+ Hopefully handing allocation/freeing of SymCrypt digest state entirely
to OpenSSL should avoid leaks in HMAC which Ming-Wei observes but I
have not been able to reproduce
+ Reduces complexity and lines of code anyway, so seems like a step in
the right direction
+ Free allocated public key on successful ECDH
+ Error in the engine when flen provided to RSA is too big, rather than
changing the value to read a prefix of the provided buffer
+ Also explicitly write to the amount of memory that is specified in
the RSA documentation:
https://www.openssl.org/docs/man1.1.1/man3/RSA_private_decrypt.html
+ In sc_ossl_rsa_finish free exdata if it is non-NULL
+ And do not dereference exdata if it is NULL
+ In ECC, do not initialize exdata until we know we will definitely be
using it (and not falling back to default implementation)
+ Rather than using the curve to determine whether to free exdata
members, use the initialized field
+ Always free the exdata if it is non-NULL
+ Also in ECDSA, handle DER encoded ECDSA signatures for P192 and P224
+ Renaming all the files separately from renaming all the symbols to help
git track file history - the source will not build with this commit as
the file contents have not been modified
+ Special AES-GCM codepaths for handling ESP buffers which have 8B of IV
at the start, then the payload, then 16B of tag (or ICV)
+ Requires 2 new CTRL methods - one to set AAD, one to set the
constant part of the IV (4B)
+ In AES-CBC use the default IV handling area to enable easy export of
the IV in the CMS API test
+ Try to enable use of MD5+SHA1 hash everywhere as it seems to be
important for TLS tests (log info messages in these cases)
+ Though it is hard to fallback to OpenSSL in RSA sign/verify, it turns
out to be easy to support MD5+SHA1 signatures using SymCrypt
+ Similarly for TLS PRF - there is an existing SymCrypt function for
TLSPRF1_1 which handles the MD5+SHA1 hash
+ For HKDF fallback to performing the operation using OpenSSL APIs in
the engine if the digest is not supported by SymCrypt (already being
done for the cases where we do not perform full HKDF)
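Added example (not code from the project or from these commits): a stand-alone C parser for the ESP buffer layout that the special AES-GCM codepath above consumes - 8 bytes of explicit IV, then the payload, then a 16-byte tag (ICV) - together with the 12-byte GCM nonce built from the 4-byte constant part (the "salt" set through the new CTRL) followed by the 8-byte IV, which is the RFC 4106 construction. Function names, the sample buffer and the salt value are constructed for illustration; the AAD (in ESP, the SPI and sequence number) is assumed to be passed separately through the other CTRL and is not modelled. The short-buffer case returns an error rather than reading a prefix, matching the flen handling described for RSA above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ESP_GCM_IV_LEN   8   /* explicit IV carried at the start of the buffer */
#define ESP_GCM_ICV_LEN  16  /* tag (ICV) carried at the end of the buffer */
#define ESP_GCM_SALT_LEN 4   /* constant part of the nonce, fixed per SA */
#define GCM_NONCE_LEN    (ESP_GCM_SALT_LEN + ESP_GCM_IV_LEN)

/* Borrowed views into a caller-owned ESP buffer; nothing is copied. */
typedef struct {
    const uint8_t *iv;
    const uint8_t *payload;
    size_t         payload_len;
    const uint8_t *icv;
} esp_gcm_view;

/* Split buf into IV(8) || payload || ICV(16). Returns 0 on success and -1
 * when the buffer cannot hold even an empty payload: a short buffer must
 * be rejected, not silently read as a prefix of something larger. */
int esp_gcm_split(const uint8_t *buf, size_t len, esp_gcm_view *out)
{
    if (buf == NULL || out == NULL)
        return -1;
    if (len < ESP_GCM_IV_LEN + ESP_GCM_ICV_LEN)
        return -1;
    out->iv          = buf;
    out->payload     = buf + ESP_GCM_IV_LEN;
    out->payload_len = len - ESP_GCM_IV_LEN - ESP_GCM_ICV_LEN;
    out->icv         = buf + len - ESP_GCM_ICV_LEN;
    return 0;
}

/* Payload length as a signed value: -1 on a malformed buffer. */
int esp_gcm_payload_len(const uint8_t *buf, size_t len)
{
    esp_gcm_view v;
    if (esp_gcm_split(buf, len, &v) != 0)
        return -1;
    return (int)v.payload_len;
}

/* 12-byte GCM nonce = salt(4) || explicit IV(8), as in RFC 4106. */
void esp_gcm_nonce(const uint8_t *salt, const uint8_t *iv, uint8_t *nonce)
{
    memcpy(nonce, salt, ESP_GCM_SALT_LEN);
    memcpy(nonce + ESP_GCM_SALT_LEN, iv, ESP_GCM_IV_LEN);
}

/* Constructed sample: 8-byte IV, 5-byte payload, 16-byte ICV (29 bytes). */
static const uint8_t sample_esp_buf[29] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,          /* IV */
    0xa1, 0xa2, 0xa3, 0xa4, 0xa5,                            /* payload */
    0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
    0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc           /* ICV */
};
/* Constructed salt (the 4-byte constant part of the IV, set once per SA). */
static const uint8_t sample_salt[ESP_GCM_SALT_LEN] = { 0x01, 0x02, 0x03, 0x04 };

/* Returns 1 when the split and the nonce construction match expectations. */
int esp_gcm_selftest(void)
{
    esp_gcm_view v;
    uint8_t nonce[GCM_NONCE_LEN];
    static const uint8_t want[GCM_NONCE_LEN] = {
        0x01, 0x02, 0x03, 0x04, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
    };
    if (esp_gcm_split(sample_esp_buf, sizeof sample_esp_buf, &v) != 0)
        return 0;
    if (v.payload_len != 5 || v.payload[0] != 0xa1 || v.icv[0] != 0xcc)
        return 0;
    if (v.icv != sample_esp_buf + sizeof sample_esp_buf - ESP_GCM_ICV_LEN)
        return 0;
    esp_gcm_nonce(sample_salt, v.iv, nonce);
    return memcmp(nonce, want, sizeof want) == 0;
}

int main(void)
{
    printf("selftest: %s, payload_len=%d, short buffer -> %d\n",
           esp_gcm_selftest() ? "ok" : "FAIL",
           esp_gcm_payload_len(sample_esp_buf, sizeof sample_esp_buf),
           esp_gcm_payload_len(sample_esp_buf, 23));
    return 0;
}
```

The views are borrowed, so the ICV pointer can be handed straight to the tag comparison on decrypt and the tag written in place on encrypt; the only length that has to be checked by the caller is the one the split already validates.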
+ Reduce noisy INFO logs from RSA_PSS
+ Introduce RSA pmeths which reroute calls to sign/verify PSS to SymCrypt, rather than using
OpenSSL's padding handling which could not be within our FIPS boundary
+ Mostly should be as in default OpenSSL, just with sign/verify methods replaced
+ Still just using RSA method for everything else - PKCS1 and OAEP padding can be routed appropriately just at the RSA method level
+ Fall back to OpenSSL for priv_enc and pub_dec RSA methods
+ Introduce SymCrypt error logging macro
+ Default to falling back to OpenSSL for unknown padding schemes for RSA encrypt and decrypt
+ Hook up hkdf and tls1prf to use OpenSSL's ctrl_str methods - which in turn call our ctrl method
+ Update SslPlay tests to exercise PSS
Add a NOTICE file with OpenSSL copyright information. I didn't add the LICENSE, README or other files since I figure we'll pick those up from GitHub when we merge our code into that repo.
+ When SymCrypt AES context is copied, we need to fix up the start and
end pointers into the expanded key.
+ Use the SymCrypt key copy functions
+ Disable AES-XTS again for now
+ Needs some thought about how to handle gracefully
+ Add explicit error message when trying to initialize an RSA key for
multi-prime RSA. We should consider the best way to fall back to
OpenSSL here (if necessary)
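Added example (not code from the project or from these commits): a toy illustration of the hazard behind the "fix up the start and end pointers into the expanded key" item above. A context that keeps pointers into its own expanded-key buffer cannot be copied bitwise: after a plain memcpy the copy's pointers still alias the original, and once the original is freed every use of the copy is a use-after-free. The struct layout, the stand-in key schedule and the function names are hypothetical and do not reproduce SymCrypt's real layout; the project's fix was to use SymCrypt's own key copy functions, whereas this block shows the rebasing those functions have to perform.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RK_BYTES 64

/* Toy context: an expanded-key buffer plus start/end pointers into it.
 * The real SymCrypt layout is not reproduced; only the pointer hazard is. */
typedef struct {
    uint8_t  rk[RK_BYTES];
    uint8_t *start;   /* first round key in use */
    uint8_t *end;     /* one past the last round key in use */
} toy_aes_ctx;

/* Stand-in key schedule: fill rk from the key and point start/end at it. */
void toy_ctx_init(toy_aes_ctx *c, const uint8_t *key, size_t keylen)
{
    for (size_t i = 0; i < RK_BYTES; i++)
        c->rk[i] = key[i % keylen] ^ (uint8_t)i;
    c->start = c->rk;
    c->end   = c->rk + RK_BYTES;
}

/* Bitwise copy: dst->start and dst->end still point into src->rk. If src is
 * later freed, every use of dst through those pointers is a use-after-free. */
void toy_ctx_copy_shallow(toy_aes_ctx *dst, const toy_aes_ctx *src)
{
    memcpy(dst, src, sizeof *dst);
}

/* Fixed copy: rebase the interior pointers by the offset they had in src. */
void toy_ctx_copy_fixup(toy_aes_ctx *dst, const toy_aes_ctx *src)
{
    memcpy(dst, src, sizeof *dst);
    dst->start = dst->rk + (src->start - src->rk);
    dst->end   = dst->rk + (src->end   - src->rk);
}

/* 1 if both pointers lie inside the context's own rk buffer (compared as
 * integers to avoid relational comparison of pointers to different objects). */
int toy_ctx_self_contained(const toy_aes_ctx *c)
{
    uintptr_t lo = (uintptr_t)c->rk, hi = lo + RK_BYTES;
    uintptr_t s = (uintptr_t)c->start, e = (uintptr_t)c->end;
    return s >= lo && s <= hi && e >= lo && e <= hi && s <= e;
}

/* Returns 1 when the shallow copy is shown to alias src and the fixed-up copy
 * is self-contained and holds the same round keys. */
int toy_ctx_copy_demo(void)
{
    static const uint8_t key[16] = { /* constructed sample key */
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
    toy_aes_ctx *src = malloc(sizeof *src);
    toy_aes_ctx shallow, fixed;
    int ok;
    if (src == NULL)
        return 0;
    toy_ctx_init(src, key, sizeof key);
    toy_ctx_copy_shallow(&shallow, src);
    toy_ctx_copy_fixup(&fixed, src);
    ok = !toy_ctx_self_contained(&shallow)        /* still aliases src->rk */
      && toy_ctx_self_contained(&fixed)
      && memcmp(fixed.start, src->start, RK_BYTES) == 0;
    free(src);                                    /* shallow.start now dangles */
    return ok;
}

int main(void)
{
    printf("copy demo: %s\n", toy_ctx_copy_demo() ? "ok" : "FAIL");
    return 0;
}
```

Running the demo under AddressSanitizer and then touching shallow.start after the free is the quickest way to see the class of bug the sanitizer runs mentioned below would report.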
+ Looks like the EVP interface expects callers to do one En/Decrypt call per XTS data unit, rather than using the block size to indicate the data unit size
+ Fixes for some typos
+ For AES-GCM - remove `EVP_CIPH_CUSTOM_COPY` flag, and fix return values for `symcrypt_aes_gcm_cipher` (-1 is error, >= 0 is success, and finalize call which handles the tag should return 0)
+ Fix up some issues identified by sanitizers when running SslPlay
+ We still see some apparent leaks from OpenSSL (a few hundred bytes) - it seems to be a known thing where `EVP_PKEY_keygen` can increase the size of an OpenSSL internal buffer ([reference](https://stackoverflow.com/questions/21532371/memory-leak-in-openssl-function-evp-pkey-keygen)). I'm not sure we can do anything about it in the engine