55662b67 | 06-Aug-2024 |
Jiasheng Jiang |
test/provider_test.c: Add OSSL_PROVIDER_unload() to avoid memory leak Add OSSL_PROVIDER_unload() when OSSL_PROVIDER_add_builtin() fails to avoid memory leak. Fixes: 5442611dff ("Add a test for OSSL_LIB_CTX_new_child()") Signed-off-by: Jiasheng Jiang <jiashengjiangcool@outlook.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25109)
|
6e8a1031 | 06-Aug-2024 |
Jiasheng Jiang |
test/provider_fallback_test.c: Add OSSL_PROVIDER_unload() to avoid memory leak Add OSSL_PROVIDER_unload() when test_provider() fails to avoid memory leak. Fixes: f995e5bdcd ("TEST: Add provider_fallback_test, to test aspects of fallback providers") Signed-off-by: Jiasheng Jiang <jiashengjiangcool@outlook.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25108)
|
60358f2c | 31-Jul-2024 |
Matt Caswell |
Fix the alert used on a missing key_share RFC8446 requires we send an illegal_parameter alert if we don't get a key_share back from the server and our kex_modes require one. We were instead reporting this as missing_extension. Fixes #25040 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25059)
|
95994ded | 07-Aug-2024 |
slontis |
Add additional test cases for Single Step KDF. SSKDF KMAC tests added. Added FIPS indicator tests for SSKDF Hash, HMAC, and KMAC cases. Added short salt length tests for SSKDF HMAC and KMAC. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/25049)
|
ea396c70 | 05-Aug-2024 |
slontis |
Add FIPS KMAC key check This adds a FIPS indicator for KMAC key size. Note that 112 bits keys are still smaller than the sizes required to reach 128 bits for KMAC128 and 256 bits for KMAC256 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/25049)
|
390f00a1 | 31-Jul-2024 |
slontis |
Add HMAC FIPS keysize check. HMAC has been changed to use a FIPS indicator for its key check. HKDF and Single Step use a salt rather than a key when using HMAC, so we need a mechanism to bypass this check in HMAC. A separate 'internal' query table has been added to the FIPS provider for MACS. Giving HMAC a separate dispatch table allows KDFs to ignore the key check. If a KDF requires the key check then it must do the check itself. The normal MAC dispatch table is used if the user fetches HMAC directly. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/25049)
|
d2739fc3 | 16-Aug-2024 |
Tomas Mraz |
hashtable.c: Code style fixes Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24504) |
f0b1d4d1 | 16-Aug-2024 |
Tomas Mraz |
core_namemap.c: 2048 hashtable buckets should be sufficient It is unlikely we would need more than 4000 names and even with more names (up to 8192) it would still work, just the performance of the namemap would degrade. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24504)
|
9f748983 | 16-Aug-2024 |
Tomas Mraz |
For lockless reads use the whole hashtable for colliding entries Instead of just using the neighborhood, fill subsequent neighborhoods with colliding entries. If the hashtable is properly sized, it won't degrade performance too much. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24504)
|
4cad6085 | 27-May-2024 |
Tomas Mraz |
Use the new hashtable for core_namemap This replaces LHASH in core_namemap with the new hashtable and adds a reverse mapping in form of stack of stacks instead of iterating the existing hash table members. The new hashtable is used in lockless-read mode. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24504)
|
71fe7f09 | 27-May-2024 |
Tomas Mraz |
hashtable: Support lockless reads Also build it in the FIPS provider too and properly report error on insert when hashtable cannot be grown. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24504)
|
6cdca7b9 | 17-May-2024 |
Tomas Mraz |
hashtable.c: Avoid infinite loop in ossl_ht_insert() Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24504)
|
14efc053 | 15-May-2024 |
Neil Horman |
some performance improvements Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24504) |
435531ec | 15-May-2024 |
Neil Horman |
alternate collision checking support Add full key matching to hashtable the idea is that on a hash value match we do a full memory comparison of the unhashed key to validate that it's actually the key we're looking for Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24504)
|
772481cf | 16-Jul-2024 |
Richard Levitte |
