3b1a92113a65e0bf8717cbc40c970c7469350bc4581 crypto/bn/bn_intern.c 602ed46fbfe12c899dfb7d9d99ff0dbfff96b454fce3cd02817f3e2488dd9192 crypto/bn/bn_kron.c -b33295765dc6d3843e3571007e2d6dbe75564645ebf181191a91464706d9fadb crypto/bn/bn_lib.c -0567e3881c4577f25eb7b93070ac1914251d5ef98e3ac4ebacec09a65a12868c crypto/bn/bn_local.h +bf73a1788a92142963177fb698bc518af9981bbf0ad9784701fbb2462ca10607 crypto/bn/bn_lib.c +d5beb9fbac2ff5dc3ccbdfa4d1aabca7225c778cff4e3b05b6d6c63e182637f5 crypto/bn/bn_local.h 07247dc2ccc55f3be525baed92fd20031bbaa80fd0bc56155e80ee0da3fc943d crypto/bn/bn_mod.c f60f3d49b183b04bcdf9b82f7c961b8c1bcb00e68a2c1166fe9edd95a783356e crypto/bn/bn_mont.c 2da73a76b746a47d8cf8ec8b3e0708c2a34e810abde4b4f1241a49e7f5bb2b60 crypto/bn/bn_mpi.c 76982b18b0803d59b33168b260677e7412970757d3b9513de5c80025290f211d crypto/bn/bn_mul.c -4e3bf49a788ec36cd1d919475bc410a743931aa144e7c60d603e9c0b448faab4 crypto/bn/bn_nist.c +1f65ad369352d51af1a75eccf598cb497b400ebd86252f5ca8aac54bbb3cc7bd crypto/bn/bn_nist.c c6760a724d696b7209f0a71f8483fabcf4f081f7e93e2628284c32ef78f69365 crypto/bn/bn_prime.c c56ad3073108a0de21c5820a48beae2bccdbf5aa8075ec21738878222eb9adc3 crypto/bn/bn_prime.h 628419eabdb88b265823e43a7a1c88fdfecef79771180836f6089050dc9eadb1 crypto/bn/bn_rand.c 1f6e13da1d9965b341f81bc0842a987a7db9b7de0fa7f7040d49be01b92d282b crypto/bn/bn_recp.c -626226d4dae8e19530a60d8a94b270b262740550787fc46f686b301a043c705b crypto/bn/bn_rsa_fips186_4.c +a5c5c9f99961a5a7f22a3dcdce964c8a330f822be17f08652223a20fed747d0a crypto/bn/bn_rsa_fips186_4.c 704b0b4723e5c9e9bae5f3e35f9ae8ae8dca3383929e954de9e5169845abfdb2 crypto/bn/bn_shift.c 622e90766b29e0d25f46474429aebda8eba2246835b9e85dc26da7cdbd49334f crypto/bn/bn_sqr.c 42c8ce944c889abcfcf089d0ad2744b7587696d8d7785efa91b3f7ec53dc062a crypto/bn/bn_sqrt.c 24e62baa56e02f2db6454e10168b7c7fa7638db9221b9acda1803d43f38f36e0 crypto/bn/bn_word.c -2e69544977adab07422acab5cbb32f4efb7ab68bc160dde711e3f7a8e755b43d crypto/bn/rsa_sup_mul.c be27115efd36f0077a3ec26b1ff1f586b0b8969ba05d8ffa34b2ff4badf227bf crypto/bn/rsaz_exp.c c4d64da1cdc732ea918fccd6a7bb2746b03365dd26f7ba1e74e08c307ca4c58e crypto/bn/rsaz_exp.h 5b82cb8dbf3087c2e671871cb0a92e4039223a51af533a2ee996f3bfd47453a7 crypto/bn/rsaz_exp_x2.c 834db8ff36006e5cb53e09ca6c44290124bd23692f4341ea6563b66fcade4cea crypto/bsearch.c c39334b70e1394e43f378ae8d31b6e6dc125e4d9181e6536d38e649c4eaadb75 crypto/buffer/buffer.c +5f43844b5d8665de9ab895f93599150a327d73ec2674bbf7d7c512d30163022d crypto/c64xpluscpuid.pl 0e1a41a2d81b5765bca3df448f60bf1fad91e485fe89dd65a7300ffc419e316d crypto/cmac/cmac.c ff9be205d6d7ff00b0e64508f0eb8d9ec0415fbabc0948d26e308212b3f7b2d8 crypto/context.c c309d81ea991ddf5be4337afad2fd132169f7443c76f863349d3f3c82f3374e4 crypto/core_algorithm.c @@ -131,10 +135,10 @@ ae727bf6319eb57e682de35d75ea357921987953b3688365c710e7fba51c7c58 crypto/dsa/dsa b1de1624e590dbf76f76953802ff162cc8de7c5e2eaba897313c866424d6902b crypto/dsa/dsa_key.c 9e436a2e0867920c3a5ac58bc14300cad4ab2c4c8fe5e40b355dfd21bfdfe146 crypto/dsa/dsa_lib.c f4d52d3897219786c6046bf76abb2f174655c584caa50272bf5d281720df5022 crypto/dsa/dsa_local.h -f88db9fd73a78e66967e56df442b55230f405b4cd804f31f8696324f0b702f15 crypto/dsa/dsa_ossl.c -6222aa8f60d7451d974dd87c66995033919f36d7f858cbe609cf731ad1eee34e crypto/dsa/dsa_sign.c +38062c6eebdb2f88fa0c6592837a96a49de2ae520d3ad483a3e02921c8adb094 crypto/dsa/dsa_ossl.c +d612fd05ff98816ba6cf37f84c0e31443ad9d840ed587a7ab2066027da390325 crypto/dsa/dsa_sign.c 53fa10cc87ac63e35df661882852dc46ae68e6fee83b842f1aeefe00b8900ee1 crypto/dsa/dsa_vrf.c -0a206e4c4de4702808cba7c9304bedb66abcbc33e513bc25574a795cd5fa3db0 crypto/ec/asm/ecp_nistp521-ppc64.pl +d9722ad8c6b6e209865a921f3cda831d09bf54a55cacd1edd9802edb6559190a crypto/ec/asm/ecp_nistp521-ppc64.pl 78ad06b88fcc8689a3a846b82f9ee01546e5734acd1bccf2494e523b71dc74d1 crypto/ec/asm/ecp_nistz256-armv4.pl 4617351d2de4d0b2abfd358c58050cee00702d0b4c1acca09312ec870e351c7d crypto/ec/asm/ecp_nistz256-armv8.pl 3715ddd921425f3018741037f01455ed26a840ace08691a800708170a66cf4d2 crypto/ec/asm/ecp_nistz256-ppc64.pl @@ -174,7 +178,7 @@ fa901b996eb0e460359cd470843bdb03af7a77a2f1136c5e1d30daef70f3e4d2 crypto/ec/ec_m 129c6b42417bfcf582f4a959cfd65433e6f85b158274f4fa38f9c62615ac9166 crypto/ec/ec_oct.c c7fba2f2c33f67dafa23caef8c3abd12f5336274a9a07d412b83be0366969ee6 crypto/ec/ecdh_kdf.c b2cf8f052a5716137da7b0e857ed7a5df5fb513b6d14534199a05e32f2b5a866 crypto/ec/ecdh_ossl.c -c3750d77c287500884a1ab01def8a6a8500c345d5de1c0f6a70e614fff1b9755 