summaryrefslogtreecommitdiffstats
path: root/crypto/evp/e_chacha20_poly1305.c
AgeCommit message (Collapse)Author
2020-11-13Convert all {NAME}err() in crypto/ to their corresponding ERR_raise() callRichard Levitte
This includes error reporting for libcrypto sub-libraries in surprising places. This was done using util/err-to-raise Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13318)
2020-07-16Update copyright yearRichard Levitte
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12463)
2020-07-11Add and use internal header that implements endianness checkRichard Levitte
This moves test/ossl_test_endian.h to include/internal/endian.h and thereby makes the macros in there our standard way to check endianness in run-time. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/12390)
2019-09-28Reorganize local header filesDr. Matthias St. Pierre
Apart from public and internal header files, there is a third type called local header files, which are located next to source files in the source directory. Currently, they have different suffixes like '*_lcl.h', '*_local.h', or '*_int.h' This commit changes the different suffixes to '*_local.h' uniformly. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9333)
2019-09-28Reorganize private crypto header filesDr. Matthias St. Pierre
Currently, there are two different directories which contain internal header files of libcrypto which are meant to be shared internally: While header files in 'include/internal' are intended to be shared between libcrypto and libssl, the files in 'crypto/include/internal' are intended to be shared inside libcrypto only. To make things complicated, the include search path is set up in such a way that the directive #include "internal/file.h" could refer to a file in either of these two directoroes. This makes it necessary in some cases to add a '_int.h' suffix to some files to resolve this ambiguity: #include "internal/file.h" # located in 'include/internal' #include "internal/file_int.h" # located in 'crypto/include/internal' This commit moves the private crypto headers from 'crypto/include/internal' to 'include/crypto' As a result, the include directives become unambiguous #include "internal/file.h" # located in 'include/internal' #include "crypto/file.h" # located in 'include/crypto' hence the superfluous '_int.h' suffixes can be stripped. The files 'store_int.h' and 'store.h' need to be treated specially; they are joined into a single file. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9333)
2019-08-08Change EVP_CIPHER_CTX_iv_length() to return current ivlen for some modesShane Lontis
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9542)
2019-05-01Structure alignment macro.Pauli
Introduce a macro that allows all structure alignment tricks to be rolled up into a single place. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8845)
2019-03-06Prevent over long nonces in ChaCha20-Poly1305Matt Caswell
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. CVE-2019-1543 Fixes #8345 Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8406)
2019-02-13Added new EVP/KDF API.David Makepeace
Changed PKEY/KDF API to call the new API. Added wrappers for PKCS5_PBKDF2_HMAC() and EVP_PBE_scrypt() to call the new EVP KDF APIs. Documentation updated. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6674)
2018-12-06Following the license change, modify the boilerplates in crypto/evp/Richard Levitte
[skip ci] Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7794)
2018-09-11Update copyright yearMatt Caswell
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7176)
2018-07-06evp/e_chacha20_poly1305.c: further improve small-fragment TLS performance.Andy Polyakov
Improvement coefficients vary with TLS fragment length and platform, on most Intel processors maximum improvement is ~50%, while on Ryzen - 80%. The "secret" is new dedicated ChaCha20_128 code path and vectorized xor helpers. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6638)
2018-06-29evp/e_chacha20_poly1305.c: improve performance for short TLS records.Andy Polyakov
Inputs not longer than 64 bytes are processed ~10% faster, longer lengths not divisble by 64, e.g. 255, up to ~20%. Unfortunately it's impossible to measure with apps/speed.c, -aead benchmarks TLS-like call sequence, but not exact. It took specially crafted code path... Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6597)
2017-10-18Remove parentheses of return.KaoruToda
Since return is inconsistent, I removed unnecessary parentheses and unified them. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4541)
2017-02-15Properly zero cipher_data for ChaCha20-Poly1305 on cleanupKazuki Yamaguchi
Fix a typo. Probably this has not been found because EVP_CIPHER_CTX is smaller than EVP_CHACHA_AEAD_CTX and heap overflow does not occur. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2294)
2017-01-26crypto/evp: harden AEAD ciphers.Andy Polyakov
Originally a crash in 32-bit build was reported CHACHA20-POLY1305 cipher. The crash is triggered by truncated packet and is result of excessive hashing to the edge of accessible memory. Since hash operation is read-only it is not considered to be exploitable beyond a DoS condition. Other ciphers were hardened. Thanks to Robert Święcki for report. CVE-2017-3731 Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-01-24Add missing flags for EVP_chacha20()Kazuki Yamaguchi
ChaCha20 code uses its own custom cipher_data. Add EVP_CIPH_CUSTOM_IV and EVP_CIPH_ALWAYS_CALL_INIT so that the key and the iv can be set by different calls of EVP_CipherInit_ex(). Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2156)
2016-11-10chacha20/poly1305: make sure to clear the buffer at correct positionRichard Levitte
The offset to the memory to clear was incorrect, causing a heap buffer overflow. CVE-2016-7054 Thanks to Robert Święcki for reporting this Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-02Fix some style issues...FdaSilvaYY
extra spacing and 80 cols Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1366)
2016-05-18Fix a NULL dereference in chacha20_poly1305_init_key()Kazuki Yamaguchi
chacha20_poly1305_init_key() dereferences NULL when called with inkey != NULL && iv == NULL. This function is called by EVP_EncryptInit_ex() family, whose documentation allows setting key and iv in separate calls. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-17Copyright consolidation 04/10Rich Salz
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-16Rename some BUF_xxx to OPENSSL_xxxRich Salz
Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen} to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen} Add #define's for the old names. Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros. Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-11evp/e_chacha20_poly1305.c: TLS interop fixes.Andy Polyakov
Thanks to: David Benjamin of Chromuim. Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-10crypto/evp: add e_chacha20_poly1305.c.Andy Polyakov
Reviewed-by: Richard Levitte <levitte@openssl.org>