History log of /openssl/ (Results 376 – 400 of 31721)
Revision Date Author Comments
0ae365e1 09-Jun-2022 Tomas Mraz

Always end BN_mod_exp_mont_consttime with normal Montgomery reduction.

This partially fixes a bug where, on x86_64, BN_mod_exp_mont_consttime
would sometimes return m, the modulus, when it should have returned
zero. Thanks to Guido Vranken for reporting it. It is only a partial fix
because the same bug also exists in the "rsaz" codepath.

The bug only affects zero outputs (with non-zero inputs), so we believe
it has no security impact on our cryptographic functions.

The fix is to delete lowercase bn_from_montgomery altogether, and have the
mont5 path use the same BN_from_montgomery ending as the non-mont5 path.
This only impacts the final step of the whole exponentiation and has no
measurable perf impact.

See the original BoringSSL commit
https://boringssl.googlesource.com/boringssl/+/13c9d5c69d04485a7a8840c12185c832026c8315
for further analysis.

Original-author: David Benjamin <davidben@google.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18510)

b2feb9f0 14-Jun-2022 Jiasheng Jiang

test/ssl_old_test.c: Add check for OPENSSL_malloc

As the potential failure of the OPENSSL_malloc(),
it should be better to add the check and return
error if fails.

Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18555)

16249341 12-Jun-2022 Kan

Add sensitive memory clean in priv encode
Fixed #18540

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18541)

4f4942a1 14-Jun-2022 Jiasheng Jiang

test/ssl_old_test.c: Add check for OPENSSL_zalloc

As the potential failure of the OPENSSL_zalloc(),
it should be better to add the check and return
error if fails.

Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18552)

115eb945 08-Jun-2022 K1

Fix a mem leak in evp_pkey_export_to_provider

If keymgmt is NULL, tmp_keymgmt is allocated and will not be freed.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18499)

01fc9b6b 09-Jun-2022 Matt Caswell

Fix a crash in X509v3_asid_subset()

If the asnum or rdi fields are NULL and the ASIdentifiers are otherwise
subsets then this will result in a crash. Of note is that rdi will usually
be NULL.

Reported by Theo Buehler (@botovq)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18514)

0feb138f 11-Jun-2022 Richard Levitte

providers/implementations/exchange/kdf_exch.c: Fix kdf_derive()

kdf_derive() calls EVP_KDF_derive(), but didn't do enough to adapt its input
buffer length arguments to fit the requirements to call EVP_KDF_derive().

Fixes #18517

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18533)

(cherry picked from commit e906eab8d863ac7bdadc671e8d0686fead88c4bf)

f68283c1 12-Jun-2022 Richard Levitte

test/evp_test.c: Check too big output buffer sizes in PKEYKDF tests

EVP_PKEY_derive() should be able to cope with a too big buffer for fixed
size outputs. However, we don't test that.

This change modifies the PKEYKDF tests to ask EVP_PKEY_derive() what the
desired output buffer size is, and as long as the returned value isn't
absurd (indicating that anything goes), the output buffer is made to be
twice as big as what is expected.

Tests #18517

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18533)

(cherry picked from commit a0587aaeff7391b8cf4ee4c6a233d0f4dca7d62f)

46c1c2d7 09-Jun-2022 Matt Caswell

Fix the export routines to not return success if param alloc failed

We fix the dsa, dh, ec and rsa export routines so that they are
consistent with each other and do not report success if the allocation
of parameters failed.

This is essentially the same fix as applied in #18483 but applied to all
relevant key types.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18507)

08e0aad2 13-Apr-2022 Tomas Mraz

test_pkey_check: Positive testcase for private key with unknown parameters

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18099)

0615cede 12-Apr-2022 Tomas Mraz

ossl_dh_check_priv_key: Do not fail on private keys without q

Fixes #18098

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18099)

14f95126 10-Jun-2022 Tomas Mraz

Testcase for regression by PPC64 fixed length montgomery multiplication

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18512)

712d9cc9 09-Jun-2022 Tomas Mraz

Revert "bn: Add fixed length (n=6), unrolled PPC Montgomery Multiplication"

This reverts commit 0d40ca47bd86e74a95c3a2f5fb6c67cdbee93c79.

It was found that the computation produces incorrect results in some
cases.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18512)

e9a806b2 13-Jun-2022 Tomas Mraz

Avoid reusing the init_lock for a different purpose

Otherwise we might cause a recursive locking.

Fixes #18535

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18545)

979575c6 09-Jun-2022 Pauli

init: fix defined but unused warning/error

The #ifdefs weren't quite correct at times.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18503)

d2399d8c 30-May-2022 slontis

RSA keygen update: Raise an error if no prime candidate q is found.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18429)

27c1cfd7 30-May-2022 slontis

RSA Keygen update - When using the default provider fallback to default multiprime keygen if e is < 65537

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18429)

ad7e0fd5 30-May-2022 slontis

RSA keygen fixes

Fixes #18321

Increase the iteration factor used when 'Computing a Probable Prime Factor Based on Auxiliary Primes' from 5 to 20.
This matches the algorithm update made in FIPS 186-5.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18429)

a644cb7c 09-Jun-2022 Billy Brumley

[crypto/bn] BN_consttime_swap: remove superfluous early exit

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18518)

926c698c 08-Jun-2022 Tomas Mraz

sm2_dupctx: Avoid potential use after free of the md

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18494)

d8732803 07-Jun-2022 Tomas Mraz

Check return of BIO_new() and always free pkey from evp_pkey_copy_downgraded()

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18494)

a7863f99 07-Jun-2022 Tomas Mraz

add_provider_groups: Clean up algorithm pointer on failure

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18494)

f91568eb 07-Jun-2022 Tomas Mraz

parse_unquoted: Check returned value from ossl_property_value()

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18494)

cec1699f 08-Jun-2022 Bernd Edlinger

Fix a use after free in error handling of hmac_dup

dst->digest needs to be zeroized in case HMAC_CTX_copy
or ossl_prov_digest_copy return failure.

Fixes #18493

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18502)

ee11118d 30-Apr-2022 Hongren (Zenithal) Zheng

providers: cipher: aes: add riscv64 zkn support

Signed-off-by: Hongren (Zenithal) Zheng <i@zenithal.me>
Tested-by: Jiatai He <jiatai2021@iscas.ac.cn>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18197)
