Tomas Mraz [Fri, 21 Jul 2023 15:40:31 +0000 (17:40 +0200)]
When exporting/importing decoded keys do not use 0 as selection
When decoding 0 as the selection means to decode anything
you get.
However when exporting and then importing the key data 0 as
selection is not meaningful.
So we set it to OSSL_KEYMGMT_SELECT_ALL to make the export/import
function export/import everything that we have decoded.
Fixes #21493
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21519)
Tomas Mraz [Fri, 21 Jul 2023 14:26:12 +0000 (16:26 +0200)]
Avoid exporting bogus (empty) data if empty selection is used
This is already correct in the rsa_kmgmt.c but other
implementations are wrong.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21519)
Pauli [Wed, 2 Aug 2023 00:44:47 +0000 (10:44 +1000)]
no_autoload: make the no-autoload-config option work again.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/21621)
Pauli [Wed, 2 Aug 2023 01:36:46 +0000 (11:36 +1000)]
test: skip FIPS config auto loading based tests if feature is disabled
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/21621)
Pauli [Wed, 2 Aug 2023 00:44:37 +0000 (10:44 +1000)]
provider test: don't run configuration based tests if configuration isn't loaded
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/21621)
Pauli [Wed, 2 Aug 2023 00:41:22 +0000 (10:41 +1000)]
PBE test: load providers if auto config load is turned off
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/21621)
Pauli [Wed, 2 Aug 2023 00:40:23 +0000 (10:40 +1000)]
testutil: allow a failure return from setup_tests that doesn't print help
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/21621)
Pauli [Tue, 25 Jul 2023 02:06:45 +0000 (12:06 +1000)]
quic: using #defined constant rather than a magic number
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21429)
Pauli [Thu, 20 Jul 2023 02:40:49 +0000 (12:40 +1000)]
quic compliance: 10.2.3 dropping instead of closing
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21429)
Pauli [Wed, 19 Jul 2023 07:00:04 +0000 (17:00 +1000)]
Fix type/legacy name
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21429)
Pauli [Wed, 19 Jul 2023 04:47:13 +0000 (14:47 +1000)]
quic conformance: add comment about section 10.2.3 conformance
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21429)
Pauli [Tue, 18 Jul 2023 03:03:30 +0000 (13:03 +1000)]
trivial code nit
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21429)
Pauli [Tue, 18 Jul 2023 01:37:14 +0000 (11:37 +1000)]
quic conformance: 10.2.1 rate limiting
Implement the two requirements about limiting closing transmission size to
no more than thrice the received size.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21429)
Pauli [Mon, 17 Jul 2023 01:32:58 +0000 (11:32 +1000)]
quic conformance: section 10.2.2 requirements
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21429)
Pauli [Mon, 17 Jul 2023 01:11:58 +0000 (11:11 +1000)]
quic conformance: section 10.2.1 requirements
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21429)
Pauli [Mon, 17 Jul 2023 01:06:35 +0000 (11:06 +1000)]
quic: use the safe fused multiply divide instead of a safe multiply then a normal division
This should extend the range of possible results.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21429)
Pauli [Thu, 13 Jul 2023 04:26:26 +0000 (14:26 +1000)]
Add note about RFC 9000 10.2 persist time
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21429)
Pauli [Mon, 26 Jun 2023 09:31:20 +0000 (19:31 +1000)]
document RRFC9000 10.1 MUST requirement
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21429)
Pauli [Thu, 13 Jul 2023 03:43:46 +0000 (13:43 +1000)]
Note RFC 9000 19.19 requirement
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21429)
Frederik Wedel-Heinen [Wed, 2 Aug 2023 12:49:17 +0000 (14:49 +0200)]
Resolves some magic values that has a hello_retry_request enum type.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21636)
Hugo Landau [Thu, 3 Aug 2023 08:17:36 +0000 (09:17 +0100)]
QUIC: Fix incompatible merges causing CI breakage
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/21641)
Dr. David von Oheimb [Thu, 27 Jul 2023 18:03:16 +0000 (20:03 +0200)]
crypto/cmp: fix clash of OSSL_CMP_CERTREQID_NONE with error result of ossl_cmp_asn1_get_int()
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21579)
Wo'O Ideafarm [Tue, 1 Aug 2023 17:47:16 +0000 (10:47 -0700)]
formatting: shift one space to right
per request.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21595)
Wo'O Ideafarm [Fri, 28 Jul 2023 18:45:31 +0000 (11:45 -0700)]
trivial change: optionally suppress include lines
CLA: trivial
Code that includes applink.c can now define APPLINK_NO_INCLUDES to suppress the include preprocessor lines in that file. This might be needed if, for example, applink.c is being included into a source file that will be compiled to reference a C library built using different calling conventions. (Example: Open Watcom.)
