Make DH_check_pub_key() and DH_generate_key() safer yet We already check for an excessively large P in DH_generate_key(), but not in DH_check_pub_key(), and none of them check for an excessively large Q. This change adds all the missing excessive size checks of P and Q. It's to be noted that behaviours surrounding excessively sized P and Q differ. DH_check() raises an error on the excessively sized P, but only sets a flag for the excessively sized Q. This behaviour is mimicked in DH_check_pub_key(). Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22453)
Don't (re-)initialize the FFC_PARAMs in dh_init and dsa_init The initialization was introduced in commit dc8de3e6f1ee and changes the behaviour of the `init` method for DSA and DH between 1.1.1 and 3.0, while the behaviour for RSA and EC_KEY remains unchanged. The initialization is not necessary in 3.x and master imho and breaks the use-case of intercepting the methods of an existing key. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22185)
Copyright year updates Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
S390x: Support ME and CRT offloading S390x has to ability to offload modular exponentiation and CRT operations to Crypto Express Adapters. This possible performance optimization was not yet used by OpenSSL. Add support for offloading and implement an optimized version of RSA and DH with it. The environment variable OPENSSL_s390xcap now recognizes the token "nocex" to prevent offloading. Signed-off-by: Juergen Christ <jchrist@linux.ibm.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20113)
Stop raising ERR_R_MALLOC_FAILURE in most places Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and at least handle the file name and line number they are called from, there's no need to report ERR_R_MALLOC_FAILURE where they are called directly, or when SSLfatal() and RLAYERfatal() is used, the reason `ERR_R_MALLOC_FAILURE` is changed to `ERR_R_CRYPTO_LIB`. There were a number of places where `ERR_R_MALLOC_FAILURE` was reported even though it was a function from a different sub-system that was called. Those places are changed to report ERR_R_{lib}_LIB, where {lib} is the name of that sub-system. Some of them are tricky to get right, as we have a lot of functions that belong in the ASN1 sub-system, and all the `sk_` calls or from the CRYPTO sub-system. Some extra adaptation was necessary where there were custom OPENSSL_malloc() wrappers, and some bugs are fixed alongside these changes. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19301)
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes
Replace size check with more meaningful pubkey check It does not make sense to check the size because this function can be used in other contexts than in TLS-1.3 and the value might not be padded to the size of p. However it makes sense to do the partial pubkey check because there is no valid reason having the pubkey value outside the 1 < pubkey < p-1 bounds. Fixes #15465 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17630)
add zero strenght arguments to BN and RAND RNG calls Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15513)
Add a range check (from SP800-56Ar3) to DH key derivation. Fixes #14401 Note that this moves the public key check out of DH compute_key() since key validation does not belong inside this primitive.. The check has been moved to the EVP_PKEY_derive_set_peer() function so that it generally applies to all exchange operations.. Use EVP_PKEY_derive_set_peer_ex() to disable this behaviour. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14717)
Fix misc external ossl_ symbols. Partial fix for #12964 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14473)
Fix external symbols related to dh keys Partial fix for #12964 This adds ossl_ names for the following symbols: dh_new_by_nid_ex, dh_new_ex, dh_generate_ffc_parameters, dh_generate_public_key, dh_get_named_group_uid_from_size, dh_gen_type_id2name, dh_gen_type_name2id, dh_cache_named_group, dh_get0_params, dh_get0_nid, dh_params_fromdata, dh_key_fromdata, dh_params_todata, dh_key_todata, dh_check_pub_key_partial, dh_check_priv_key, dh_check_pairwise, dh_get_method, dh_buf2key, dh_key2buf, dh_KDF_X9_42_asn1, dh_pkey_method, dhx_pkey_method Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14231)
dsa_check: Perform simple parameter check if seed is not available Added primality check on p and q in the ossl_ffc_params_simple_validate(). Checking for p and q sizes in the default provider is made more lenient. Added two testcases for invalid parameters. Fixes #13950 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14148)
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13999)
[crypto/dh] side channel hardening for computing DH shared keys Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13783)
Convert all {NAME}err() in crypto/ to their corresponding ERR_raise() call This includes error reporting for libcrypto sub-libraries in surprising places. This was done using util/err-to-raise Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13318)
DH: stop setting the private key length arbitrarily The private key length is supposed to be a user settable parameter. We do check if it's set or not, and if not, we do apply defaults. Fixes #12071 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13140)
Constify OSSL_FUNC_keymgmt_validate() The keydata argument of OSSL_FUNC_keymgmt_validate() should be read-only. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13201)
ffc: add _ossl to exported but internal functions The functions updated are: ffc_generate_private_key, ffc_named_group_from_uid, ffc_named_group_to_uid, ffc_params_FIPS186_2_gen_verify, ffc_params_FIPS186_2_generate, ffc_params_FIPS186_2_validate, ffc_params_FIPS186_4_gen_verify, ffc_params_FIPS186_4_generate, ffc_params_FIPS186_4_validate, ffc_params_cleanup, ffc_params_cmp, ffc_params_copy, ffc_params_enable_flags, ffc_params_flags_from_name, ffc_params_flags_to_name, ffc_params_fromdata, ffc_params_get0_pqg, ffc_params_get_validate_params, ffc_params_init, ffc_params_print, ffc_params_set0_j, ffc_params_set0_pqg, ffc_params_set_flags, ffc_params_set_gindex, ffc_params_set_h, ffc_params_set_pcounter, ffc_params_set_seed, ffc_params_set_validate_params, ffc_params_simple_validate, ffc_params_todata, ffc_params_validate_unverifiable_g, ffc_set_digest, ffc_set_group_pqg, ffc_validate_private_key, ffc_validate_public_key and ffc_validate_public_key_partial. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13041)
Add multiple fixes for ffc key generation using invalid p,q,g parameters. Fixes #11864 - The dsa keygen assumed valid p, q, g values were being passed. If this is not correct then it is possible that dsa keygen can either hang or segfault. The fix was to do a partial validation of p, q, and g inside the keygen. - Fixed a potential double free in the dsa keypair test in the case when in failed (It should never fail!). It freed internal object members without setting them to NULL. - Changed the FFC key validation to accept 1024 bit keys in non fips mode. - Added tests that use both the default provider & fips provider to test these cases. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12176)
Make EVP_PKEY_[get1|set1]_tls_encodedpoint work with provided keys EVP_PKEY_[get1|set1]_tls_encodedpoint() only worked if an ameth was present which isn't the case for provided keys. Support has been added to dh, ec and ecx keys. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11898)