History log of /openbsd/lib/libcrypto/evp/e_chacha20poly1305.c (Results 1 – 25 of 36)
Revision Date Author Comments
# d14f0dd0 22-May-2024 tb <tb@openbsd.org>

Fix in-place decryption for EVP_chacha20_poly1305()

Take the MAC before clobbering the input value on decryption. Fixes hangs
during the QUIC handshake with HAProxy using TLS_CHACHA20_POLY1305_SHA256.

Found, issue pinpointed, and initial fix tested by Lucas Gabriel Vuotto:
Let me take this opportunity to thank the HAProxy team for going out of
their way to keep supporting LibreSSL. It's much appreciated.

See https://github.com/haproxy/haproxy/issues/2569

tweak/ok jsing


# 9bac3682 09-Apr-2024 beck <beck@openbsd.org>

Hide public symbols in evp.h

largely mechanically done by the guentherizer 9000

ok tb@


# 3ee0c08a 30-Dec-2023 tb <tb@openbsd.org>

Some Australians don't like voids either


# 01dc8a73 15-Dec-2023 tb <tb@openbsd.org>

Fix a return value confusion in chacha20_poly1305_cipher()

On overlong input, chacha20_poly1305_cipher() would return 0, which in
EVP_CipherUpdate() and EVP_CipherFinal() signals success with no data
written since EVP_CIPH_FLAG_CUSTOM_CIPHER is set. In order to signal an
error, we need to return -1. Obviously.

ok jsing


# 77e08d39 28-Sep-2023 tb <tb@openbsd.org>

Fix EVP_CIPHER_CTX_iv_length()

In today's episode of "curly nonsense from EVP land" we deal with a quite
harmless oversight and a not too bad suboptimal fix, relatively speaking.

At some point EVP_CIPHER_{CCM,GCM}_SET_IVLEN was added. It modified some
object hanging off of EVP_CIPHER. However, EVP_CIPHER_CTX_iv_length() wasn't
taught about this and kept returning the hardcoded default value on the
EVP_CIPHER. Once it transpired that a doc fix isn't going to cut it, this
was fixed. And of course it's easy to fix: you only have to dive through
about three layers of EVP, test and set a flag and handle a control in a
couple methods.

The upstream fix was done poorly and we begrudgingly have to match the API:
the caller is expected to pass a raw pointer next to a 0 length along with
EVP_CIPHER_GET_IV_LENGTH and the control handler goes *(int *)ptr = length
in full YOLO mode. That's never going to be an issue because of course the
caller will always pass a properly aligned pointer backing a sufficient
amount of memory. Yes, unlikely to be a real issue, but it could have been
done with proper semantics and checks without complicating the code. But
why do I even bother to complain? We're used to this.

Of note here is that there was some pushback painting other corners of a
bikeshed until the reviewer gave up with a resigned

That kind of changes the semantics and is one extra complexity level,
but [shrug] ok...

Anyway, the reason this matters now after so many years is that rust-openssl
has an assert, notably added in a +758 -84 commit with the awesome message
"Docs" that gets triggered by recent tests added to py-cryptography.

Thanks to Alex Gaynor for reporting this. Let me take the opportunity to
point out that pyca contributed to improve rust-openssl, in particular its
libressl support, quite a bit. That's much appreciated and very noticeable.

Regress coverage to follow in subsequent commits.

Based on OpenSSL PR #9499 and issue #8330.

ok beck jsing

PS: A few macros were kept internal for now to avoid impact on the release
cycle that is about to finish. They will be exposed after release.


# 229d624c 24-Aug-2023 tb <tb@openbsd.org>

Update references from RFC 7539 to RFC 8439

RFC 7539 was superseded by RFC 8439, incorporating errata and making
editorial improvements. Very little of substance changed, in particular
section numbers remain the same.

Prompted by a question from schwarze


# 1ec3c770 07-Jul-2023 beck <beck@openbsd.org>

Unbreak the namespace build after a broken mk.conf and tool misfire had
me aliasing symbols not in the headers I was processing.