This pull request is intended to replace an identical pull request that I screwed up.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21595)
Tianjia Zhang [Tue, 1 Aug 2023 06:21:02 +0000 (14:21 +0800)]
Fix typo in function name
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21608)
Matt Caswell [Tue, 1 Aug 2023 11:22:58 +0000 (12:22 +0100)]
Add support into qtest_shutdown for blocking mode
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21591)
Matt Caswell [Fri, 28 Jul 2023 14:32:57 +0000 (15:32 +0100)]
Extend the test_quic_write_read() test to include resumption
We add an additional loop around test_quic_write_read() to repeat the
test but using a session obtained from the initial iteration to confirm
that we can successfully resume the session.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21591)
Matt Caswell [Fri, 28 Jul 2023 15:04:14 +0000 (16:04 +0100)]
Ensure the QUIC TLS SSL object is marked as shutdown
If we shutdown the QUIC connection then we should mark the underlying
TLS SSL object as shutdown as well. Otherwise any sessions are considered
unusable for resumption.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21591)
Matt Caswell [Fri, 28 Jul 2023 08:22:38 +0000 (09:22 +0100)]
Add the ability for tserver to use a pre-existing SSL_CTX
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21591)
Matt Caswell [Thu, 27 Jul 2023 12:48:02 +0000 (13:48 +0100)]
Keep doing ossl_quic_tls_tick() even after handshake completion
There may be post-handshake messages to process so make sure we keep
ticking things even if the handshake has finished. We do this simply by
calling SSL_read(). There should never be app data to read but we will
process any handshake records we encounter.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21591)
Matt Caswell [Thu, 27 Jul 2023 14:33:04 +0000 (15:33 +0100)]
Correctly keep track of where we are in the quicserver request buffer
If the request comes in in multiple chunks properly keep tract of where
we are.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21578)
Matt Caswell [Thu, 27 Jul 2023 14:30:17 +0000 (15:30 +0100)]
Ensure SSL_has_pending() always works even before a connection
s_client calls SSL_has_pending() even before the connection has been
established. We expect it to return 0 in this case and not put any errors
on the stack.
We change things so that SSL_has_pending() always returns 0 if there is
no stream available.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21578)
Matt Caswell [Thu, 27 Jul 2023 13:27:17 +0000 (14:27 +0100)]
Still advance handshake even on an empty write
A call to SSL_write() with a zero length buffer should still advance the
handshake. Applications (including s_client) may rely on this.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21578)
Matt Caswell [Wed, 5 Jul 2023 14:10:17 +0000 (15:10 +0100)]
Add a QUIC test for back pressure
Check that if one endpoint is sending data faster than its peer can handle
then we eventually see back pressure.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21368)
Matt Caswell [Mon, 31 Jul 2023 11:56:47 +0000 (12:56 +0100)]
Add a test for PEM_read_bio_Parameters()
We must not ask for a password when attempting to read parameters.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21603)
Matt Caswell [Mon, 31 Jul 2023 11:32:16 +0000 (12:32 +0100)]
The PEM_read_bio_Parameters() function should not ask for a password
The PEM_read_bio_Parameters[_ex] function does not have the capability
of specifying a password callback. We should not use the fallback password
callback in this case because it will attempt to send a prompt for the
password which might not be the correct thing to do. We should just not
use a password in that case.
Fixes #21588
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21603)
Matt Caswell [Mon, 31 Jul 2023 11:30:34 +0000 (12:30 +0100)]
Always add a suitable error if we fail to decode
We're always supposed to add the fallback "unsupported" error if we don't
have anything better. However in some cases this wasn't happening because
we were incorrectly setting "flag_construct_called" - even though the
construct function had failed.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21603)
Matt Caswell [Mon, 31 Jul 2023 11:28:37 +0000 (12:28 +0100)]
Don't add the msblob/pvk decoders if they're not suitable
msblob only decodes public/private keys (not just params).
pvk only decodes private keys.
