Matt Caswell [Mon, 27 Feb 2023 11:54:29 +0000 (11:54 +0000)]
Ensure we use a non-zero time for tickets in early data
Our tests run so quickly that the ticket age is virtually zero. This may
not show up problems in the age calculations, so we artificially add some
age to the tickets in some runs.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20387)
Matt Caswell [Mon, 27 Feb 2023 11:18:26 +0000 (11:18 +0000)]
Fix early_data age calculation
The ticket_age/age_add values use ms granularity. We were incorrectly
treating them as seconds and so the ticket was always being rejected for
early data. We also clarify a comment which could have been the source of
the confusion.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20387)
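The unit confusion described in the commit is easy to reproduce in isolation. The following is an added example, not OpenSSL code: it implements the TLS 1.3 ticket age arithmetic from RFC 8446 section 4.2.11.1 (obfuscated_ticket_age = age in milliseconds + ticket_age_add, modulo 2^32) and a server-side acceptance check, next to a deliberately wrong variant that compares the unmasked value as if it were seconds. The function names, the 10 s tolerance window (the order of magnitude RFC 8446 section 8.3 suggests) and all clock and ticket_age_add values are constructed for the example.

```c
/*
 * Added example (not OpenSSL code): TLS 1.3 ticket age arithmetic per
 * RFC 8446 section 4.2.11.1, showing why the units matter.
 *
 * The client sends obfuscated_ticket_age = (age_ms + ticket_age_add) mod 2^32,
 * where age_ms is the time in MILLISECONDS since it received the ticket.
 * The server unmasks it with the same ticket_age_add and compares it with the
 * age it computes itself from the ticket's issue time.  All values used in
 * main() are constructed for the example.
 */
#include <stdint.h>
#include <stdio.h>

/* Tolerance for clock skew plus network delay; RFC 8446 section 8.3 suggests
 * a window on the order of ten seconds (assumed value for this example). */
#define TICKET_AGE_TOLERANCE_MS 10000u

/* Client side: mask the age (milliseconds) with the server-chosen ticket_age_add. */
uint32_t client_obfuscated_ticket_age(uint32_t age_ms, uint32_t ticket_age_add)
{
    /* uint32_t wraps modulo 2^32, which is exactly the RFC's arithmetic */
    return age_ms + ticket_age_add;
}

/* Server side: recover the client's view of the ticket age in milliseconds. */
uint32_t server_unmask_ticket_age(uint32_t obfuscated, uint32_t ticket_age_add)
{
    return obfuscated - ticket_age_add;
}

/*
 * Server side: decide whether early data may be accepted.
 * issue_ms / now_ms are the server's clock in milliseconds; lifetime_s is the
 * ticket_lifetime sent in NewSessionTicket, which RFC 8446 defines in seconds.
 * Returns 1 to accept, 0 to reject.
 */
int server_accept_early_data(uint32_t obfuscated, uint32_t ticket_age_add,
                             uint64_t issue_ms, uint64_t now_ms,
                             uint32_t lifetime_s)
{
    uint64_t client_age_ms = server_unmask_ticket_age(obfuscated, ticket_age_add);
    uint64_t server_age_ms, diff_ms;

    if (now_ms < issue_ms)
        return 0;                          /* clock went backwards: refuse */
    server_age_ms = now_ms - issue_ms;

    /* The ticket itself must still be valid; lifetime is in seconds, so scale. */
    if (server_age_ms > (uint64_t)lifetime_s * 1000u)
        return 0;

    /* Client and server views of the age must agree within the tolerance. */
    diff_ms = client_age_ms > server_age_ms ? client_age_ms - server_age_ms
                                            : server_age_ms - client_age_ms;
    return diff_ms <= TICKET_AGE_TOLERANCE_MS;
}

/*
 * The mistake the commit describes, reproduced on purpose: the unmasked
 * millisecond value is compared as if it were seconds, so even a fresh
 * ticket looks thousands of "seconds" old and early data is always rejected.
 */
int server_accept_early_data_buggy(uint32_t obfuscated, uint32_t ticket_age_add,
                                   uint64_t issue_ms, uint64_t now_ms,
                                   uint32_t lifetime_s)
{
    uint64_t client_age = server_unmask_ticket_age(obfuscated, ticket_age_add);
    uint64_t server_age_s = (now_ms - issue_ms) / 1000u;      /* seconds */
    uint64_t diff = client_age > server_age_s ? client_age - server_age_s
                                              : server_age_s - client_age;

    if (server_age_s > lifetime_s)
        return 0;
    return diff <= TICKET_AGE_TOLERANCE_MS / 1000u;           /* "10 seconds" */
}

int main(void)
{
    const uint32_t ticket_age_add = 0xDEADBEEFu;     /* constructed value   */
    const uint64_t issue_ms = 1700000000000ull;      /* constructed clock   */
    const uint64_t now_ms = issue_ms + 3000;         /* ticket is 3 s old   */
    uint32_t obf = client_obfuscated_ticket_age(3000u, ticket_age_add);

    printf("fixed check: %s\n",
           server_accept_early_data(obf, ticket_age_add, issue_ms, now_ms, 7200u)
           ? "accept" : "reject");
    printf("buggy check: %s\n",
           server_accept_early_data_buggy(obf, ticket_age_add, issue_ms, now_ms, 7200u)
           ? "accept" : "reject");
    return 0;
}
```

The fixed check accepts the 3 s old ticket and the buggy one rejects it, which is the "always rejected for early data" symptom from the commit. The unmasking relies on unsigned wrap-around, so a ticket_age_add near 2^32 is handled without any special casing.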
slontis [Mon, 27 Feb 2023 06:35:41 +0000 (16:35 +1000)]
Fix FFC mdprop setting bugs.
Coverage testing showed that ossl_ffc_params_fromdata() was not setting
OSSL_PKEY_PARAM_FFC_DIGEST_PROPS.
Adding a negative test also showed that ossl_ffc_params_copy() did not
do a shallow copy of the digest or digest property.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20385)
slontis [Mon, 27 Feb 2023 03:53:25 +0000 (13:53 +1000)]
Fix potential infinite loops in ECDSA signing.
Similar checks to the DSA code have been added for ECDSA also.
This should not be a problem when using named groups.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20384)
slontis [Mon, 27 Feb 2023 03:48:24 +0000 (13:48 +1000)]
Fix infinite loops in DSA sign code.
Fixes #20268
Values such as q=1 or priv=0 caused infinite loops when calling
DSA_sign() without these changes.
There are other cases where bad domain parameters may have caused
infinite loops where the retry counter has been added. The simpler case
of priv=0 also hits this case. q=1 caused an infinite loop in the setup.
The max retry value has been set to an arbitrary value of 8 (it is
unlikely to ever do a single retry for valid values).
The minimum q bits was set to an arbitrary value of 128 (160 is still
used for legacy reasons when using 512 bit keys).
Thanks @guidovranken for detecting this, and @davidben for his
insightful analysis.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20384)
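The two commits above (the ECDSA one and this DSA one) describe the same pattern: a sign loop that retries on r == 0 or s == 0 must be bounded, and the domain parameters must be sanity-checked before the nonce range [1, q-1] is used. The block below is an added example, not OpenSSL code, written to show that pattern on a toy DSA group (p = 23, q = 11, g = 4) with deliberately tiny, insecure constructed numbers and a plain xorshift PRNG instead of a CSPRNG. It keeps the commit's retry limit of 8 but uses a minimum q size of 4 bits (an assumption so that the toy parameters pass; the commit uses 128). The ECDSA case is structurally identical with r = (kG).x mod n.

```c
/*
 * Added example (not OpenSSL code): a toy DSA signer with the two guards
 * the commit message describes, a minimum size for q and a bounded retry
 * loop, so that degenerate inputs such as q=1, a generator that is 0 mod p,
 * or a zero private key fail cleanly instead of spinning forever.
 * All numbers are constructed, tiny and NOT secure.
 */
#include <stdint.h>
#include <stdio.h>

#define MAX_SIGN_RETRIES 8      /* the value the commit chose               */
#define MIN_Q_BITS 4            /* toy size for this example; commit uses 128 */

typedef struct { uint64_t p, q, g; } dsa_params;   /* domain parameters */
typedef struct { uint64_t r, s; } dsa_sig;

static uint64_t rng_state = 0x9E3779B97F4A7C15ull;  /* constructed seed */

/* xorshift64: reproducible for the example, NOT a CSPRNG. */
static uint64_t rng_next(void)
{
    uint64_t x = rng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return rng_state = x;
}

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (a % m) * (b % m) % m;   /* no overflow for the small moduli used here */
}

uint64_t powmod(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1 % m;
    b %= m;
    for (; e > 0; e >>= 1) {
        if (e & 1) r = mulmod(r, b, m);
        b = mulmod(b, b, m);
    }
    return r;
}

/* Modular inverse by extended Euclid; returns 0 when no inverse exists. */
uint64_t invmod(uint64_t a, uint64_t m)
{
    int64_t t = 0, newt = 1, r = (int64_t)m, newr = (int64_t)(a % m);
    while (newr != 0) {
        int64_t qt = r / newr, tmp;
        tmp = t - qt * newt; t = newt; newt = tmp;
        tmp = r - qt * newr; r = newr; newr = tmp;
    }
    return r == 1 ? (uint64_t)(t < 0 ? t + (int64_t)m : t) : 0;
}

static unsigned num_bits(uint64_t v)
{
    unsigned n = 0;
    for (; v != 0; v >>= 1) n++;
    return n;
}

/*
 * Sign digest h with private key x.  Returns 1 on success, 0 on failure.
 * The q-size check stops the k selection from running on an empty range
 * (q=1 is the case from the bug report); the retry counter stops the
 * r==0 / s==0 loop for parameters or keys that can never yield a signature.
 */
int dsa_sign(const dsa_params *dp, uint64_t x, uint64_t h, dsa_sig *out)
{
    int attempt;

    if (num_bits(dp->q) < MIN_Q_BITS || dp->p <= dp->q)
        return 0;                                   /* bad domain parameters */

    /* first attempt plus at most MAX_SIGN_RETRIES retries */
    for (attempt = 0; attempt <= MAX_SIGN_RETRIES; attempt++) {
        uint64_t k = 1 + rng_next() % (dp->q - 1);  /* k in [1, q-1]; biased, toy only */
        uint64_t kinv = invmod(k, dp->q), r, s;

        if (kinv == 0) continue;                    /* q not prime: retry   */
        r = powmod(dp->g, k, dp->p) % dp->q;
        if (r == 0) continue;                       /* e.g. g == 0 mod p    */
        s = mulmod(kinv, (h % dp->q + mulmod(x, r, dp->q)) % dp->q, dp->q);
        if (s == 0) continue;                       /* e.g. x == 0, h == 0 mod q */
        out->r = r; out->s = s;
        return 1;
    }
    return 0;                                       /* retries exhausted */
}

/* Standard DSA verification with public key y = g^x mod p. Returns 1 if valid. */
int dsa_verify(const dsa_params *dp, uint64_t y, uint64_t h, const dsa_sig *sig)
{
    uint64_t w, u1, u2, v;
    if (sig->r == 0 || sig->r >= dp->q || sig->s == 0 || sig->s >= dp->q) return 0;
    if ((w = invmod(sig->s, dp->q)) == 0) return 0;
    u1 = mulmod(h % dp->q, w, dp->q);
    u2 = mulmod(sig->r, w, dp->q);
    v = mulmod(powmod(dp->g, u1, dp->p), powmod(y, u2, dp->p), dp->p) % dp->q;
    return v == sig->r;
}

int main(void)
{
    dsa_params good = { 23, 11, 4 };    /* 4 has order 11 mod 23          */
    dsa_params tiny_q = { 23, 1, 4 };   /* q=1: rejected before the loop  */
    dsa_params bad_g = { 23, 11, 23 };  /* g == 0 mod p: r is always 0    */
    uint64_t x = 7, y = powmod(good.g, x, good.p), h = 9;
    dsa_sig sig;

    printf("good params: sign=%d", dsa_sign(&good, x, h, &sig));
    printf(" verify=%d\n", dsa_verify(&good, y, h, &sig));
    printf("q=1:         sign=%d\n", dsa_sign(&tiny_q, x, h, &sig));
    printf("g=0 mod p:   sign=%d\n", dsa_sign(&bad_g, x, h, &sig));
    printf("priv=0,h=0:  sign=%d\n", dsa_sign(&good, 0, 11, &sig));
    return 0;
}
```

Without the two guards, the q=1 case never leaves the k selection (the range is empty) and the g == 0 and priv=0/h == 0 cases retry forever because every iteration produces r == 0 or s == 0. With them, all three return 0 after a bounded amount of work, while a valid key still produces a signature that verifies. In production the private key should additionally be range-checked before signing; the retry counter is a backstop, not a substitute for parameter and key validation.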
Robin Lee [Sun, 26 Feb 2023 05:56:14 +0000 (13:56 +0800)]
ec: Use .machine "any" explicitly in ecp_nistp521-ppc64
Since GCC commit e154242724b084380e3221df7c08fcdbd8460674 the flag "-many"
is sometimes not passed to the assembler. Use .machine "any" just like
ecp_nistz256-ppc64 to prevent compile errors when built with some
configurations of GCC.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20378)
Pauli [Sun, 26 Feb 2023 23:14:43 +0000 (10:14 +1100)]
Update FIPS provider documentation to note that fips=yes is mandatory
This was in the notes section but an earlier comment about it not being
mandatory was missed.
Fixes #20376
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20382)
ndossche [Thu, 9 Feb 2023 08:49:47 +0000 (09:49 +0100)]
Fix incomplete error check on RSA_public_decrypt()
According to the documentation and my analysis tool, RSA_public_decrypt()
can return -1 on error, but this is not checked. Fix it by changing the
error condition.
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20250)
ndossche [Thu, 9 Feb 2023 10:39:58 +0000 (11:39 +0100)]
Fix incomplete error check on ASN1_item_i2d()
According to the documentation and my analysis tool,
ASN1_item_i2d() can return a negative value on error,
but this is not checked. Fix it by changing the error check condition.
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20251)
slontis [Wed, 22 Feb 2023 23:09:57 +0000 (09:09 +1000)]
Document the list of RAND algorithms in the default and fips providers.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20361)
slontis [Wed, 22 Feb 2023 00:11:33 +0000 (10:11 +1000)]
Add provider pre-fetching documentation
Clearly document that implicit fetching is slower when using providers,
and explain prefetching. Added to crypto.pod and migration_guide.pod
links to it.
Add a link to EVP_default_properties_enable_fips() in crypto.pod.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20354)
slontis [Wed, 22 Feb 2023 02:15:47 +0000 (12:15 +1000)]
Add documentation for "NULL" cipher and digest algorithms.
Fixes #20340
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20356)
Alex Gaynor [Sun, 19 Feb 2023 04:43:41 +0000 (23:43 -0500)]
Added a fuzzer for SMIME
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20332)
Dr. David von Oheimb [Fri, 24 Feb 2023 13:04:10 +0000 (14:04 +0100)]
util/find-doc-nits: improve error diagnostics on missing man section numbers in links
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20369)
Dr. David von Oheimb [Fri, 24 Feb 2023 13:03:19 +0000 (14:03 +0100)]
CMS_add0_cert.pod: add missing man section numbers in recently added L<fun()> refs
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20369)
Ingo Franzki [Wed, 8 Feb 2023 16:26:20 +0000 (17:26 +0100)]
Add OSSL_FUNC_keymgmt_im/export_types function that gets the provider context
The provider functions OSSL_FUNC_keymgmt_import_types() and
OSSL_FUNC_keymgmt_export_types() do not get the provider context passed.
This makes it difficult for providers to implement these functions unless
it's a static implementation returning a truly constant OSSL_PARAM array.
Some providers may have a need to return an OSSL_PARAM array that is
dependent on the provider configuration, or anything else that is contained
in its provider context.
Add extended variants of these functions that get the provider context passed.
The functions should still return a static and constant OSSL_PARAM array, but
may use the provider context to select the array to return dependent on its
context. The returned array must be constant at least until the provider is
unloaded.
Providers can implement only the original functions, or only the extended
functions, or both. Implementing at least one of those functions is required
if also the respective OSSL_FUNC_keymgmt_import() or OSSL_FUNC_keymgmt_export()
function is implemented. If an extended function is available, it is called by
evp_keymgmt_import_types() or evp_keymgmt_export_types(), otherwise the original
function is called.
This makes the code backward compatible. Existing providers will only implement
the original functions, so these functions will continue to be called.
Newer providers can choose to implement the extended functions, and thus can
benefit from the provider context being passed to the implementation.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20255)
Dr. David von Oheimb [Mon, 12 Sep 2022 18:50:28 +0000 (20:50 +0200)]
CMS_add0_cert: if cert already present, do not throw error but ignore it
Also add checks on failing cert/CRL up_ref calls; improve coding style.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19199)
Dr. David von Oheimb [Fri, 10 Feb 2023 08:53:43 +0000 (09:53 +0100)]
CMS_add1_crl(): prevent double free on failure of CMS_add0_crl()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19199)
Michael Baentsch [Mon, 26 Sep 2022 15:32:05 +0000 (17:32 +0200)]
first cut at sigalg loading
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19312)
Richard Levitte [Sat, 18 Feb 2023 10:22:39 +0000 (11:22 +0100)]
test/recipes/01-test_symbol_presence.t: check for duplicate symbols in static libs
This checks that all symbols are unique across all public static libraries.
This includes a bit of refactoring to avoid repeating code too much.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20331)
slontis [Thu, 15 Dec 2022 02:13:55 +0000 (12:13 +1000)]
Add help for pkeyopt values for the genpkey commandline app.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/19931)
olszomal [Tue, 21 Feb 2023 13:20:24 +0000 (14:20 +0100)]
Skip subdirectories in SSL_add_dir_cert_subjects_to_stack()
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20312)
Jeeban Sethi [Tue, 21 Feb 2023 16:01:43 +0000 (21:31 +0530)]
Fixes #20278: Fixed double free bug in crypto/http/http_client.c
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20351)
Matt Caswell [Thu, 26 Jan 2023 18:23:32 +0000 (18:23 +0000)]
Test that QUIC has the ciphersuites that we expect
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20148)
Matt Caswell [Thu, 26 Jan 2023 17:53:30 +0000 (17:53 +0000)]
Don't send ciphersuites twice in QUIC
QUIC TLS was sending some ciphersuites twice in the ClientHello. This
was due to us declaring some TLSv1.3 ciphersuites in the list intended to
describe the TLSv1.2 ciphersuites supported by the SSL_METHOD.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20148)
Sam James [Tue, 21 Feb 2023 00:37:57 +0000 (00:37 +0000)]
CI: add Clang 16
Clang 16 will be released shortly (beginning of March).
Signed-off-by: Sam James <sam@gentoo.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20346)
zhailiangliang [Wed, 15 Feb 2023 02:43:01 +0000 (10:43 +0800)]
Fix potential NULL pointer dereference in function evp_pkey_asn1_ctrl
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20294)
Matt Caswell [Mon, 6 Feb 2023 15:56:33 +0000 (15:56 +0000)]
Add const to some test tserver functions
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Mon, 6 Feb 2023 15:34:05 +0000 (15:34 +0000)]
Rename various functions OSSL_QUIC_FAULT -> QTEST_FAULT
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Thu, 26 Jan 2023 15:19:40 +0000 (15:19 +0000)]
Don't declare SSL_CONNECTION twice
It causes problems with some compilation options
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Thu, 26 Jan 2023 14:55:28 +0000 (14:55 +0000)]
Ensure calling BIO_recvmmsg() with a dgram pair reports errors
When calling BIO_recvmmsg() and using a dgram pair we were failing to
raise an error in the case that a problem occurs. This means that the
reason behind a failure cannot be detected and all problems are treated
as fatal even if they may not be.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Tue, 17 Jan 2023 15:16:42 +0000 (15:16 +0000)]
Add a helper function to prepend a frame to a packet
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Wed, 11 Jan 2023 16:08:53 +0000 (16:08 +0000)]
Add explanatory comments to say what happens during resizing of buffers
Explain that buffers are over-allocated to begin with, so a resize is a
logical resize only. Buffer addresses never change.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Wed, 11 Jan 2023 16:04:25 +0000 (16:04 +0000)]
Add a qtest_check_server_transport_err helper function
Allows tests to check that a given transport error was received by the
server.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Wed, 11 Jan 2023 15:14:52 +0000 (15:14 +0000)]
Extend the corruption test to truncate a datagram
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Tue, 10 Jan 2023 18:55:05 +0000 (18:55 +0000)]
Add the capability to listen for datagrams
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Tue, 10 Jan 2023 17:52:18 +0000 (17:52 +0000)]
Don't treat the Tserver as connected until the handshake is confirmed
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Tue, 10 Jan 2023 16:22:20 +0000 (16:22 +0000)]
Add a test for a corrupted packet
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Mon, 12 Dec 2022 16:52:50 +0000 (16:52 +0000)]
Enable the fault injector to add faults to post-encryption packets
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Fri, 9 Dec 2022 17:00:46 +0000 (17:00 +0000)]
Expand some comments in the header file
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Wed, 7 Dec 2022 16:55:21 +0000 (16:55 +0000)]
Raise a protocol error if we have not received transport params from peer
If we complete the TLS handshake but transport params were not received
then this is a protocol error and we should fail.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Tue, 6 Dec 2022 16:44:09 +0000 (16:44 +0000)]
Add a test for a server that doesn't provide transport params
Check that we fail if the server has failed to provide transport params.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Fri, 2 Dec 2022 15:52:21 +0000 (15:52 +0000)]
Implement the QUIC Fault injector support for TLS handshake messages
Provide helper functions to listen for TLS handshake messages being sent,
as well as the ability to change the contents of those messages as well as
resizing them.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Fri, 2 Dec 2022 14:38:46 +0000 (14:38 +0000)]
Add the ability to mutate TLS handshake messages before they are written
We add callbacks so that TLS handshake messages can be modified by the test
framework before they are passed to the handshake hash, possibly encrypted
and written to the network. This enables us to simulate badly behaving
endpoints.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Thu, 1 Dec 2022 11:52:48 +0000 (11:52 +0000)]
Add a test where an unknown frame type is received
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Thu, 1 Dec 2022 16:37:47 +0000 (16:37 +0000)]
Enable QUIC test server to find out the termination reason
We enable querying of the termination reason which is useful for tests.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Thu, 1 Dec 2022 16:36:08 +0000 (16:36 +0000)]
Treat unknown frames as a protocol error
From RFC9000, section 19.21 "An extension to QUIC that wishes to use a new
type of frame MUST first ensure that a peer is able to understand the
frame". So if we receive an unknown frame type from a peer we should treat
it as a protocol violation. In fact we ignore it, and ignore all the
contents of the rest of the packet and continue on regardless.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
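The requirement quoted from RFC 9000 is enforced at the frame parser: RFC 9000 section 12.4 makes receipt of a frame of unknown type a connection error of type FRAME_ENCODING_ERROR (0x07, section 20.1). The following is an added example, not OpenSSL's QUIC code, that decodes the section 16 variable-length integers in a decrypted packet payload, classifies each frame type against the section 19 range 0x00..0x1e, and returns the transport error to close with instead of skipping the remainder of the packet. It only knows the bodies of a handful of frame types with purely varint fields; for other defined types it returns -1 (an assumption of the example so the two outcomes stay distinguishable), and the payload bytes in main() are constructed.

```c
/*
 * Added example (not OpenSSL code): walk the frames of a decrypted QUIC
 * packet payload and return FRAME_ENCODING_ERROR for an unknown frame type
 * or a truncated frame, per RFC 9000 sections 12.4 and 20.1.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define QUIC_ERR_NO_ERROR             0x00
#define QUIC_ERR_FRAME_ENCODING_ERROR 0x07   /* RFC 9000 section 20.1 */

/* Decode an RFC 9000 section 16 varint. Returns bytes consumed, 0 if truncated. */
size_t quic_varint_decode(const uint8_t *buf, size_t len, uint64_t *out)
{
    size_t n, i;
    if (len == 0) return 0;
    n = (size_t)1 << (buf[0] >> 6);          /* top two bits: 1, 2, 4 or 8 bytes */
    if (len < n) return 0;
    *out = buf[0] & 0x3f;
    for (i = 1; i < n; i++)
        *out = (*out << 8) | buf[i];
    return n;
}

/* Frame types defined by RFC 9000 section 19 are 0x00..0x1e; anything else is unknown. */
int quic_frame_type_known(uint64_t type)
{
    return type <= 0x1e;
}

/* Number of varint fields after the type for the frame types handled here;
 * -1 means "defined by RFC 9000 but not parsed by this example". */
static int frame_varint_fields(uint64_t type)
{
    switch (type) {
    case 0x00: case 0x01: case 0x1e:   /* PADDING, PING, HANDSHAKE_DONE        */
        return 0;
    case 0x10: case 0x14: case 0x19:   /* MAX_DATA, DATA_BLOCKED, RETIRE_CONN_ID */
        return 1;
    case 0x11: case 0x15:              /* MAX_STREAM_DATA, STREAM_DATA_BLOCKED */
        return 2;
    default:
        return -1;
    }
}

/*
 * Walk every frame in the payload.  Returns the transport error code to close
 * the connection with: QUIC_ERR_NO_ERROR when every frame was well-formed,
 * QUIC_ERR_FRAME_ENCODING_ERROR for an unknown type or a truncated frame,
 * -1 for a defined type this example does not parse.  *frames receives the
 * number of frames fully walked before returning.
 */
int quic_walk_frames(const uint8_t *payload, size_t len, size_t *frames)
{
    size_t off = 0;
    *frames = 0;
    while (off < len) {
        uint64_t type, field;
        size_t n = quic_varint_decode(payload + off, len - off, &type);
        int fields, i;

        if (n == 0)
            return QUIC_ERR_FRAME_ENCODING_ERROR;    /* truncated type varint */
        off += n;
        if (!quic_frame_type_known(type))
            return QUIC_ERR_FRAME_ENCODING_ERROR;    /* RFC 9000 section 12.4 */
        if ((fields = frame_varint_fields(type)) < 0)
            return -1;                               /* example's own limit   */
        for (i = 0; i < fields; i++) {
            n = quic_varint_decode(payload + off, len - off, &field);
            if (n == 0)
                return QUIC_ERR_FRAME_ENCODING_ERROR; /* truncated frame body */
            off += n;
        }
        (*frames)++;
    }
    return QUIC_ERR_NO_ERROR;
}

int main(void)
{
    /* constructed payload: PING, MAX_DATA(1024), PADDING, then unknown type 0x21 */
    static const uint8_t payload[] = { 0x01, 0x10, 0x44, 0x00, 0x00, 0x40, 0x21 };
    size_t frames;
    int err = quic_walk_frames(payload, sizeof payload, &frames);

    printf("walked %zu frames, close connection with error 0x%02x\n", frames, err);
    return 0;
}
```

Frame types above 0x1e are only legitimate once an extension has been negotiated (for example the DATAGRAM frames of RFC 9221), so a real implementation consults the negotiated transport parameters before the range check rather than hard-coding 0x1e; the point is that an unrecognised type must end the connection, not be skipped.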
Matt Caswell [Thu, 1 Dec 2022 14:16:02 +0000 (14:16 +0000)]
Don't raise an error on retryable read in a BIO_s_dgram_pair()
This results in spurious errors appearing on the queue in normal
operation, e.g. calling SSL_tick() with a QUIC connection will succeed,
but an error will end up on the queue anyway.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Wed, 30 Nov 2022 16:41:31 +0000 (16:41 +0000)]
Implement the QUIC Fault injector support for plaintext packets
Provide helper functions to listen for plaintext packets being sent, as
well as the ability to change the contents of those packets as well as
resizing them.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Wed, 30 Nov 2022 14:21:00 +0000 (14:21 +0000)]
Add a skeleton quicfaultstest
Also includes helper support to create a QUIC connection inside a test.
We will use quicfaultstest to deliberately inject faulty datagrams/packets
to test how we handle them.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Matt Caswell [Tue, 29 Nov 2022 16:04:23 +0000 (16:04 +0000)]
Add the ability to mutate QUIC packets before they are written
We add callbacks so that QUIC packets can be modified by the test
framework before they are encrypted and written to the network. This
enables us to simulate badly behaving endpoints.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)
Pauli [Mon, 20 Feb 2023 22:20:43 +0000 (09:20 +1100)]
update documentation to note that EdDSA is not FIPS approved
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20343)
Pauli [Mon, 20 Feb 2023 22:20:22 +0000 (09:20 +1100)]
update changes entry to note EdDSA is not FIPS approved
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20343)
Pauli [Mon, 20 Feb 2023 22:11:44 +0000 (09:11 +1100)]
Revert "Put EdDSA back as approved algorithms."
This reverts commit 09627a8ceb69e19d2855b36228f44a3660af177a.
NIST isn't allowing EdDSA at this stage after all, so flag it as not
FIPS approved in the FIPS provider. Guidance for FIPS 140-3 is expected
later this month:
The use of EdDSA still remains non-approved.
Before the FIPS 186-5 and SP 800-186 algorithms / curves can be
used in the approved mode, the CMVP will need to do (at least)
the following:
* Incorporate FIPS 186-5 and SP 800-186 into SP 800-140C/D;
* Update IG 10.3.A to incorporate self-test requirements for the
new algorithms/curves.
* Write a new IG on this transition to clarify the issues raised in
this thread and elsewhere and provide a clear transition schedule.
The CMVP is working on all three of these items and hope to have
drafts public by the end of March.
Since security relevant changes are not permitted for new 140-2
submissions, and under the assumption that this transition away
from FIPS 186-4 algorithms will be 'soft' and not move modules to
the historical list, we do not plan on writing 140-2 guidance for
this transition.
It seems unlikely that all of these requirements will be completed before
we submit.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20343)
Matt Caswell [Mon, 20 Feb 2023 17:22:57 +0000 (17:22 +0000)]
Add a test for no initialisation of the default config file
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20341)
Matt Caswell [Mon, 20 Feb 2023 14:47:20 +0000 (14:47 +0000)]
Only call OPENSSL_init_crypto on fetch if using the default libctx
There is no point in calling OPENSSL_init_crypto() unless we are actually
going to be using the default libctx.
Fixes #20315
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20341)
Benno Evers [Fri, 17 Feb 2023 12:03:19 +0000 (13:03 +0100)]
Document return value of OSSL_DECODER_from_data
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20327)
ndossche [Mon, 13 Feb 2023 14:27:25 +0000 (15:27 +0100)]
Fix incorrect error branch in ossl_bn_rsa_fips186_4_derive_prime()
BN_priv_rand_range_ex() and BN_add() both return a 0 on failure and a 1
on success. In case of failure, the algorithm should fail. However, the
branch that it goes through on failure is "goto end", not "goto err".
Therefore, the algorithm will return 1 which indicates success instead
of 0 for failure, leading to potential problems for the callers.
Fix it by changing the goto to "goto err" instead of "goto end".
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20279)
Philippe Antoine [Thu, 9 Feb 2023 14:21:59 +0000 (15:21 +0100)]
fuzz: fix coverity warnings
introduced by 2b9e2afc382490592078cdb69d06f54f0fefd4c6
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20253)
Jeeban Sethi [Wed, 15 Feb 2023 18:57:12 +0000 (00:27 +0530)]
openssl#20299: Fixed use after free bug
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20300)
Todd Short [Thu, 16 Feb 2023 15:56:29 +0000 (10:56 -0500)]
Fix possible memory leak on error
The two places that call `ossl_ssl_init()` assume that no additional
memory has been allocated when this fails; they subsequently free
the QUIC_CONNECTION/SSL_CONNECTION via OPENSSL_free() without freeing
any other resources.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20316)
Bernd Edlinger [Mon, 13 Feb 2023 11:58:33 +0000 (12:58 +0100)]
Fix failing cms test when no-des is used
The test tries to use DES but that may not be available.
But for the purpose of regression testing CVE-2023-0215
the cipher is not relevant, so we use AES-128 instead.
Fixes #20249
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20276)
Jeeban Sethi [Thu, 16 Feb 2023 12:00:45 +0000 (17:30 +0530)]
openssl-3.0#20290: Fixed typo in "config" man page
CLA: trivial
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20311)
(cherry picked from commit 3da073c405e2d2000188571c23f3a79cf67a6e9d)
Clemens Lang [Thu, 16 Feb 2023 14:20:43 +0000 (15:20 +0100)]
kbkdf: Fix kbkdf_dup function pointer type
kbkdf_dup should use the appropriate type OSSL_FUNC_kdf_dupctx_fn.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20314)
Richard Levitte [Wed, 8 Feb 2023 07:23:41 +0000 (08:23 +0100)]
Use of sparse_array.c only in the shared libssl
Conditioning it on $disabled{shared} isn't right, it will still end up
in the static variant of the library. It's better to use SHARED_SOURCE
for these sorts of things.
Fixes #20238
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20240)
Dr. David von Oheimb [Fri, 27 Jan 2023 20:17:50 +0000 (21:17 +0100)]
OSSL_CMP_certConf_cb(): fix regression on checking newly enrolled cert
Also add corresponding tests and to this end update credentials
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20160)
Tomas Mraz [Wed, 8 Feb 2023 07:47:15 +0000 (08:47 +0100)]
Correct a copy&paste error in a link URL
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20228)
Tomas Mraz [Tue, 7 Feb 2023 16:18:54 +0000 (17:18 +0100)]
Sync CHANGES.md and NEWS.md with 3.0.8 release
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20228)
Hubert Kario [Wed, 8 Feb 2023 13:13:24 +0000 (14:13 +0100)]
rsa: add msvc intrinsic for non x64 platforms
_umul128() is x86_64 (x64) only, while __umulh() works everywhere, but
doesn't generate optimal code on x64
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20244)
Tom Cosgrove [Sat, 28 Jan 2023 18:43:30 +0000 (18:43 +0000)]
Fix the return values of the aarch64 unroll8_eor_aes_gcm_*_*_kernel functions
These aren't currently checked when they are called in cipher_aes_gcm_hw_armv8.inc,
but they are declared as returning as size_t the number of bytes they have processed,
and the aes_gcm_*_*_kernel (unroll by 4) versions of these do return the correct
values.
Change-Id: Ic3eaf139e36e29e8779b5bd8b867c08fde37a337
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20191)
Dr. David von Oheimb [Wed, 1 Feb 2023 16:22:17 +0000 (17:22 +0100)]
CMP cert_response(): add missing rejection status on client rejecting new cert
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20190)
Dr. David von Oheimb [Wed, 1 Feb 2023 14:50:54 +0000 (15:50 +0100)]
cmp_client_test.c: add tests for errors reported by server on subsequent requests in a transaction
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20190)
Dr. David von Oheimb [Wed, 1 Feb 2023 14:47:14 +0000 (15:47 +0100)]
ossl_cmp_mock_srv_new.pod: correct/update names of internal test support functions
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20190)
Dr. David von Oheimb [Wed, 1 Feb 2023 14:43:35 +0000 (15:43 +0100)]
OSSL_CMP_SRV_process_request(): fix recipNonce on error in subsequent request of a transaction
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20190)
Dr. David von Oheimb [Wed, 1 Feb 2023 14:39:52 +0000 (15:39 +0100)]
cmp_ctx.c: fix wrong comments on OSSL_CMP_CTX_set1_{recipient,issuer}
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20190)
Dr. David von Oheimb [Wed, 1 Feb 2023 14:37:21 +0000 (15:37 +0100)]
CMP check_transactionID_or_nonce(): fix reason code on unmatched recipNonce
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20190)
Dr. David von Oheimb [Wed, 1 Feb 2023 14:36:25 +0000 (15:36 +0100)]
ossl_cmp_msg_check_update(): fix two wrong error return values (-1 instead of 0)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20190)
Dr. David von Oheimb [Wed, 1 Feb 2023 14:34:19 +0000 (15:34 +0100)]
test_get_libctx(): prevent crash when called with NULL provider arg
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20190)
Niels Dossche [Wed, 1 Feb 2023 14:06:12 +0000 (15:06 +0100)]
Fix BIO_set_indent() check
This function returns an error code <= 0, but only < 0 is checked. Other
callers that check the return value perform this check correctly. Fix it
by changing the check to <= 0.
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20186)
slontis [Tue, 31 Jan 2023 23:19:02 +0000 (09:19 +1000)]
Add tests for FIPS keygen self test failures.
During key generation RSA, EC and DSA have extra tests that run in FIPS mode.
All 3 algorithms have a pairwise test, EC & DSA also run a KAT test.
This test uses the self test callback to force an error
during each of the extra pairwise and KAT tests.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20183)
ndossche [Thu, 2 Feb 2023 13:02:34 +0000 (14:02 +0100)]
Fix incomplete BIO_dup_state() error check
BIO_dup_state() returns an error code <= 0 according to my analysis tool
and the documentation. Currently only == 0 is checked. Fix it by
changing the check condition.
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20194)
ndossche [Tue, 31 Jan 2023 15:30:26 +0000 (16:30 +0100)]
Fix incomplete check on CMS_SharedInfo_encode
CMS_SharedInfo_encode() can also return a negative error value, but this
is not checked in the current check, only the zero error return value is
covered. A previous PR [1] fixed the other caller's check of
CMS_SharedInfo_encode in this file, but it seems like this place was
missed. Fix it by changing the check to <= 0.
[1] https://github.com/openssl/openssl/pull/12628/commits/a752fc4da5e1dfd5b3a730d95272c2e2b0c48f1a
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20181)
ndossche [Mon, 30 Jan 2023 14:24:01 +0000 (15:24 +0100)]
Fix error check on default_check() helper function
default_check() can return a zero value to indicate an internal error in
one condition for the PRE_CTRL_STR_TO_PARAMS state. This state can be
reached from the default_fixup_args() function which does not check for
a zero value. All other callers of default_check() in that file do check
for a zero return value. Fix it by changing the check to <= 0.
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20175)
Xiaokang Qian [Sun, 29 Jan 2023 06:22:43 +0000 (06:22 +0000)]
Apply aes-gcm unroll8+eor3 optimization patch to Neoverse V2
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20184)
Juergen Christ [Fri, 20 Jan 2023 16:43:59 +0000 (17:43 +0100)]
S390x: Support ME and CRT offloading
S390x has the ability to offload modular exponentiation and CRT operations to
Crypto Express Adapters. This possible performance optimization was not yet
used by OpenSSL. Add support for offloading and implement an optimized
version of RSA and DH with it.
The environment variable OPENSSL_s390xcap now recognizes the token "nocex" to
prevent offloading.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20113)
ndossche [Thu, 2 Feb 2023 15:11:16 +0000 (16:11 +0100)]
Fix incomplete error check on BIO_set_md()
BIO_set_md() can return an error value <= 0 according to my analysis
tool and the documentation. But only an error value == 0 is currently
checked. Fix it by changing the check condition.
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20195)
Dr. David von Oheimb [Mon, 2 Jan 2023 12:05:08 +0000 (13:05 +0100)]
CMS_decrypt_set1_*(): fix NULL deref on unsuitable content type
Fixes #19975
for CMS_decrypt_set1_pkey_and_peer() in the obvious way,
and a related potential crash in CMS_decrypt_set1_password().
The point is that the input might have an unexpected content type,
so a guard is needed at both places after `ec` is obtained.
Note that in CMS_decrypt_set1_pkey_and_peer() there was
no such ec != NULL guard for
```
if (ris != NULL)
    debug = ec->debug;
```
maybe because it is implied here by ris != NULL.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19981)
slontis [Thu, 2 Feb 2023 23:37:51 +0000 (09:37 +1000)]
Add coverage test for ossl_rsa_sp800_56b_derive_params_from_pq
This test runs the error path for the above function.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20200)
Dr. David von Oheimb [Mon, 19 Dec 2022 09:56:50 +0000 (10:56 +0100)]
CMP app and doc: improve texts on (un-)trusted certs, srvCert, etc.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19946)
Oliver Mihatsch [Thu, 2 Feb 2023 11:15:14 +0000 (12:15 +0100)]
New function EC_GROUP_to_params to convert an EC_GROUP to an array of OSSL_PARAM.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20205)
Dr. David von Oheimb [Wed, 30 Nov 2022 20:11:48 +0000 (21:11 +0100)]
check-format.pl: fix statistics on whitespace and nesting issues
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19796)
Dr. David von Oheimb [Wed, 30 Nov 2022 20:12:20 +0000 (21:12 +0100)]
check-format.pl: fix detection of '#ifdef __cplusplus'
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19796)
Dr. David von Oheimb [Wed, 30 Nov 2022 20:07:40 +0000 (21:07 +0100)]
check-format.pl: fix detection of function body start
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19796)
Tomas Mraz [Fri, 11 Nov 2022 15:18:48 +0000 (16:18 +0100)]
Rationalize FIPS sources
Avoid including QUIC related stuff in the FIPS sources.
Also avoid including libssl headers in ssl3_cbc.c.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19658)
slontis [Mon, 6 Feb 2023 04:26:23 +0000 (14:26 +1000)]
Add Tests for RSA_sign_ASN1_OCTET_STRING & RSA_verify_ASN1_OCTET_STRING
Note: Internally RSA_sign_ASN1_OCTET_STRING() is used with
RSA signing only when the digest is MDC2,
and RSA_verify_ASN1_OCTET_STRING() is unused.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20220)
slontis [Tue, 31 Jan 2023 00:50:22 +0000 (10:50 +1000)]
Add more punycode tests and remove ossl_a2ucompare()
The unused and untested internal function ossl_a2ucompare() has been
removed.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20177)
Philippe Antoine [Wed, 25 Jan 2023 14:43:50 +0000 (15:43 +0100)]
fuzz: make post handshake reachable
So that CVE-2021-3449 can be found through fuzzing
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/20128)
Randall S. Becker [Wed, 21 Dec 2022 17:32:32 +0000 (10:32 -0700)]
Document limits on static and dynamic linking for HPE NonStop platforms.
Documentation is necessary as static and dynamic linking cause SIGSEGV
during atexit() processing on the platform.
Fixes: 19951
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19952)
(cherry picked from commit e80518db6d52f9e6faec09df7c25f08a74e8aec2)
besher [Sat, 4 Feb 2023 23:08:14 +0000 (00:08 +0100)]
Fix a potential memory leak in apps/s_server.c
Allocate memory for a new SSL session.
If any of these steps fail,
free the key memory and the tmpsess object
before returning 0 to prevent a memory leak.
Fixes: #20110
CLA: trivial
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20213)
ndossche [Fri, 3 Feb 2023 12:43:03 +0000 (13:43 +0100)]
Fix incomplete error check on BIO_set_accept_name()
BIO_set_accept_name() can return error values -1 and 0 according to
my analysis tool and the documentation. Documentation says a value of 1
indicates success. Currently, only an error value != 0 is checked which
erroneously interprets a -1 error return value as success.
Fix it by changing the check condition.
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20206)