crypto/ec/ecdsa_ossl.c +099f7836a31643c58bda3829090ea81fe3d5acaa4c6f7b145d8355a4293d0ccc crypto/ec/ecdsa_ossl.c b6baa42b16e8df69a12e0ab101033100cddc808ec2682ba1574373e6ec86ae93 crypto/ec/ecdsa_sign.c f686cea8c8a3259d95c1e6142813d9da47b6d624c62f26c7e4a16d5607cddb35 crypto/ec/ecdsa_vrf.c 141cfc1459214555b623517a054a9e8d5e4065a11301237b7247be2c6f397a0a crypto/ec/ecp_mont.c @@ -187,7 +191,7 @@ b4b7c683279454ba41438f50a015cb63ef056ccb9be0168918dfbae00313dc68 crypto/ec/ecp_ 22c44f561ab42d1bd7fd3a3c538ebaba375a704f98056b035e7949d73963c580 crypto/ec/ecx_key.c 28abc295dad8888b5482eb61d31cd78dd80545ecb67dc6f9446a36deb8c40a5e crypto/evp/asymcipher.c 0e75a058dcbbb62cfe39fec6c4a85385dc1a8fce794e4278ce6cebb29763b82b crypto/evp/dh_support.c -59d514629005748901718e82f2646ecb1d7fbedbc872726749ce9a5af0d205f2 crypto/evp/digest.c +1af3872164b4a4757bc7896a24b4d2f8eb2cfb4cba0d872a93db69975693e0a6 crypto/evp/digest.c 838277f228cd3025cf95a9cd435e5606ad1fb5d207bbb057aa29892e6a657c55 crypto/evp/ec_support.c 1c3d1b1f800b1f1f5adb1fdbdd67cdf37ca7ea93b264d1468c72a63c140873ce crypto/evp/evp_enc.c 7f10367f9b6191c4a8c01784130d26b2d778485a41cdac5fa17c9a1c4096f132 crypto/evp/evp_fetch.c @@ -200,30 +204,31 @@ ca8c6cfd30efd53f2e5d1f19bcf09a3a3d0dff6d8947c3943d07a3f4b354aa86 crypto/evp/exc 1d72f5506984df1df8606e8c7045f041cf517223e2e1b50c4da8ba8bf1c6c186 crypto/evp/kdf_meth.c 5179624b8e03615dc9caedc9ec16d094fa081495613dd552d71c2c39475bcd83 crypto/evp/kem.c 5016dd7ef8b4cf7e9ea8465c18d1daa4c8808cb589261cf236058ee75bc868d7 crypto/evp/keymgmt_lib.c -a976cf4e7bfb61e06a147360b748238010d23efb069d191fd023abc38d9a2af9 crypto/evp/keymgmt_meth.c +46ffdc73f8a7fc314dc8988f2751a6e9f9784719f4f162dc4be2450b65b55261 crypto/evp/keymgmt_meth.c e1a052839b8b70dca20dbac1282d61abd1c415bf4fb6afb56b811e8770d8a2e1 crypto/evp/m_sigver.c 4290c95f63b43688a8da57690d122add5161a6811f9753da1444d28f46739961 crypto/evp/mac_lib.c e7e8eb5683cd3fbd409df888020dc353b65ac291361829cc4131d5bc86c9fcb3 crypto/evp/mac_meth.c -b3eebfe75d050bef62a2ce6c13399a2b72bdf60bb540666d01a47691f68931b3 crypto/evp/p_lib.c +546d83abecf8973e2d872102a03bde5a46552909fa9e7d1402e1464a27453801 crypto/evp/p_lib.c 3b4228b92eebd04616ecc3ee58684095313dd5ffd1b43cf698a7d6c202cb4622 crypto/evp/pmeth_check.c 1f0e9e94e9b0ad322956521b438b78d44cfcd8eb974e8921d05f9e21ba1c05cf crypto/evp/pmeth_gn.c 76511fba789089a50ef87774817a5482c33633a76a94ecf7b6e8eb915585575d crypto/evp/pmeth_lib.c 4b2dbddf0f9ceed34c3822347138be754fb194febca1c21c46bcc3a5cce33674 crypto/evp/signature.c b06cb8fd4bd95aae1f66e1e145269c82169257f1a60ef0f78f80a3d4c5131fac crypto/ex_data.c -709d40d5096497349b8b9e2917e949a0a75e6065df62798d1816866ca7e7b4ca crypto/ffc/ffc_backend.c +1c8389c5d49616d491978f0f2b2a54ba82d805ec41c8f75c67853216953cf46a crypto/ffc/ffc_backend.c a12af33e605315cdddd6d759e70cd9632f0f33682b9aa7103ed1ecd354fc7e55 crypto/ffc/ffc_dh.c 854378f57707e31ad02cca6eec94369f91f327288d3665713e249c12f7b13211 crypto/ffc/ffc_key_generate.c 2695c9c8ad9193a8c1ab53d5d09712d50d12c91eb8d62e8a15cbc78f327afe84 crypto/ffc/ffc_key_validate.c -b18d5d7cfc95163defea41f5a081e90f6a7163a6b81c6cfadb8b470ef2e83fc5 crypto/ffc/ffc_params.c +8b72d5a7452b2c15aec6d20027053a83f7df89d49a3b6cfedd77e2b1a29e9fc1 crypto/ffc/ffc_params.c 1a1d227f9a0f427d2ec93bc646c726c9cd49a84a343b4aff0c9c744fa6df05a9 crypto/ffc/ffc_params_generate.c 73dac805abab36cd9df53a421221c71d06a366a4ce479fa788be777f11b47159 crypto/ffc/ffc_params_validate.c 0a4fc92e408b0562cf95c480df93a9907a318a2c92356642903a5d50ed04fd88 crypto/hmac/hmac.c 0395c1b0834f2f4a0ca1756385f4dc1a4ef6fb925b2db3743df7f57256c5166f crypto/hmac/hmac_local.h +0e2d6129504d15ffaf5baa63158ccec0e4b6193a8275333956d8f868ef35127e crypto/ia64cpuid.S f897493b50f4e9dd4cacb2a7accda6683c10ece602641874cdff1dac7128a751 crypto/initthread.c 5482c47c266523129980302426d25839fda662f1544f4b684707e6b272a952c9 crypto/lhash/lhash.c 5d49ce00fc06df1b64cbc139ef45c71e0faf08a33f966bc608c82d574521a49e crypto/lhash/lhash_local.h f866aafae928db1b439ac950dc90744a2397dfe222672fe68b3798396190c8b0 crypto/mem_clr.c -183bdca6f855182d7d2c78a5c961b34283f85ea69ac828b700605ee82546397d crypto/modes/asm/aes-gcm-armv8_64.pl +e14f48d4112c0efe3826b4aa390cc24045a85298cc551ec7f3f36ac4236d7d81 crypto/modes/asm/aes-gcm-armv8_64.pl 1d686af304f94743038f916125effcb51790c025f3165d8d37b526bbeee781f0 crypto/modes/asm/aesni-gcm-x86_64.pl c2e874a8deb418b5d8c935b2e256370566a5150e040c9fa008cdb5b463c26904 crypto/modes/asm/ghash-alpha.pl 