I have initially placed these utility functions in crypto/asn1_dsa.c

That's the first thing I noticed 😄
While I understand the tentative choice, it gets confusing to have it in the same spot as the code it "competes" with. Considering this is specifically for the FIPS module, it might be that this code is better located somewhere under providers/fips.

I don't think this belongs in a fips-specific location - the handling of things using this sort of parser should be done in both fips and non-fips contexts IMHO.

As a general comment on the code itself, I assume we will not only encode/decode DSA, so you might as well make the primitive type encoders/decoders (enc_int and dec_int) non-static, and probably rename them to something a little more descriptive.

While I understand the tentative choice, it gets confusing to have it in the same spot as the code it "competes" with. Considering this is specifically for the FIPS module, it might be that this code is better located somewhere under providers/fips.

So you want them in providers/common ?

I don't think this belongs in a fips-specific location - the handling of things using this sort of parser should be done in both fips and non-fips contexts IMHO.

There's a difference between the two providers: the default provider relies on and uses libcrypto, the FIPS module doesn't. So if we make this for the default provider, it means we're starting to replace the current ASN.1 library for all, not just for providers.

And the objective is for the code in a FIPS context and the code in a non-FIPS context to be as close as is possible. We shouldn't unnecessarily have two sets of code for handling the rather simplistic ASN.1 required at this level. And it shouldn't be seen as an ASN.1 replacement - it should be seen as basically handling formatting items at this layer.

And it shouldn't be seen as an ASN.1 replacement - it should be seen as basically handling formatting items at this layer.

That was terribly confusing, 'cause this is effectively replacing the DER encoding / decoding, specifically for DSA, in libcrypto.

Note: I'm not opposed to this change, I just want to make it explicit what we're actually doing.

As a general comment on the code itself, I assume we will not only encode/decode DSA, so you might as well make the primitive type encoders/decoders (enc_int and dec_int) non-static, and probably rename them to something a little more descriptive.

I admit the names could be better, and more descriptive. I'll fix that.
I will make them non-static but note that they currently only work for positive integers since that was all that was needed for the current use case.

I will make them non-static but note that they currently only work for positive integers since that was all that was needed for the current use case.

I think that for most of the stuff we do, the numbers are positive, so until we get to a case where that's not true, this is an ok assumption.

You could possibly add an assertion that !BN_is_negative

I just want to make it explicit what we're actually doing.

My view is that this is preventing the entirety of the ASN.1 code being pulled inside the FIPS boundary.
It isn't intended as the start of a rewrite of ASN.1.
I'm fine with this code being used only in FIPS provider or with it being used by the default provider as well.

@mattcaswell David has written many asn1 parsers and should be aware of the edge cases. I am not sure we need a full blown packet system just to address the few instances that need to reside within the fips boundary. There should not really be a problem if the code is shared by the default provider - if it has to work for the fips provider it should also be able to work for the default case.

I have just pushed the updates.

@levitte commented:

You could possibly add an assertion that !BN_is_negative

Okay, sure. I have added an assertion.

@levitte commented:

As a general comment on the code itself, I assume we will not only encode/decode DSA, so you might as well make the primitive type encoders/decoders (enc_int and dec_int) non-static, and probably rename them to something a little more descriptive.

I renamed all the functions and made them all non-static.

I haven't yet moved the implementation into providers/common since I wasn't sure if it was possible to do that before moving the dsa/ecdsa code into the providers. Suggestions and guidance welcome.

Another thought I'm having is about the encoders. The more complex the ASN.1 structure, the more hellish and separate the size calculations will have too be. An idea I've seen somewhere else is to do the DER encoding backwards, which means that at any time an element is encoded, there's just one size to keep track of (and in the case of combined elements, such as a SEQUENCE, you naturally add those sizes together on the fly).

Is this a suggestion for a recursive descent encoder?
This would be my approach for decoding as well, BTW.

Is this a suggestion for a recursive descent encoder?

In a manner of speaking, yes... although I rather see it as a series of function calls, potentially calling other functions and ending up calling generic primitive encoders. So essentially, one would have a set of functions to build up the "template" for the DER encoding of the ASN.1 structure, given a corresponding C structure.

This would be my approach for decoding as well, BTW.

Sure.

Another thought I'm having is about the encoders. The more complex the ASN.1 structure, the more hellish and separate the size calculations will have too be. An idea I've seen somewhere else is to do the DER encoding backwards, which means that at any time an element is encoded, there's just one size to keep track of (and in the case of combined elements, such as a SEQUENCE, you naturally add those sizes together on the fly).

It's a tree structure where you could have sequences and/or sets containing multiple sequences and/or sets. At some point you do need to keep track of more than one size. You might as well encode forwards rather than backwards.

If you are encoding to memory then you probably want to do a pass to calculate the total encoded size so that you can allocate a buffer of that size. If you are streaming the encode then you also need to know the sizes in advance if you want DER (i.e. definite-length encoding) and you can't do the encoding backwards. :)

Also SET and SET OF must be sorted (with a different comparator depending on whether it is a SET or a SET OF) in order to conform to DER.

Recursive descent encoding and decoding is, of course, the way to go.

Streaming is a problem for data sets, that's true. We do have to handle that in some cases, most notable CMS. But for smaller data sets (I count keys, certificates and similar there), I'm unsure how much effort we must put into streaming, rather than collecting a whole data set in a buffer and decode it when complete.

(this depends on what one means with "small", of course)

@mattcaswell David has written many asn1 parsers and should be aware of the edge cases. I am not sure we need a full blown packet system just to address the few instances that need to reside within the fips boundary.

