Check DSA parameters for excessive sizes before validating

This avoids overly long computation of various validation
checks.

Fixes CVE-2024-4603

Reviewed-by: Paul Dale

Check DSA parameters for excessive sizes before validating

This avoids overly long computation of various validation
checks.

Fixes CVE-2024-4603

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24346)

show more ...

Copyright year updates

Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
(cherry picked from commit 0ce7d1f355c1240653e320a3f6f8109c1f05f8c0)

Reviewed-by: Hugo Lan

Copyright year updates

Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
(cherry picked from commit 0ce7d1f355c1240653e320a3f6f8109c1f05f8c0)

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24034)

show more ...

Fix typos

CLA: trivial

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Review

Fix typos

CLA: trivial

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23345)

show more ...

DH_check_pub_key() should not fail when setting result code

The semantics of ossl_ffc_validate_public_key() and
ossl_ffc_validate_public_key_partial() needs to be changed
to not retu

DH_check_pub_key() should not fail when setting result code

The semantics of ossl_ffc_validate_public_key() and
ossl_ffc_validate_public_key_partial() needs to be changed
to not return error on non-fatal problems.

Fixes #22287

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22291)

show more ...

Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14512)

Fix external symbols related to dsa keys

Partial fix for #12964

This adds ossl_ names for the following symbols:

dsa_check_pairwise, dsa_check_params, dsa_check_priv_key, d

Fix external symbols related to dsa keys

Partial fix for #12964

This adds ossl_ names for the following symbols:

dsa_check_pairwise, dsa_check_params, dsa_check_priv_key, dsa_check_pub_key, dsa_check_pub_key_partial,
dsa_do_sign_int, dsa_ffc_params_fromdata,
dsa_generate_ffc_parameters, dsa_generate_public_key,
dsa_get0_params, dsa_key_fromdata, dsa_new_with_ctx, dsa_pkey_method, dsa_sign_int

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14231)

show more ...

dsa_check: Perform simple parameter check if seed is not available

Added primality check on p and q in the ossl_ffc_params_simple_validate().
Checking for p and q sizes in the default pr

dsa_check: Perform simple parameter check if seed is not available

Added primality check on p and q in the ossl_ffc_params_simple_validate().
Checking for p and q sizes in the default provider is made more
lenient.
Added two testcases for invalid parameters.

Fixes #13950

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14148)

show more ...

dsa: provider and library deprecation changes

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/ope

dsa: provider and library deprecation changes

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13638)

show more ...

ffc: add _ossl to exported but internal functions

The functions updated are:
ffc_generate_private_key, ffc_named_group_from_uid,
ffc_named_group_to_uid, ffc_params_FIPS186_2_

ffc: add _ossl to exported but internal functions

The functions updated are:
ffc_generate_private_key, ffc_named_group_from_uid,
ffc_named_group_to_uid, ffc_params_FIPS186_2_gen_verify,
ffc_params_FIPS186_2_generate, ffc_params_FIPS186_2_validate,
ffc_params_FIPS186_4_gen_verify, ffc_params_FIPS186_4_generate,
ffc_params_FIPS186_4_validate, ffc_params_cleanup, ffc_params_cmp,
ffc_params_copy, ffc_params_enable_flags, ffc_params_flags_from_name,
ffc_params_flags_to_name, ffc_params_fromdata,
ffc_params_get0_pqg, ffc_params_get_validate_params,
ffc_params_init, ffc_params_print, ffc_params_set0_j,
ffc_params_set0_pqg, ffc_params_set_flags, ffc_params_set_gindex,
ffc_params_set_h, ffc_params_set_pcounter, ffc_params_set_seed,
ffc_params_set_validate_params, ffc_params_simple_validate,
ffc_params_todata, ffc_params_validate_unverifiable_g, ffc_set_digest,
ffc_set_group_pqg, ffc_validate_private_key, ffc_validate_public_key
and ffc_validate_public_key_partial.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13041)

show more ...

Add ACVP fips module tests

For FIPS validation purposes - Automated Cryptographic Validation Protocol (ACVP) tests need to be
performed. (See https://github.com/usnistgov/ACVP). These te

Add ACVP fips module tests

For FIPS validation purposes - Automated Cryptographic Validation Protocol (ACVP) tests need to be
performed. (See https://github.com/usnistgov/ACVP). These tests are very similiar to the old CAVS tests.

This PR uses a hardwired subset of these test vectors to perform similiar operations,
to show the usage and prove that the API's are able to perform the required operations.
It may also help with communication with the lab (i.e- The lab could add a test here to show
a unworking use case - which we can then address).

The EVP layer performs these tests instead of calling lower level API's
as was done in the old FOM.
Some of these tests require access to internals that are not normally allowed/required.

The config option 'acvp_tests' (enabled by default) has been added so that this
access may be removed.

The mechanism has been implemented as additional OSSL_PARAM values that can be set and get.
A callback mechanism did not seem to add any additional benefit.
These params will not be added to the gettables lists.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11572)

show more ...

Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11616)

Add DSA Key validation to default provider

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10912)

Add FFC param/key validation

Embed libctx in dsa and dh objects and cleanup internal methods to not pass libctx (This makes it consistent with the rsa changes)

Reviewed-by: Matt Cas

Add FFC param/key validation

Embed libctx in dsa and dh objects and cleanup internal methods to not pass libctx (This makes it consistent with the rsa changes)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10910)

show more ...