6bc7d63569c73d7020ede481f2de05221ac92403c7cc11e7263ada7644f6aa9b crypto/modes/asm/ghash-armv4.pl @@ -251,6 +256,8 @@ c2fe815fb3fd5efe9a6544cae55f9469063a0f6fb728361737b927f6182ae0bb crypto/param_b 06e67fdd2a308bf355c8dae2e0acd9af94f6e53d428a7d31966311eb5c0aebc1 crypto/params.c 4fda13f6af05d80b0ab89ec4f5813c274a21a9b4565be958a02d006236cef05c crypto/params_dup.c a0097ff2da8955fe15ba204cb54f3fd48a06f846e2b9826f507b26acf65715c3 crypto/params_from_text.c +97cb7414dc2f165d5849ee3b46cdfff0afb067729435d9c01a747e0ca41e230c crypto/ppccap.c +3ca43596a7528dec8ff9d1a3cd0d68b62640f84b1d6a8b5e4842cfd0be1133ad crypto/ppccpuid.pl b4d34272a0bd1fbe6562022bf7ea6259b6a5a021a48222d415be47ef5ef2a905 crypto/property/defn_cache.c 7da6ae864beb1a4daa4be31eb41d48141a3a7eb7a263a4937a6889e05656a595 crypto/property/property.c 66da4f28d408133fb544b14aeb9ad4913e7c5c67e2826e53f0dc5bf4d8fada26 crypto/property/property_local.h @@ -272,14 +279,16 @@ a65e85be5269d8cb88e86b3413c978fa8994419a671092cbf104ff1a08fda23b crypto/rsa/rsa cf0b75cd54b61b9b9a290ef18d0ddce9fb26a029a54eb3f720d9b25188440f00 crypto/rsa/rsa_mp_names.c 5c60f6e05db82e13178d805deb1947b8eee4a905e6e77523d3b288da70a46bb5 crypto/rsa/rsa_none.c 33de2accc3af530fd0a4758eb83d5e1d994bf49bac4512b01387dbae656e1a7d crypto/rsa/rsa_oaep.c -178c98421b54ec50ee55470a7b1acb771ed22efef2c2c0e059544baa7e6d387e crypto/rsa/rsa_ossl.c +e05fcad237b7e4e7842ad6e142789fe25d060247283c337c78703be6ecc31ed9 crypto/rsa/rsa_ossl.c be3f39c1fcb777d6c0122061f9ef735d10a6bee95d67fcc1ca6ae2a664022d2b crypto/rsa/rsa_pk1.c 174a42e156be48927fe6d6bf0d95575619b8e643a99761275bff933bc3449722 crypto/rsa/rsa_pss.c bf6d300b7e7e9e512a47c5bd1f8713806ae3033a140d83dfae4a16ad58d11170 crypto/rsa/rsa_schemes.c f01af62704dbf9457e2669c3e7c1d4d740f0388faa49df93611b987a8aa2bf11 crypto/rsa/rsa_sign.c 740c022caff3b2487c5838b581cdddcc7de2ceabb504aad72dc0dd70a67bf7cf crypto/rsa/rsa_sp800_56b_check.c -20e54cf2a8fd23ced0962c5f358cedd8ec0c398a87d33b34f1a4326d11e4892e crypto/rsa/rsa_sp800_56b_gen.c +3aba73dacebb046faf8d09dc279149b52c629004b524ec33e6d81c8ad0bc31a8 crypto/rsa/rsa_sp800_56b_gen.c 1c1c2aeeb18bf1d69e8f134315b7e50d8f43d30eb1aa5bf42983eec9136a2fdc crypto/rsa/rsa_x931.c +0acbebed48f6242d595c21e3c1ad69da0daa960d62062e8970209deda144f337 crypto/s390xcap.c +22205848cfb55116ebf999dced8331b575886a609ce29e6886e6267b2310c337 crypto/s390xcpuid.pl 5fa59240ca885cbc0c1cd026934b226d44fc9c3fdf0c2e7e3a7bd7f4963ca2e5 crypto/self_test_core.c 05c533fde7fdba0c76103e97d881b7224c8427451b453e2f6413552996063e31 crypto/sha/asm/keccak1600-armv4.pl ca3b2b654f9a8c4bc2fa2538c1f19d17acd4a6b9e0df6a4b81df04efa697e67e crypto/sha/asm/keccak1600-armv8.pl @@ -329,17 +338,20 @@ f64d16c1e5c3fa4a7969de494a8372127502171a517c14be7a1e3a43a7308699 crypto/sha/asm 3d972a11be18bfbfcd45790028635d63548bfe0a2e45d2fc56b6051b759d22f0 crypto/sha/sha3.c 8038a5a97f826f519424db634be5b082b3f7eca3ccb89875ca40fa6bd7dfdcfd crypto/sha/sha512.c 6c6f0e6069ac98e407a5810b84deace2d1396d252c584703bcd154d1a015c3ea crypto/sha/sha_local.h +9ef5a01caccc2eb15f72e367d0424737040ac8018479bbbbce3d216c655765c2 crypto/sparccpuid.S +5056b14a55665ffa342a9a1bb32c1c36886add5d0819869193427f33cee028f7 crypto/sparcv9cap.c c50c584c55e56347bb43aca4b796b5344d70daece3061f586b79c871c21f5d1a crypto/sparse_array.c 8da78169fa8c09dc3c29c9bf1602b22e88c5eac4815e274ba1864c166e31584b crypto/stack/stack.c 7b4efa594d8d1f3ecbf4605cf54f72fb296a3b1d951bdc69e415aaa08f34e5c8 crypto/threads_lib.c a41ae93a755e2ec89b3cb5b4932e2b508fdda92ace2e025a2650a6da0e9e972c crypto/threads_none.c 2637a8727dee790812b000f2e02b336f7907949df633dda72938bbaafdb204fe crypto/threads_pthread.c -7959c65c27280cdb1166a30a27c931befd6cfa4ed109094c40eb5a6d253c790c crypto/threads_win.c +88423960f0414f6fd41fba4f4c67f9f7260c2741e4788adcd52493e895ec8027 crypto/threads_win.c fd6c27cf7c6b5449b17f2b725f4203c4c10207f1973db09fd41571efe5de08fd crypto/x86_64cpuid.pl +bbec287bb9bf35379885f8f8998b7fd9e8fc22efee9e1b299109af0f33a7ee16 crypto/x86cpuid.pl 0a9c484f640d96e918921f57f592e82e99ccdbe35d3138d64b10c7af839e9a07 e_os.h 6f353dc7c8c4d8f24f7ffbf920668ccb224ebb5810805a7c80d96770cd858005 include/crypto/aes_platform.h 8c6f308c1ca774e6127e325c3b80511dbcdc99631f032694d8db53a5c02364ee include/crypto/asn1_dsa.h -f49a26fc4348f3b79507dc4a04fade82cf870f7c22e6c977f402c859fdd1b98b include/crypto/bn.h +8ce1b35c6924555ef316c7c51d6c27656869e6da7f513f45b7a7051579e3e54d include/crypto/bn.h 1c46818354d42bd1b1c4e5fdae9e019814936e775fd8c918ca49959c2a6416df include/crypto/bn_conf.h.in 