This unbreaks the namespace build so it will pass again

ok tb@


# ea2baf45 07-Jul-2023 beck <beck@openbsd.org>

Hide symbols in hkdf, evp, err, ecdsa, and ec

(part 2 of commit)

ok jsing@


# d8fdceda 01-Mar-2023 tb <tb@openbsd.org>

Make the cleanup() method return an int again

This partially reverts jsing's OpenBSD commit b8185953, but without adding
back the error check that potentially results in dumb leaks. No cleanup()
method in the wild returns anything but 1. Since that's the signature in
the EVP_CIPHER_meth_* API, we have no choice...

ok jsing


# c9675a23 26-Nov-2022 tb <tb@openbsd.org>

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# b8185953 13-Sep-2022 jsing <jsing@openbsd.org>

Stop pretending that EVP_CIPHER cleanup can fail.

Now that EVP_CIPHER is opaque, stop pretending that EVP_CIPHER cleanup can
fail.

ok tb@


# 9a36bc94 30-Aug-2022 tb <tb@openbsd.org>

chacha20_poly1305_cleanup() should return 1

Otherwise EVP_CIPHER_CTX_cleanup() leaks, as spotted by the ASAN CI.

ok jsing


# 87758528 21-Aug-2022 tb <tb@openbsd.org>

fix indent and zap trailing whitespace


# 0f60abb7 20-Aug-2022 jsing <jsing@openbsd.org>

Provide EVP_chacha20_poly1305()

EVP_chacha20_poly1305() is an EVP_CIPHER implementation of the
ChaCha20-Poly1305 AEAD. This is potentially used to provide encryption for
the QUIC transport layer.

Where possible, this should be avoided in favour of the significantly saner
EVP_AEAD interface.

ok tb@


# 1e3a1835 20-Aug-2022 jsing <jsing@openbsd.org>

Remove bogus length checks from EVP_aead_chacha20_poly1305()

The length checks for EVP_aead_chacha20_poly1305() seal/open were incorrect
and are no longer necessary (not to mention that the comment failed to
match the code). Remove these since the underlying ChaCha implementation
will now handle the same sized inputs as these functions can.

Issue flagged by and ok tb@


# 24705918 27-Mar-2019 jsing <jsing@openbsd.org>

Cast nonce bytes to avoid undefined behaviour when left shifting.

Reported by oss-fuzz, really fixes issue #13805.

ok beck@ tb@


# 2cb6f6e1 24-Mar-2019 jsing <jsing@openbsd.org>

Cast nonce bytes to avoid undefined behaviour when left shifting.

Reported by oss-fuzz, fixes issue #13805.

ok beck@ tb@


# 64bf2397 22-Jan-2019 dlg <dlg@openbsd.org>

add support for xchacha20 and xchacha20-poly1305

xchacha is a chacha stream that allows for an extended nonce, which
in turn makes it feasible to use random nonces.

ok tb@


# 6bd9a561 28-Aug-2017 jsing <jsing@openbsd.org>

Remove EVP_aead_chacha20_poly1305_old() now that the original/old
chacha20-poly1305 cipher suites have been removed from libssl.


# d49cbda5 11-May-2017 jsg <jsg@openbsd.org>

Fix a problem introduced in freezero() conversion and use
sizeof(struct) not sizeof(pointer).

otto@ points out that on OpenBSD currently freezero() would have still
zeroed the entire allocation, but this is not documented behaviour and
may change in future.

ok tom@


# 7de8a684 02-May-2017 deraadt <deraadt@openbsd.org>

use freezero() instead of memset/explicit_bzero + free. Substantially
reduces conditional logic (-218, +82).

MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH cache alignment calculation bn/bn_exp.c
wasn't quite right. Two other tricky bits with ASN1_STRING_FLAG_NDEF and
BN_FLG_STATIC_DATA where the condition cannot be collapsed completely.

Passes regress. ok beck


# 5067ae9f 29-Jan-2017 beck <beck@openbsd.org>

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@


# 685a9ab6 28-Apr-2016 jsing <jsing@openbsd.org>

Rename EVP_aead_chacha20_poly1305() to EVP_aead_chacha20_poly1305_old()
and replace with EVP_aead_chacha20_poly1305_ietf(). The IETF version will
become the standard version.

Discussed with many.


# 263e54b2 13-Apr-2016 jsing <jsing@openbsd.org>

Use the correct iv and counter when decrypting the ciphertext for
EVP_aead_chacha20_poly1305_ietf().


# cb91e3c0 02-Nov-2015 reyk <reyk@openbsd.org>

Fix typo in comment of previous commit: "that that".

