#
7ed6de99 |
| 05-Sep-2024 |
Tomas Mraz |
Copyright year updates Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes
|
#
14c45338 |
| 26-Aug-2024 |
slontis |
EVP_MD_size() updates For SHAKE algorithms we now return 0 from EVP_MD_size(). So all the places that check for < 0 needed to change to <= 0 (Otherwise the behaviour will be to diges
EVP_MD_size() updates For SHAKE algorithms we now return 0 from EVP_MD_size(). So all the places that check for < 0 needed to change to <= 0 (Otherwise the behaviour will be to digest nothing in most cases). Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25285)
show more ...
|
#
f6a296c3 |
| 12-Aug-2024 |
slontis |
Cleanups for FIPS options.. The options in fipsprov.c are now generated using macros with fips_indicator_params.inc. This should keep the naming consistent. Some FIPS related he
Cleanups for FIPS options.. The options in fipsprov.c are now generated using macros with fips_indicator_params.inc. This should keep the naming consistent. Some FIPS related headers have moved to providers/fips/include so that they can use fips_indicator_params.inc. securitycheck.h now includes fipsindicator.h, and fipsindicator.h includes fipscommon.h. fipsinstall.c uses OSSL_PROV_PARAM_ for the configurable FIPS options rather than using OSSL_PROV_FIPS_PARAM_* as this was confusing as to which one should be used. fips_names.h just uses aliases now for existing public names. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25162)
show more ...
|
#
ea396c70 |
| 05-Aug-2024 |
slontis |
Add FIPS KMAC key check This adds a FIPS indicator for KMAC key size. Note that 112 bits keys are still smaller than the sizes required to reach 128 bits for KMAC128 and 256 bits
Add FIPS KMAC key check This adds a FIPS indicator for KMAC key size. Note that 112 bits keys are still smaller than the sizes required to reach 128 bits for KMAC128 and 256 bits for KMAC256 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/25049)
show more ...
|
#
390f00a1 |
| 31-Jul-2024 |
slontis |
Add HMAC FIPS keysize check. HMAC has been changed to use a FIPS indicator for its key check. HKDF and Single Step use a salt rather than a key when using HMAC, so we need a mec
Add HMAC FIPS keysize check. HMAC has been changed to use a FIPS indicator for its key check. HKDF and Single Step use a salt rather than a key when using HMAC, so we need a mechanism to bypass this check in HMAC. A seperate 'internal' query table has been added to the FIPS provider for MACS. Giving HMAC a seprate dispatch table allows KDF's to ignore the key check. If a KDF requires the key check then it must do the check itself. The normal MAC dipatch table is used if the user fetches HMAC directly. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/25049)
show more ...
|
#
81bb8848 |
| 30-Jul-2024 |
pohsingwu |
Call key_check_passed in set_ctx_params Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/
Call key_check_passed in set_ctx_params Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/23900)
show more ...
|
#
1b838621 |
| 02-Jun-2024 |
pohsingwu |
Restrict the length of key-derivation key used in KDFs Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/o
Restrict the length of key-derivation key used in KDFs Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/23900)
show more ...
|
#
14e46600 |
| 17-Jul-2024 |
pohsingwu |
Restrict digest in set_ctx_params In this commit, we also return different error if the digest is XOF. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale
Restrict digest in set_ctx_params In this commit, we also return different error if the digest is XOF. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23889)
show more ...
|
#
6d47e819 |
| 02-Jun-2024 |
pohsingwu |
Restrict digest algorithm used in KDFs Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/
Restrict digest algorithm used in KDFs Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23889)
show more ...
|
#
fa338aa7 |
| 28-Apr-2024 |
Dimitri John Ledkov |
fips: zeroization of public security parameters (PSPs) ISO 19790:2012/Cor.1:2015 7.9 requires cryptographic module to provide methods to zeroise all unproctected security sensitive param
fips: zeroization of public security parameters (PSPs) ISO 19790:2012/Cor.1:2015 7.9 requires cryptographic module to provide methods to zeroise all unproctected security sensitive parameters (which inclues both Critical/Private **and** Public security parameters). And those that are temprorarly stored are required to be zeroised after they are no longer needed at security levels 2 and higher. Comply with the above requirements by always zeroising public security parameters whenever they are freed. This is currently done under the FIPS feature, however the requirement comes from the ISO 19790:2012 which may also be needed in other jurisdictions. If not always. Note FIPS 140-3 includes ISO 19790:2012 by reference. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24355)
show more ...
|
#
15d6114d |
| 19-Apr-2024 |
Dimitri John Ledkov |
hkdf: when HMAC key is all zeros, still set a valid key length By itself, this is no change in any computation. However, this will unlock enforcing minimum key lengths for NIST and FIPS
hkdf: when HMAC key is all zeros, still set a valid key length By itself, this is no change in any computation. However, this will unlock enforcing minimum key lengths for NIST and FIPS 140-3 requirements. Also reading RFC8448 and RFC5869, this seems to be strictly correct too. Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24204)
show more ...
|
#
6b566687 |
| 02-Feb-2024 |
Todd Short |
Fix EVP_PKEY_CTX_add1_hkdf_info() behavior Fix #23448 `EVP_PKEY_CTX_add1_hkdf_info()` behaves like a `set1` function. Fix the setting of the parameter in the params code.