7a43a4898fcc8446065e6c99249bcc14e475716e8c1d40d50408c0ab179520e6 include/crypto/bn_dh.h e69b2b20fb415e24b970941c84a62b752b5d0175bc68126e467f7cc970495504 include/crypto/cryptlib.h @@ -378,7 +390,7 @@ dd7ddecf30bef3002313e6b776ce34d660931e783b2f6edacf64c7c6e729e688 include/intern d4ac19b28ea61f03383364cfad1e941cac44fc36787d80882c5b76ecc9d34e29 include/internal/property.h 727326afb3d33fdffdf26471e313f27892708318c0934089369e4b28267e2635 include/internal/propertyerr.h 6a899ef3e360c7144d84d3c3dbbd14aa457f5d38b83b13c0be7ec7f372076595 include/internal/provider.h -5af9a40c44def13576fe2c0eb082fb73c3565c5e00f902d51b1ed1593d481ccb include/internal/refcount.h +80d7d12b8b3d9945bde3991cb0d1413d120a58a04b17ac673549789e3f37b18a include/internal/refcount.h 11ee9893f7774c83fcfdee6e0ca593af3d28b779107883553facdbfdae3a68f5 include/internal/sha3.h 494ab5c802716bf38032986674fb094dde927a21752fe395d82e6044d81801d1 include/internal/sizes.h 24f41a1985fa305833c3f58030c494d2563d15fc922cdf3eeb6a7ea8c135a880 include/internal/symhacks.h @@ -410,11 +422,11 @@ fa3e6b6c2e6222424b9cd7005e3c5499a2334c831cd5d6a29256ce945be8cb1d include/openss 3a57eceec58ab781d79cb0458c2251a233f45ba0ef8f414d148c55ac2dff1bc8 include/openssl/dh.h 836130f5a32bbdce51b97b34758ed1b03a9d06065c187418eaf323dca6adfc6d include/openssl/dherr.h 92ae2c907fd56859e3ae28a085071611be5c9245879305cdf8bad027219e64b6 include/openssl/dsa.h -335eb40a33cd1e95e7783bda2d031ec2bcf02cff8aa804ba3484d1354452b7ea include/openssl/dsaerr.h +276d1f6e111ba933bc708e6a0670047cbe0d0b67aabe31807abbbc231de4d8cf include/openssl/dsaerr.h 41bf49e64e1c341a8c17778147ddeba35e88dfd7ff131db6210e801ef25a8fd5 include/openssl/e_os2.h bc9ec2be442a4f49980ba2c63c8f0da701de1f6e23d7db35d781658f833dd7b9 include/openssl/ebcdic.h 33b6321d1c6b7b1621198346946401bb81472054aa236b03c6f22f247248d2ad include/openssl/ec.h -dad1943d309aaadb800be4a3056096abec611d81982b83c601b482405e11d5c0 include/openssl/ecerr.h +7aa8c5bee779af59d4733f6a50f7f6be39f1eb43409e5b3357440f9a7d0ca115 include/openssl/ecerr.h 61c76ee3f12ed0e42503a56421ca00f1cb9a0f4caa5f9c4421c374bcd45917d7 include/openssl/encoder.h 69dd983f45b8ccd551f084796519446552963a18c52b70470d978b597c81b2dc include/openssl/encodererr.h c6ee8f17d7252bdd0807a124dc6d50a95c32c04e17688b7c2e061998570b7028 include/openssl/err.h.in @@ -488,7 +500,7 @@ abd5997bc33b681a4ab275978b92aebca0806a4a3f0c2f41dacf11b3b6f4e101 providers/fips f822a03138e8b83ccaa910b89d72f31691da6778bf6638181f993ec7ae1167e3 providers/fips/self_test.h d3c95c9c6cc4e3b1a5e4b2bfb2ae735a4109d763bcda7b1e9b8f9eb253f79820 providers/fips/self_test_data.inc 629f619ad055723e42624230c08430a3ef53e17ab405dc0fd35499e9ca4e389c providers/fips/self_test_kats.c -6b082c1af446ef9a2bfe68a9ee4362dfa4f1f09f975f11f9ba2e5010493039c6 providers/implementations/asymciphers/rsa_enc.c +cd784a44a01a8a30a6be63381344a7f5432e74d40b02ea471c5b0dc943a7ac9d providers/implementations/asymciphers/rsa_enc.c 4db1826ecce8b60cb641bcd7a61430ec8cef73d2fe3cbc06aa33526afe1c954a providers/implementations/ciphers/cipher_aes.c f9d4b30e7110c90064b990c07430bb79061f4436b06ccaa981b25c306cfbfaa2 providers/implementations/ciphers/cipher_aes.h 89378cce6d31e8c2f221f9f29d0b17622624eb83e4ecec8465f7641f68352917 providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c @@ -518,7 +530,7 @@ f358c4121a8a223e2c6cf009fd28b8a195520279016462890214e8858880f632 providers/impl 74640ce402acc704af72e055fb7f27e6aa8efd417babc56f710478e571d8631c providers/implementations/ciphers/cipher_cts.h fcc3bb0637864252402aaa9d543209909df9a39611127f777b168bc888498dc0 providers/implementations/ciphers/cipher_tdes.c 77709f7fc3f7c08986cd4f0ebf2ef6e44bacb975c1483ef444b3cf5e5071f9d6 providers/implementations/ciphers/cipher_tdes.h -9e07260067083c76d26eb0dd8a8bb4a8dac678812644ff88951a0661be70d9fd providers/implementations/ciphers/cipher_tdes_common.c +6fc41326c5f464f27b7d31c16d5ad7116d6244b99e242893f6c96d0c61f3639a providers/implementations/ciphers/cipher_tdes_common.c 50645122f08ef4891cd96cace833bd550be7f5278ab785515fd61fe8993c8c25 providers/implementations/ciphers/cipher_tdes_hw.c 6bb3c24bfd872e3b4c779b29e9f962348f6ae3effeb4f243c8ea66abefe8a4fa providers/implementations/ciphers/ciphercommon.c dd72ea861edf70b94197821ceb00e07165d550934a2e851d62afa5034b79f468 providers/implementations/ciphers/ciphercommon_block.c @@ -545,7 +557,7 @@ b9a61ce951c1904d8315b1bb26c0ab0aaadb47e71d4ead5df0a891608c728c4b providers/impl c95ce5498e724b9b3d58e3c2f4723e7e3e4beb07f9bea9422e43182cbadb43af