sync code with last improvements from OpenBSD

lib/libcrypto/cms/cms_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_lib.c,v 1.21 2023/08/22 08:59:44 tb Exp $ */
+/* $OpenBSD: cms_lib.c,v 1.24 2023/08/24 04:56:36 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -121,55 +121,55 @@ cms_Data_create(void)
 	return cms;
 }
 
-BIO *
+static BIO *
 cms_content_bio(CMS_ContentInfo *cms)
 {
-	ASN1_OCTET_STRING **pos = CMS_get0_content(cms);
+	ASN1_OCTET_STRING **pos;
 
-	if (!pos)
+	if ((pos = CMS_get0_content(cms)) == NULL)
 		return NULL;
-	/* If content detached data goes nowhere: create NULL BIO */
-	if (!*pos)
+
+	/* If content is detached, data goes nowhere: create null BIO. */
+	if (*pos == NULL)
 		return BIO_new(BIO_s_null());
-	/*
-	 * If content not detached and created return memory BIO
-	 */
-	if (!*pos || ((*pos)->flags == ASN1_STRING_FLAG_CONT))
+
+	/* If content is not detached and was created, return memory BIO. */
+	if ((*pos)->flags == ASN1_STRING_FLAG_CONT)
 		return BIO_new(BIO_s_mem());
 
-	/* Else content was read in: return read only BIO for it */
+	/* Else content was read in: return read-only BIO for it. */
 	return BIO_new_mem_buf((*pos)->data, (*pos)->length);
 }
 
 BIO *
-CMS_dataInit(CMS_ContentInfo *cms, BIO *icont)
+CMS_dataInit(CMS_ContentInfo *cms, BIO *in_content_bio)
 {
-	BIO *cmsbio = NULL, *cont = NULL;
+	BIO *cms_bio = NULL, *content_bio = NULL;
 
-	if ((cont = icont) == NULL)
-		cont = cms_content_bio(cms);
-	if (cont == NULL) {
+	if ((content_bio = in_content_bio) == NULL)
+		content_bio = cms_content_bio(cms);
+	if (content_bio == NULL) {
 		CMSerror(CMS_R_NO_CONTENT);
 		goto err;
 	}
 
 	switch (OBJ_obj2nid(cms->contentType)) {
 	case NID_pkcs7_data:
-		return cont;
+		return content_bio;
 	case NID_pkcs7_signed:
-		if ((cmsbio = cms_SignedData_init_bio(cms)) == NULL)
+		if ((cms_bio = cms_SignedData_init_bio(cms)) == NULL)
 			goto err;
 		break;
 	case NID_pkcs7_digest:
-		if ((cmsbio = cms_DigestedData_init_bio(cms)) == NULL)
+		if ((cms_bio = cms_DigestedData_init_bio(cms)) == NULL)
 			goto err;
 		break;
 	case NID_pkcs7_encrypted:
-		if ((cmsbio = cms_EncryptedData_init_bio(cms)) == NULL)
+		if ((cms_bio = cms_EncryptedData_init_bio(cms)) == NULL)
 			goto err;
 		break;
 	case NID_pkcs7_enveloped:
-		if ((cmsbio = cms_EnvelopedData_init_bio(cms)) == NULL)
+		if ((cms_bio = cms_EnvelopedData_init_bio(cms)) == NULL)
 			goto err;
 		break;
 	default:
@@ -177,11 +177,11 @@ CMS_dataInit(CMS_ContentInfo *cms, BIO *icont)
 		goto err;
 	}
 
-	return BIO_push(cmsbio, cont);
+	return BIO_push(cms_bio, content_bio);
 
  err:
-	if (cont != icont)
-		BIO_free(cont);
+	if (content_bio != in_content_bio)
+		BIO_free(content_bio);
 
 	return NULL;
 }

lib/libcrypto/cms/cms_local.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_local.h,v 1.4 2023/07/07 16:04:57 tb Exp $ */
+/* $OpenBSD: cms_local.h,v 1.5 2023/08/24 04:56:36 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -410,8 +410,6 @@ void CMS_IssuerAndSerialNumber_free(CMS_IssuerAndSerialNumber *a);
 #define CMS_OIK_KEYIDENTIFIER           1
 #define CMS_OIK_PUBKEY                  2
 
-BIO *cms_content_bio(CMS_ContentInfo *cms);
-
 CMS_ContentInfo *cms_Data_create(void);
 