fix: Have util/mkerr.pl comply better with our coding style util/mkerr.pl produced lines like these: {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), "operation not supported for this keytype"}, According to our coding style, they should look like this: {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), "operation not supported for this keytype"}, This nit was correctly picked up by util/check-format.pl Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24902)
|
523187df | 19-Aug-2024 |
Richard Levitte |
Enable RSA-SM3 in the default provider It turns out that we didn't allow the combination RSA + SM3 anywhere. This is perfectly reasonable in the FIPS module, but less so in the default provider. This change enables it in the default provider, and adds a simple evp_test stanza for the RSA-SM3 signature scheme. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23416)
|
8736de5e | 16-Jul-2024 |
Richard Levitte |
fix coding style Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23416) |
b02cf2fc | 10-Jul-2024 |
Richard Levitte |
Add new test types in test/evp_test.c, and a test for RSA sigalgs With these tests, we get to test: - EVP_PKEY_sign_init_ex() - EVP_PKEY_verify_init_ex2() - EVP_PKEY_verify_recover_init_ex2() - EVP_PKEY_sign_message_init() and friends - EVP_PKEY_verify_message_init() and friends A few test cases for RSA-{hash} are added, in test/recipes/30-test_evp_data/evppkey_rsa_sigalg.txt Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23416)
|
572a8371 | 06-Jul-2024 |
Richard Levitte |
Refactor OpenSSL 'RSA' EVP_SIGNATURE to also include RSA+hash composites (in the code, "sigalg" is used to refer to these composite algorithms, which is a nod to libcrypto and libssl, where that term is commonly used for composite algorithms) To make this implementation possible, wrappers were added around the hash function itself, allowing the use of existing hash implementations through their respective OSSL_DISPATCH tables, but also retaining the dynamic fetch of hash implementations when the digest_sign / digest_verify functionality is used. This wrapper allows implementing the RSA+hash composites through simple initializer function and a custom OSSL_DISPATCH table for each. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23416)
|
e675aabb | 18-Jan-2024 |
Richard Levitte |
Implement functionality for direct use of composite signature algorithms The following API groups are extended with a new init function, as well as an update and final function, to allow the use of explicitly fetched signature implementations for any composite signature algorithm, like "sha1WithRSAEncryption": - EVP_PKEY_sign - EVP_PKEY_verify - EVP_PKEY_verify_recover To support this, providers are required to add a few new functions, not the least one that declares what key types a signature implementation supports. While at this, the validity check in evp_signature_from_algorithm() is also refactored; the SIGNATURE provider functionality is too complex for counters. It's better, or at least more readable, to check function combinations. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23416)
|
1985ba60 | 26-Jul-2024 |
Hubert Kario |
Link to the place where signature options are defined ca man page: link to section Signed-off-by: Hubert Kario <hkario@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25011)
|
391334dd | 22-Jul-2024 |
XZ-X |
When calling ASN1_item_i2d () check both returned length and allocated pointer Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24979)
|
dc6993a6 | 17-Jul-2024 |
erbsland-dev |
Enhance s_client Output Fixes #8123: Clarify cipher and protocol version display - Added a new line “Protocol:” to display the protocol version separately after the cipher line. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24921)
|
a0b65282 | 15-Aug-2024 |
Pauli |
test: add command line indicator option checking to fipsinstall Validate that the relevant options are on when -pedantic is specified, off when it isn't and can be given to enable the setting. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/25194)
|
96de4082 | 16-Aug-2024 |
slontis |
Add FIPS self test updates After reviewing the FIPS 140-3 IG self tests requirements the following were added: - TDES Decryption (Not sure why this was missing) - DH changed to use ffdhe2048 instead of P,Q,G params. - Signature code has been changed to use a msg rather than a digest as input. (Since some digests don't provide the one shot API, the EVP_DigestSignFinal and EVP_DigestVerifyFinal needed to be exposed to the FIPS provider). The code is now shared between ED and the other key types. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25217)
|