providers/implementations/include/prov/macsignature.h 29d1a112b799e1f45fdf8bcee8361c2ed67428c250c1cdf408a9fbb7ebf4cce1 providers/implementations/include/prov/names.h 2187713b446d8b6d24ee986748b941ac3e24292c71e07ff9fb53a33021decdda providers/implementations/include/prov/seeding.h -04f22d6afbad5a6e806cf3af9a25843ccfefb748e24d97a09830a1677706acd5 providers/implementations/kdfs/hkdf.c +4e71ffd329f1715d14b54e14036b4b2618deb2fd81675287ce5eeb6c76a31d54 providers/implementations/kdfs/hkdf.c a62e3af09f5af84dcf36f951ba4ac90ca1694adaf3747126186020b155f94186 providers/implementations/kdfs/kbkdf.c e0644e727aacfea4da3cf2c4d2602d7ef0626ebb760b6467432ffd54d5fbb24d providers/implementations/kdfs/pbkdf2.c c0778565abff112c0c5257329a7750ec4605e62f26cc36851fa1fbee6e03c70c providers/implementations/kdfs/pbkdf2.h @@ -557,18 +569,18 @@ abe2b0f3711eaa34846e155cffc9242e4051c45de896f747afd5ac9d87f637dc providers/impl 6b6c776b12664164f3cb54c21df61e1c4477c7855d89431a16fb338cdae58d43 providers/implementations/kem/rsa_kem.c 37120f8a420de0e44b7dc1f31b50d59520e5318cf546e83684e0c3de5c7b76c5 providers/implementations/keymgmt/dh_kmgmt.c 2a4493c9e68f41d37d7ec69c272005c6df7b1a34db2d49663f52e836e4fd888c providers/implementations/keymgmt/dsa_kmgmt.c -ed6825fb92d0ab30f9f858ee29dfa403caa22430cccf493f850f993fd03a975e providers/implementations/keymgmt/ec_kmgmt.c +9bc88451d3ae110c7a108ee73d3b3b6bda801ec3494d2dfb9c9970b85c2d34fe providers/implementations/keymgmt/ec_kmgmt.c 258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251 providers/implementations/keymgmt/ec_kmgmt_imexport.inc d77ece2494e6b12a6201a2806ee5fb24a6dc2fa3e1891a46012a870e0b781ab1 providers/implementations/keymgmt/ecx_kmgmt.c 053a2be39a87f50b877ebdbbf799cf5faf8b2de33b04311d819d212ee1ea329b providers/implementations/keymgmt/kdf_legacy_kmgmt.c e30357311e4a3e1c78266af6315fd1fc99584bfb09f4a7cd0ddc7261cf1e17e1 providers/implementations/keymgmt/mac_legacy_kmgmt.c -96b47ba54dcbc05f7ee98c7f78df04e9671b6dbddbc85e3ea53e74ad04663e7a providers/implementations/keymgmt/rsa_kmgmt.c +19f22fc70a6321441e56d5bd4aab3d01d52d17069d4e4b5cefce0f411ecece75 providers/implementations/keymgmt/rsa_kmgmt.c aeb42590728ca87b916b8a3d337351b1c82ee0747213e5ce740c2350b3db7185 providers/implementations/macs/cmac_prov.c e69aa06f8f3c6f5a26702b9f44a844b8589b99dc0ee590953a29e8b9ef10acbe providers/implementations/macs/gmac_prov.c 895c8dc7235b9ad5ff893be0293cbc245a5455e8850195ac7d446646e4ea71d0 providers/implementations/macs/hmac_prov.c f75fbfe5348f93ad610da7d310f4e8fecf18c0549f27605da25d393c33e0edc2 providers/implementations/macs/kmac_prov.c bf30274dd6b528ae913984775bd8f29c6c48c0ef06d464d0f738217727b7aa5c providers/implementations/rands/crngt.c -c7236e6e2e8adce14f8206da0ceef63c7974d4ba1a7dd71b94fa100cac6b46ba providers/implementations/rands/drbg.c +9d23df7f99beec7392c9d4ed813407050bc2d150098888fe802e2c9705fc33fa providers/implementations/rands/drbg.c bb5f8161a80d0d1a7ee919af2b167972b00afd62e326252ca6aa93101f315f19 providers/implementations/rands/drbg_ctr.c a05adc3f6d9d6f948e5ead75f0522ed3164cb5b2d301169242f3cb97c4a7fac3 providers/implementations/rands/drbg_hash.c 0876dfae991028c569631938946e458e6829cacf4cfb673d2b144ae50a3160bb providers/implementations/rands/drbg_hmac.c @@ -578,6 +590,6 @@ cafb9e6f54ad15889fcebddac6df61336bff7d78936f7de3bb5aab8aee5728d2 providers/impl a30dc6308de0ca33406e7ce909f3bcf7580fb84d863b0976b275839f866258df providers/implementations/signature/ecdsa_sig.c 02e833a767afbe98247d6f09dfb1eb5a5cf7304a93f2c5427a9f6af9c8a3b549 providers/implementations/signature/eddsa_sig.c 3bb0f342b4cc1b4594ed0986adc47791c0a7b5c1ae7b1888c1fb5edb268a78d9 providers/implementations/signature/mac_legacy_sig.c -2334c8bba705032b8c1db5dd28e024a45a73b72cae82a2d815fe855445a49d10 providers/implementations/signature/rsa_sig.c +5b5e51acce1f6e86581de9ee870e64772f69562362b34079ac65c5d6fffaddef providers/implementations/signature/rsa_sig.c a14e901b02fe095713624db4080b3aa3ca685d43f9ebec03041f992240973346 ssl/record/tls_pad.c 3f2e01a98d9e3fda6cc5cb4b44dd43f6cae4ec34994e8f734d11b1e643e58636 ssl/s3_cbc.c diff --git a/providers/fips.checksum b/providers/fips.checksum index 7f7abb3eaa22..077e225c6d93 100644 --- a/providers/fips.checksum +++ b/providers/fips.checksum @@ -1 +1 @@ -fd6bce79efec94a99e40c919e0a5ee392514b81cac01d4d46b5c76f27fb1b839 providers/fips-sources.checksums +d4b8aaf04173ffd7bdd7d64e823002a988146d85c193a4bb8217dc8225583169 providers/fips-sources.checksums diff --git a/providers/fips.module.sources