 CMS_ContentInfo *cms_DigestedData_create(const EVP_MD *md);

lib/libcrypto/evp/e_chacha.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: e_chacha.c,v 1.12 2023/07/07 19:37:53 beck Exp $ */
+/* $OpenBSD: e_chacha.c,v 1.13 2023/08/24 04:20:57 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -53,13 +53,11 @@ static const EVP_CIPHER chacha20_cipher = {
 	.nid = NID_chacha20,
 	.block_size = 1,
 	.key_len = 32,
-	/* 
-	 * The 128 bit EVP IV is split for ChaCha into four 32 bit pieces:
-	 * 			counter[0]	counter[1]	iv[0]	iv[1]
-	 * OpenSSL exposes these as:
-	 * 	openssl_iv =	counter[0]	iv[0]		iv[1]	iv[2]
-	 * Due to the cipher internal state's symmetry, these are functionally
-	 * equivalent.
+	/*
+	 * The 16-byte EVP IV is split into 4 little-endian 4-byte words
+	 *      evpiv[15:12]	evpiv[11:8]	evpiv[7:4]	evpiv[3:0]
+	 *	iv[1]		iv[0]		counter[1]	counter[0]
+	 * and passed as iv[] and counter[] to ChaCha_set_iv().
 	 */
 	.iv_len = 16,
 	.flags = EVP_CIPH_STREAM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT |

lib/libcrypto/evp/e_chacha20poly1305.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: e_chacha20poly1305.c,v 1.30 2023/07/07 19:37:53 beck Exp $ */
+/* $OpenBSD: e_chacha20poly1305.c,v 1.31 2023/08/24 04:33:08 tb Exp $ */
 
 /*
  * Copyright (c) 2022 Joel Sing <jsing@openbsd.org>
@@ -106,7 +106,7 @@ poly1305_pad16(poly1305_state *poly1305, size_t data_len)
 	static const unsigned char zero_pad16[16];
 	size_t pad_len;
 
-	/* pad16() is defined in RFC 7539 2.8.1. */
+	/* pad16() is defined in RFC 8439 2.8.1. */
 	if ((pad_len = data_len % 16) == 0)
 		return;
 
@@ -330,7 +330,7 @@ aead_xchacha20_poly1305_open(const EVP_AEAD_CTX *ctx, unsigned char *out,
 	return 1;
 }
 
-/* RFC 7539 */
+/* RFC 8439 */
 static const EVP_AEAD aead_chacha20_poly1305 = {
 	.key_len = 32,
 	.nonce_len = CHACHA20_NONCE_LEN,

lib/libcrypto/man/EVP_AEAD_CTX_init.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.11 2023/05/09 07:19:24 tb Exp $
+.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.13 2023/08/24 04:33:08 tb Exp $
 .\"
 .\" Copyright (c) 2014, Google Inc.
 .\" Parts of the text were written by Adam Langley and David Benjamin.
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 9 2023 $
+.Dd $Mdocdate: August 24 2023 $
 .Dt EVP_AEAD_CTX_INIT 3
 .Os
 .Sh NAME
@@ -245,23 +245,44 @@ All cipher algorithms have a fixed key length unless otherwise stated.
 The following ciphers are available:
 .Bl -tag -width Ds -offset indent
 .It Fn EVP_aead_aes_128_gcm
-AES-128 in Galois Counter Mode.
+AES-128 in Galois Counter Mode, using a
+.Fa key_len
+of 16 bytes and a
+.Fa nonce_len
+of 12 bytes.
 .It Fn EVP_aead_aes_256_gcm
-AES-256 in Galois Counter Mode.
+AES-256 in Galois Counter Mode, using a
+.Fa key_len
+of 32 bytes and a
+.Fa nonce_len
+of 12 bytes.
 .It Fn EVP_aead_chacha20_poly1305
-ChaCha20 with a Poly1305 authenticator.
+ChaCha20 with a Poly1305 authenticator, using a
+.Fa key_len
+of 32 bytes and a
+.Fa nonce_len
+of 12 bytes.
 .It Fn EVP_aead_xchacha20_poly1305
-XChaCha20 with a Poly1305 authenticator.
+XChaCha20 with a Poly1305 authenticator, using a
+.Fa key_len
+of 32 bytes and a
+.Fa nonce_len
+of 24 bytes.
 .El
 .Pp
-Where possible the
+Unless compatibility with other implementations
+like OpenSSL or BoringSSL is required, using the
 .Sy EVP_AEAD
-interface to AEAD ciphers should be used in preference to the older
-.Sy EVP
-variants or to the low level interfaces.
-This is because the code then becomes transparent to the AEAD cipher
-used and much more flexible.
-It is also safer to use as it prevents common mistakes with the native APIs.
+interface to AEAD ciphers is recommended
+in preference to the functions documented in the
+.Xr EVP_EncryptInit 3 ,
+.Xr EVP_aes_256_gcm 3 ,
+and
+.Xr EVP_chacha20_poly1305 3
+manual pages.
+The code then becomes transparent to the AEAD cipher used
+and much more flexible.
+It is also safer to use as it prevents common mistakes with the EVP APIs.
 .Sh RETURN VALUES
 .Fn EVP_AEAD_CTX_new
 returns the new
@@ -319,17 +340,12 @@ EVP_AEAD_CTX_free(ctx);
 .Rs
 .%A A. Langley
 .%A W. Chang
-.%D November 2013
-.%R draft-agl-tls-chacha20poly1305-04
-.%T ChaCha20 and Poly1305 based Cipher Suites for TLS
-.Re
-.Pp
-.Rs
-.%A Y. Nir
-.%A A. Langley
-.%D May 2015
-.%R RFC 7539
-.%T ChaCha20 and Poly1305 for IETF Protocols
+.%A N. Mavrogiannopoulos
+.%A J. Strombergson
+.%A S. Josefsson
+.%D June 2016
+.%R RFC 7905
+.%T ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
 .Re
 .Pp
 .Rs
@@ -341,6 +357,7 @@ EVP_AEAD_CTX_free(ctx);
 .Sh HISTORY
 AEAD is based on the implementation by
 .An Adam Langley
+.\" OpenSSL commit 9a8646510b Sep 9 12:13:24 2013 -0400
 for Chromium/BoringSSL and first appeared in
 .Ox 5.6 .
 .Pp
@@ -349,3 +366,28 @@ and
 .Fn EVP_AEAD_CTX_free
 first appeared in
 .Ox 7.1 .
+.Sh CAVEATS
+The original publications and code by
+.An Adam Langley
+used a modified AEAD construction that is incompatible with the common
+style used by AEAD in TLS and incompatible with RFC 7905:
+.Pp
+.Rs
+.%A A. Langley
+.%A W. Chang
+.%D November 2013
+.%R draft-agl-tls-chacha20poly1305-04
+.%T ChaCha20 and Poly1305 based Cipher Suites for TLS
+.Re
+.Pp
+.Rs
+.%A Y. Nir
+.%A A. Langley
+.%D June 2018
+.%R RFC 8439
+.%T ChaCha20 and Poly1305 for IETF Protocols
+.Re
+.Pp
+In particular, the original version used a
+.Fa nonce_len
+of 8 bytes.