Fix EVP_PKEY_CTX_add1_hkdf_info() behavior Fix #23448 `EVP_PKEY_CTX_add1_hkdf_info()` behaves like a `set1` function. Fix the setting of the parameter in the params code. Update the TLS_PRF code to also use the params code. Add tests. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23456)
show more ...
|
#
da1c088f |
| 07-Sep-2023 |
Matt Caswell |
Copyright year updates Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
|
#
56a51b5a |
| 17-May-2023 |
Nicky Mouha |
Update hkdf.c to avoid potentially vulnerable code pattern The expression "if (a+b>c) a=c-b" is incorrect if "a+b" overflows. It should be replaced by "if (a>c-b) a=c-b", which avoids th
Update hkdf.c to avoid potentially vulnerable code pattern The expression "if (a+b>c) a=c-b" is incorrect if "a+b" overflows. It should be replaced by "if (a>c-b) a=c-b", which avoids the potential overflow and is much easier to understand. This pattern is the root cause of CVE-2022-37454, a buffer overflow vulnerability in the "official" SHA-3 implementation. It has been confirmed that the addition in https://github.com/openssl/openssl/blob/master/providers/implementations/kdfs/hkdf.c#L534 cannot overflow. So this is only a minor change proposal to avoid a potentially vulnerable code pattern and to improve readability. More information: https://github.com/github/codeql/pull/12036#issuecomment-1466056959 CLA: trivial Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20990)
show more ...
|
#
345b42be |
| 13-Apr-2023 |
Pauli |
Update KDFs to use shared functions. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2
Update KDFs to use shared functions. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20724)
show more ...
|
#
1e6bd31e |
| 19-Apr-2023 |
Irak Rigia |
Replaced '{ 0, NULL }' with OSSL_DISPATCH_END in OSSL_DISPATCH arrays Fixes #20710 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
Replaced '{ 0, NULL }' with OSSL_DISPATCH_END in OSSL_DISPATCH arrays Fixes #20710 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20745)
show more ...
|
#
e8115bd1 |
| 16-Dec-2022 |
slontis |
Change HKDF to alloc the info buffer. Fixes #19909 I have enforced a maximum bound still but it is much higher. Note also that TLS13 still uses the 2048 buffer size. Re
Change HKDF to alloc the info buffer. Fixes #19909 I have enforced a maximum bound still but it is much higher. Note also that TLS13 still uses the 2048 buffer size. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19923)
show more ...
|
#
e077455e |
| 29-Sep-2022 |
Richard Levitte |
Stop raising ERR_R_MALLOC_FAILURE in most places Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and at least handle the file name and line number they are called from,
Stop raising ERR_R_MALLOC_FAILURE in most places Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and at least handle the file name and line number they are called from, there's no need to report ERR_R_MALLOC_FAILURE where they are called directly, or when SSLfatal() and RLAYERfatal() is used, the reason `ERR_R_MALLOC_FAILURE` is changed to `ERR_R_CRYPTO_LIB`. There were a number of places where `ERR_R_MALLOC_FAILURE` was reported even though it was a function from a different sub-system that was called. Those places are changed to report ERR_R_{lib}_LIB, where {lib} is the name of that sub-system. Some of them are tricky to get right, as we have a lot of functions that belong in the ASN1 sub-system, and all the `sk_` calls or from the CRYPTO sub-system. Some extra adaptation was necessary where there were custom OPENSSL_malloc() wrappers, and some bugs are fixed alongside these changes. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19301)
show more ...
|
#
fecb3aae |
| 03-May-2022 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes
|
#
fba140c7 |
| 12-Apr-2022 |
Dmitry Belyavskiy |
str[n]casecmp => OPENSSL_strncasecmp Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18069)
|
#
d5f9166b |
| 04-Feb-2022 |
Richard Levitte |
Move e_os.h to include/internal Including e_os.h with a path from a header file doesn't work well on certain exotic platform. It simply fails to build. Since we don't seem to b
Move e_os.h to include/internal Including e_os.h with a path from a header file doesn't work well on certain exotic platform. It simply fails to build. Since we don't seem to be able to stop ourselves, the better move is to move e_os.h to an include directory that's part of the inclusion path given to the compiler. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17641)
show more ...
|
#
95bd5ff6 |
| 24-Jan-2022 |
Pauli |
hkdf: implement ctx dup operation Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/17572)
|
#
f7d998a2 |
| 02-Aug-2021 |
Pauli |
tls/prov: move the TLS 1.3 KDF code to providers This function needs to be power up tested as part of the FIPS validation and thus it needs to be inside the provider boundary. This is r
tls/prov: move the TLS 1.3 KDF code to providers This function needs to be power up tested as part of the FIPS validation and thus it needs to be inside the provider boundary. This is realised by introducing a new KDF "TLS13-KDF" which does the required massaging of parameters but is otherwise functionally equivalent to HKDF. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16203)
show more ...
|
#
9d300aa2 |
| 02-Jul-2021 |
Shane Lontis |
Add HKDF negative tests Fix memory leak if legacy test is skipped. Using EVP_KDF_CTX_get_params() to get OSSL_KDF_PARAM_SIZE will now return 0 if the returned size is 0. Rev
Add HKDF negative tests Fix memory leak if legacy test is skipped. Using EVP_KDF_CTX_get_params() to get OSSL_KDF_PARAM_SIZE will now return 0 if the returned size is 0. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15977)
show more ...
|
#
ed576acd |
| 21-May-2021 |
Tomas Mraz |
Rename all getters to use get/get0 in name For functions that exist in 1.1.1 provide a simple aliases via #define. Fixes #15236 Functions with OSSL_DECODER_, OSSL_ENCODER_,
Rename all getters to use get/get0 in name For functions that exist in 1.1.1 provide a simple aliases via #define. Fixes #15236 Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_, EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_, EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_, EVP_MD_, and EVP_CIPHER_ prefixes are renamed. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15405)
show more ...
|