b/providers/fips.module.sources index 8861ceaca311..88e918878fc2 100644 --- a/providers/fips.module.sources +++ b/providers/fips.module.sources @@ -28,6 +28,10 @@ crypto/aes/asm/vpaes-armv8.pl crypto/aes/asm/vpaes-ppc.pl crypto/aes/asm/vpaes-x86.pl crypto/aes/asm/vpaes-x86_64.pl +crypto/alphacpuid.pl +crypto/arm64cpuid.pl +crypto/armcap.c +crypto/armv4cpuid.pl crypto/asn1_dsa.c crypto/bn/asm/alpha-mont.pl crypto/bn/asm/armv4-gf2m.pl @@ -95,12 +99,12 @@ crypto/bn/bn_shift.c crypto/bn/bn_sqr.c crypto/bn/bn_sqrt.c crypto/bn/bn_word.c -crypto/bn/rsa_sup_mul.c crypto/bn/rsaz_exp.c crypto/bn/rsaz_exp.h crypto/bn/rsaz_exp_x2.c crypto/bsearch.c crypto/buffer/buffer.c +crypto/c64xpluscpuid.pl crypto/cmac/cmac.c crypto/context.c crypto/core_algorithm.c @@ -219,6 +223,7 @@ crypto/ffc/ffc_params_generate.c crypto/ffc/ffc_params_validate.c crypto/hmac/hmac.c crypto/hmac/hmac_local.h +crypto/ia64cpuid.S crypto/initthread.c crypto/lhash/lhash.c crypto/lhash/lhash_local.h @@ -251,6 +256,8 @@ crypto/param_build_set.c crypto/params.c crypto/params_dup.c crypto/params_from_text.c +crypto/ppccap.c +crypto/ppccpuid.pl crypto/property/defn_cache.c crypto/property/property.c crypto/property/property_local.h @@ -280,6 +287,8 @@ crypto/rsa/rsa_sign.c crypto/rsa/rsa_sp800_56b_check.c crypto/rsa/rsa_sp800_56b_gen.c crypto/rsa/rsa_x931.c +crypto/s390xcap.c +crypto/s390xcpuid.pl crypto/self_test_core.c crypto/sha/asm/keccak1600-armv4.pl crypto/sha/asm/keccak1600-armv8.pl @@ -329,6 +338,8 @@ crypto/sha/sha256.c crypto/sha/sha3.c crypto/sha/sha512.c crypto/sha/sha_local.h +crypto/sparccpuid.S +crypto/sparcv9cap.c crypto/sparse_array.c crypto/stack/stack.c crypto/threads_lib.c @@ -336,6 +347,7 @@ crypto/threads_none.c crypto/threads_pthread.c crypto/threads_win.c crypto/x86_64cpuid.pl +crypto/x86cpuid.pl e_os.h include/crypto/aes_platform.h include/crypto/asn1_dsa.h diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c index 568452ec56a2..d8659680587e 100644 --- a/providers/implementations/asymciphers/rsa_enc.c +++ b/providers/implementations/asymciphers/rsa_enc.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -161,10 +161,12 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, return 0; } if (prsactx->oaep_md == NULL) { - OPENSSL_free(tbuf); prsactx->oaep_md = EVP_MD_fetch(prsactx->libctx, "SHA-1", NULL); - ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); - return 0; + if (prsactx->oaep_md == NULL) { + OPENSSL_free(tbuf); + ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); + return 0; + } } ret = ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf, diff --git a/providers/implementations/ciphers/cipher_tdes_common.c b/providers/implementations/ciphers/cipher_tdes_common.c index 346aec05a1cc..af2f5b98415c 100644 --- a/providers/implementations/ciphers/cipher_tdes_common.c +++ b/providers/implementations/ciphers/cipher_tdes_common.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -123,13 +123,12 @@ static int tdes_generatekey(PROV_CIPHER_CTX *ctx, void *ptr) if (kl == 0 || RAND_priv_bytes_ex(ctx->libctx, ptr, kl, 0) <= 0) return 0; DES_set_odd_parity(deskey); - if (kl >= 16) + if (kl >= 16) { DES_set_odd_parity(deskey + 1); - if (kl >= 24) { - DES_set_odd_parity(deskey + 2); - return 1; + if (kl >= 24) + DES_set_odd_parity(deskey + 2); } - return 0; + return 1; } int ossl_tdes_get_ctx_params(void *vctx, OSSL_PARAM params[]) diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c index dfa7786bde0c..25819ea23977 100644 --- a/providers/implementations/kdfs/hkdf.c +++ b/providers/implementations/kdfs/hkdf.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -554,7 +554,7 @@ static int HKDF_Expand(const EVP_MD *evp_md, if (!HMAC_Final(hmac, prev, NULL)) goto err; - copy_len = (done_len + dig_len > okm_len) ? + copy_len = (dig_len > okm_len - done_len) ? okm_len - done_len : dig_len; diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c index 3f1dc9e191be..a37cbbdba809 100644 --- a/providers/implementations/keymgmt/ec_kmgmt.c +++ b/providers/implementations/keymgmt/ec_kmgmt.c @@ -745,7 +745,7 @@ int common_get_params(void *key, OSSL_PARAM params[], int sm2) } p->return_size = EC_POINT_point2oct(ecg, ecp, POINT_CONVERSION_UNCOMPRESSED, - p->data, p->return_size, bnctx); + p->data, p->data_size, bnctx); if (p->return_size == 0) goto err; } diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c index b76835ccc437..3ba12c4889a8 100644 --- a/providers/implementations/keymgmt/rsa_kmgmt.c +++ b/providers/implementations/keymgmt/rsa_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -124,9 +124,9 @@ static int rsa_has(const void *keydata, int selection) /* OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS are always available even if empty */ if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) - ok = ok && (RSA_get0_e(rsa) != NULL); - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) ok = ok && (RSA_get0_n(rsa) != NULL); + if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) + ok = ok && (RSA_get0_e(rsa) != NULL); if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) ok = ok && (RSA_get0_d(rsa) != NULL); return ok; diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c index c8fe66aa573f..e30836c53cab 100644 --- a/providers/implementations/rands/drbg.c +++ b/providers/implementations/rands/drbg.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -256,7 +256,7 @@ static void cleanup_entropy(PROV_DRBG *drbg, unsigned char *out, size_t outlen) } else if (drbg->parent_clear_seed != NULL) { if (!ossl_drbg_lock_parent(drbg)) return; - drbg->parent_clear_seed(drbg, out, outlen); + drbg->parent_clear_seed(drbg->parent, out, outlen); ossl_drbg_unlock_parent(drbg); } } diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c index 7023a866131e..76516d9a0987 100644 --- a/providers/implementations/signature/rsa_sig.c +++ b/providers/implementations/signature/rsa_sig.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -823,14 +823,17 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen, return 0; } } else { + int ret; + if (!setup_tbuf(prsactx)) return 0; - rslen = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, - prsactx->pad_mode); - if (rslen == 0) { + ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, + prsactx->pad_mode); + if (ret <= 0) { ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); return 0; } + rslen = (size_t)ret; } if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen)) diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index 7f3d1a7f0ddf..79de0219ec7b 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -1,5 +1,5 @@ /* - * Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1011,13 +1011,11 @@ DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, return &s->rlayer.d->bitmap; /* - * Only HM and ALERT messages can be from the next epoch and only if we - * have already processed all of the unprocessed records from the last - * epoch + * We can only handle messages from the next epoch if we have already + * processed all of the unprocessed records from the previous epoch */ - else if (rr->epoch == (unsigned long)(s->rlayer.d->r_epoch + 1) && - s->rlayer.d->unprocessed_rcds.epoch != s->rlayer.d->r_epoch && - (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) { + else if (rr->epoch == (unsigned long)(s->rlayer.d->r_epoch + 1) + && s->rlayer.d->unprocessed_rcds.epoch != s->rlayer.d->r_epoch) { *is_next_epoch = 1; return &s->rlayer.d->next_bitmap; } diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 4121f3b2ae1c..3baf820761a6 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -215,25 +215,7 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, /* start with empty packet ... */ if (left == 0) rb->offset = align; - else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH) { - /* - * check if next packet length is large enough to justify payload - * alignment... - */ - pkt = rb->buf + rb->offset; - if (pkt[0] == SSL3_RT_APPLICATION_DATA - && (pkt[3] << 8 | pkt[4]) >= 128) { - /* - * Note that even if packet is corrupted and its length field - * is insane, we can only be led to wrong decision about - * whether memmove will occur or not. Header values has no - * effect on memmove arguments and therefore no buffer - * overrun can be triggered. - */ - memmove(rb->buf + align, pkt, left); - rb->offset = align; - } - } + s->rlayer.packet = rb->buf + rb->offset; s->rlayer.packet_length = 0; /* ... now we can act as if 'extend' was set */ @@ -626,14 +608,13 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, if (numpipes > maxpipes) numpipes = maxpipes; - if (n / numpipes >= max_send_fragment) { + if (n / numpipes >= split_send_fragment) { /* * We have enough data to completely fill all available * pipelines */ - for (j = 0; j < numpipes; j++) { - pipelens[j] = max_send_fragment; - } + for (j = 0; j < numpipes; j++) + pipelens[j] = split_send_fragment; } else { /* We can partially fill all available pipelines */ tmppipelen = n / numpipes; diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c index f631829ef646..97b0c26ced81 100644 --- a/ssl/record/ssl3_buffer.c +++ b/ssl/record/ssl3_buffer.c @@ -58,6 +58,11 @@ int ssl3_setup_read_buffer(SSL *s) if (ssl_allow_compression(s)) len += SSL3_RT_MAX_COMPRESSED_OVERHEAD; #endif + + /* Ensure our buffer is large enough to support all our pipelines */ + if (s->max_pipelines > 1) + len *= s->max_pipelines; + if (b->default_len > len) len = b->default_len; if ((p = OPENSSL_malloc(len)) == NULL) { diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 1867f001179f..3c0b1323a459 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -576,6 +576,7 @@ int ssl3_get_record(SSL *s) } } + ERR_set_mark(); enc_err = s->method->ssl3_enc->enc(s, rr, num_recs, 0, macbufs, mac_size); /*- @@ -587,6 +588,7 @@ int ssl3_get_record(SSL *s) if (enc_err == 0) { if (ossl_statem_in_error(s)) { /* SSLfatal() already got called */ + ERR_clear_last_mark(); goto end; } if (num_recs == 1 && ossl_statem_skip_early_data(s)) { @@ -595,6 +597,12 @@ int ssl3_get_record(SSL *s) * it like an empty record. */ + /* + * Remove any errors from the stack. Decryption failures are normal + * behaviour. + */ + ERR_pop_to_mark(); + thisrr = &rr[0]; if (!early_data_count_ok(s, thisrr->length, @@ -610,9 +618,12 @@ int ssl3_get_record(SSL *s) ret = 1; goto end; } + ERR_clear_last_mark(); SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); goto end; + } else { + ERR_clear_last_mark(); } OSSL_TRACE_BEGIN(TLS) { BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length); @@ -964,6 +975,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, EVP_CIPHER_CTX *ds; size_t reclen[SSL_MAX_PIPELINES]; unsigned char buf[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN]; + unsigned char *data[SSL_MAX_PIPELINES]; int i, pad = 0, tmpr; size_t bs, ctr, padnum, loop; unsigned char padval; @@ -1123,8 +1135,6 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, } } if (n_recs > 1) { - unsigned char *data[SSL_MAX_PIPELINES]; - /* Set the output buffers */ for (ctr = 0; ctr < n_recs; ctr++) { data[ctr] = recs[ctr].data; diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index e4168e74c276..2e2d09a32ee4 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -24,6 +24,16 @@ #include "ssl_local.h" #include "ssl_cert_table.h" #include "internal/thread_once.h" +#ifndef OPENSSL_NO_POSIX_IO +# include <sys/stat.h> +# ifdef _WIN32 +# define stat _stat +# endif +# ifndef S_ISDIR +# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR) +# endif +#endif + static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, int op, int bits, int nid, void *other, @@ -751,7 +761,14 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, while ((filename = OPENSSL_DIR_read(&d, dir))) { char buf[1024]; int r; +#ifndef OPENSSL_NO_POSIX_IO + struct stat st; +#else + /* Cannot use stat so just skip current and parent directories */ + if (strcmp(filename, ".") == 0 || strcmp(filename, "..") == 0) + continue; +#endif if (strlen(dir) + strlen(filename) + 2 > sizeof(buf)) { ERR_raise(ERR_LIB_SSL, SSL_R_PATH_TOO_LONG); goto err; @@ -761,6 +778,11 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, #else r = BIO_snprintf(buf, sizeof(buf), "%s/%s", dir, filename); #endif +#ifndef OPENSSL_NO_POSIX_IO + /* Skip subdirectories */ + if (!stat(buf, &st) && S_ISDIR(st.st_mode)) + continue; +#endif if (r <= 0 || r >= (int)sizeof(buf)) goto err; if (!SSL_add_file_cert_subjects_to_stack(stack, buf)) diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 68b57a532bfe..c322a11d9c52 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2005 Nokia. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -190,9 +190,10 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) dest->ticket_appdata = NULL; memset(&dest->ex_data, 0, sizeof(dest->ex_data)); - /* We deliberately don't copy the prev and next pointers */ + /* As the copy is not in the cache, we remove the associated pointers */ dest->prev = NULL; dest->next = NULL; + dest->owner = NULL; dest->references = 1; diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 51c2283db915..e6f4bcc04533 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -765,6 +765,7 @@ int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen, tmparr = OPENSSL_memdup(gcb.gid_arr, gcb.gidcnt * sizeof(*tmparr)); if (tmparr == NULL) goto end; + OPENSSL_free(*pext); *pext = tmparr; *pextlen = gcb.gidcnt; ret = 1; |