Sorry - I don't agree. I'm not doubting David's ability to write parsers, but I have fixed many bugs in this kind of code over time and the old packet parsing/encoding system was a major cause of those bugs. I do not want to make the same mistake again. It's not just the initial implementation that you have worry about. Code changes over time and this type of code is brittle. It doesn't take much to suddenly find that some edge case is causing an OOB read or write - and in a potentially exploitable way.

We already have a packet parsing and encoding system. It's not currently available to libcrypto (libssl only) - but the design document does show it as moving to libcrypto. We should be using it.

Don't turn this into a "solve all the problems" thing. This is a small piece of code that does what's needed for the FIPS module [yes it will need more for RSA etc], and that should be enough for this release.

PACKET/WPACKET looks like it would be useful if I was implementing an entire ASN.1 module, but this PR is intended to be small, simple and robust and initially only satisfy the requirements of ECDSA/DSA signatures.

PACKET/WPACKET is useful for any packet parsing. It it not a particularly large amount of code: in the PACKET case it is implemented entirely as inline functions so you only pay the cost for the code you actually use. In the WPACKET case it is a single file with less than 450 lines of code.

Using it is straight forward and should not significantly increase the complexity of your current PR.

I'm strongly of the view that you should be taking this approach.

This isn't so much about code size, using PACKET/WPACKET inside the FIPS provider means freezing the code. The ASN.1 encoding here is two integers and every FIPS implementation I've heard of has hardcoded this...

This isn't so much about code size, using PACKET/WPACKET inside the FIPS provider means freezing the code.

So are you suggesting we should do things the wrong way because of FIPS rules? Surely we should design things the right way so as to avoid introducing bugs and vulnerabilities.

My understanding is that we are not going to "freeze" any code. We just fix bugs in it as required. If that means we have to do a 3SUB then so be it. Obviously we should avoid bringing in large chunks of code unnecessarily, but that shouldn't stop us bringing in the code that we need to do the job properly.

The ASN.1 encoding here is two integers and every FIPS implementation I've heard of has hardcoded this...

And it is still hardcoded with PACKET/WPACKET...we're not bringing in all the ASN.1 code.

I would like to see an alternate PR using the [W]PACKET interface to compare if anyone is willing to produce it. I don't see a issue one way or the other on whether or not we included the [W]PACKET code in the FIPS module. If we hit bugs we evaluate and fix. And bugs in this area would be non-algorithm bugs and able to go through a quick lab review for non-impact.

I shared the concerns about using PACKET/WPACKET and I just spent a bit of time trying to do this. It's an awkward fit, although some of that might be that I am not expert with the packet stuff. For example:

1. No ability to compute lengths without outputting the data and then throwing it away
2. No support for variable-length lengths (required by DER and BER)
3. Much support for sub-packets and passing up lengths, but that doesn't work for variable-length lengths (not surprising since all TLS presentation lengths are fixed-size). This means that it becomes an even WORSE fit if we need to support nested ASN.1 structures in the FIPS module.

So I changed my mind, threw away my half-written code, and support this PR as-is.

Just to ensure this isn't merged until this is resolved:

-1

I also had a look at the interface.
You will gain very little by over-engineering this.

I just pushed some updates to code comments only.

It would be foolish to think that this will be done for DSA sigs only, so encoding/decoding of primitives (integers in this PR) should really be factored out to its own translation unit.

Please take a look at #9111 for what this would look like using the PACKET API. I've not yet done the WPACKET changes.

I prefer to wait for refactoring until you see what other use-cases and code are needed.

I prefer to wait for refactoring until you see what other use-cases and code are needed.

That's how you end up having a generic URL parser in the OCSP code and then forget it's there. Some generalism isn't always a bad idea...

Rebased to resolve a conflict with master.

I prefer to wait for refactoring until you see what other use-cases and code are needed.

This case was the only ASN1 encode/decode required inside the old FOM - apart from RSA which is handled as fixed tables - so given that we already know what algorithms are inside the boundary, I dont see there being any more cases needed inside the FIPS provider. I also then dont see why it needs to use WPACKET/PACKET as it is fairly simple.
I cant see this changing any time soon. If it does then maybe refactor it then to use PACKET/WPACKET, otherwise I think its just overkill.

I withdraw my "prefer to wait" comment; #9067 (comment) convinced me there's no new information likely to come in.

To ensure it doesn't get lost in the intervening comments, my -1 on this still stands.

This case was the only ASN1 encode/decode required inside the old FOM - apart from RSA which is handled as fixed tables - so given that we already know what algorithms are inside the boundary, I dont see there being any more cases needed inside the FIPS provider. I also then dont see why it needs to use WPACKET/PACKET as it is fairly simple.

I don't see that using WPACKET/PACKET adds any complexity. If anything it makes it simpler and easier to read.

Regardless of that though, IMO all new packet processing code should be using WPACKET/PACKET no matter what. No exceptions. It makes no difference whether it is apparently simple. We were constantly being bombarded with OOB read/write reports in the past in libssl in code that was very similar to this. Code that should also have been simple. It turns out it's just too easy to make a mistake. I don't ever want to go there again.

I understand the argument for using the PACKET API's (and, to me, it's convincing; raw buffer manipulation seems a step backwards, no matter how "simple" it is). But I think it's wrong for an OMC member to be able to "perpetually" block a PR. They should either expire after some number of weeks (four?) or the blocker should start a vote.

All other OMC policies (inactivity, voting periods) have a time-based cut-off; holds on PR's should also.

Closed via #9111