lib/libcrypto/man/EVP_chacha20.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_chacha20.3,v 1.3 2023/08/21 03:26:42 jsg Exp $
+.\" $OpenBSD: EVP_chacha20.3,v 1.6 2023/08/24 04:33:08 tb Exp $
 .\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 21 2023 $
+.Dd $Mdocdate: August 24 2023 $
 .Dt EVP_CHACHA20 3
 .Os
 .Sh NAME
@@ -93,11 +93,11 @@ argument of 16 bytes = 128 bits, internally using
 .Xr ChaCha_set_key 3
 and
 .Xr ChaCha_set_iv 3 .
-Due to the symmetry of the internal cipher state, interpreting the
+The lower 8 bytes = 64 bits of
 .Fa iv
-argument as a 4 byte counter followed by a 12 byte nonce
-or interpreting it as an 8 byte counter followed by an 8 byte nonce
-is functionally equivalent.
+are used as counter and the remaining 8 bytes are used as
+the initialization vector of
+.Xr ChaCha_set_iv 3 .
 .Xr EVP_EncryptUpdate 3 ,
 .Xr EVP_EncryptFinal_ex 3 ,
 .Xr EVP_DecryptUpdate 3 ,
@@ -114,6 +114,16 @@ objects created from
 .Pp
 .Fn EVP_chacha20_poly1305
 provides authenticated encryption with ChaCha20-Poly1305.
+Unless compatibility with other implementations
+like OpenSSL or BoringSSL is required, using
+.Xr EVP_AEAD_CTX_init 3
+with
+.Xr EVP_aead_chacha20_poly1305 3
+is recommended instead because the code then becomes transparent
+to the AEAD cipher used, more flexible, and less error prone.
+.Pp
+With
+.Fn EVP_chacha20_poly1305 ,
 .Xr EVP_EncryptInit_ex 3 ,
 .Xr EVP_DecryptInit_ex 3 ,
 and
@@ -237,6 +247,32 @@ returns 1 for success or 0 for failure.
 .Rs
 .%A A. Langley
 .%A W. Chang
+.%A N. Mavrogiannopoulos
+.%A J. Strombergson
+.%A S. Josefsson
+.%D June 2016
+.%R RFC 7905
+.%T ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
+.Re
+.Sh HISTORY
+.Fn EVP_chacha20
+first appeared in
+.Ox 5.6 .
+.Pp
+.Fn EVP_chacha20_poly1305
+first appeared in OpenSSL 1.1.0
+.\" OpenSSL commit bd989745 Dec 9 21:30:56 2015 +0100 Andy Polyakov
+and has been available since
+.Ox 7.2 .
+.Sh CAVEATS
+The original publications and code by
+.An Adam Langley
+used a modified AEAD construction that is incompatible with the common
+style used by AEAD in TLS and incompatible with RFC 7905:
+.Pp
+.Rs
+.%A A. Langley
+.%A W. Chang
 .%D November 2013
 .%R draft-agl-tls-chacha20poly1305-04
 .%T ChaCha20 and Poly1305 based Cipher Suites for TLS
@@ -245,15 +281,9 @@ returns 1 for success or 0 for failure.
 .Rs
 .%A Y. Nir
 .%A A. Langley
-.%D May 2015
-.%R RFC 7539
+.%D May 2018
+.%R RFC 8439
 .%T ChaCha20 and Poly1305 for IETF Protocols
 .Re
-.Sh HISTORY
-.Fn EVP_chacha20
-first appeared in
-.Ox 5.6 .
 .Pp
-.Fn EVP_chacha20_poly1305
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.2 .
+In particular, the original version used a nonce of 8 instead of 12 bytes.