If the requested selection doesn't intersect with the above then don't
consider those decoders.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21603)
zhuchen [Mon, 24 Jul 2023 08:03:29 +0000 (16:03 +0800)]
Fixed incorrect usage of vshuf.b instruction
In the definition of the latest revised LoongArch64 vector instruction manual,
it is clearly pointed out that the undefined upper three bits of each byte in
the control register of the vshuf.b instruction should not be used, otherwise
uncertain results may be obtained. Therefore, it is necessary to correct the
use of the vshuf.b instruction in the existing vpaes-loongarch64.pl code to
avoid erroneous calculation results in future LoongArch64 processors.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21530)
Xi Ruoyao [Thu, 20 Jul 2023 23:59:07 +0000 (07:59 +0800)]
Add system guessing for linux64-loongarch64 target
Now the default is linux-generic32, it's not good for loongarch64.
We can also test if the assembler supports vector instructions here and
disable asm if not.
Closes #21340.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21510)
Ingo Franzki [Wed, 19 Jul 2023 08:49:44 +0000 (10:49 +0200)]
speed: Unify output messages regarding number of ops per time
Always report "<algo> ops in <time>", instead of "<algo>'s in <time>" or
similar. Avoid the use of apostrophes and/or plural with algorithm names.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21383)
Ingo Franzki [Tue, 20 Jun 2023 11:40:41 +0000 (13:40 +0200)]
speed: Also measure RSA encrypt/decrypt, not only RSA sign/verify
While RSA encrypt/decrypt and sign/verify are basically the same mod-expo
operations, the speed of the operation may still differ, due to different
padding, as well as the use of implicit rejection for RSA decrypt.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21383)
Matt Caswell [Thu, 27 Jul 2023 11:09:47 +0000 (12:09 +0100)]
Fix a regression in X509_VERIFY_PARAM_add0_policy()
Also fixes a similar regression in X509_VERIFY_PARAM_add0_table().
Commit
38ebfc3 introduced a regression in 3.0.6 that changed the return
value of the two functions above from 1 on success to the number of entries
in the stack. If there are more than one entry then this is a change in
behaviour which should not have been introduced into a stable release.
This reverts the behaviour back to what it was prior to the change. The code
is slightly different to the original code in that we also handle a possible
-1 return value from the stack push function. This should never happen in
reality because we never pass a NULL stack as a parameter - but for the sake
of robustness we handle it anyway.
Note that the changed behaviour exists in all versions of 3.1 (it never had
the original version). But 3.1 should be fully backwards compatible with 3.0
so we should change it there too.
Fixes #21570
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/21576)
Hugo Landau [Mon, 24 Jul 2023 17:11:23 +0000 (18:11 +0100)]
QUIC: Automatically drain non-concluded streams, bugfixes
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21484)
Hugo Landau [Tue, 18 Jul 2023 15:39:32 +0000 (16:39 +0100)]
QUIC APL: Mask API operations when in shutdown flush
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21484)
Hugo Landau [Tue, 18 Jul 2023 15:18:33 +0000 (16:18 +0100)]
QUIC MULTISTREAM TEST: Shutdown flush test
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21484)
Hugo Landau [Tue, 18 Jul 2023 15:17:55 +0000 (16:17 +0100)]
QUIC MULTISTREAM TEST: Better failure logging with failing script ID
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21484)
Hugo Landau [Tue, 18 Jul 2023 15:15:49 +0000 (16:15 +0100)]
QUIC APL: Shutdown Stream Flush Functionality
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21484)
Hugo Landau [Tue, 18 Jul 2023 15:15:15 +0000 (16:15 +0100)]
QUIC TXP: Fix bug relating to STREAM FIN generation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21484)
Hugo Landau [Tue, 18 Jul 2023 15:14:54 +0000 (16:14 +0100)]
QUIC APL: Ensure tick inhibition is not used during blocking
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21484)
Hugo Landau [Tue, 18 Jul 2023 15:14:05 +0000 (16:14 +0100)]
QUIC TSERVER: Allow reading from a stream after connection termination
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21484)
Hugo Landau [Tue, 18 Jul 2023 15:13:25 +0000 (16:13 +0100)]
QUIC QSM: Infrastructure for tracking shutdown flush eligible streams
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21484)
Hugo Landau [Tue, 18 Jul 2023 15:12:44 +0000 (16:12 +0100)]
QUIC APL: Add internal call to allow changing send buffer size
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21484)
Hugo Landau [Tue, 18 Jul 2023 15:12:04 +0000 (16:12 +0100)]
QUIC CHANNEL: Allow ticking to be inhibited for testing purposes
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21484)
Dmitry Belyavskiy [Fri, 28 Jul 2023 09:56:17 +0000 (11:56 +0200)]
Update GOST engine commit to deal with test failure
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21586)
Frederik Wedel-Heinen [Thu, 27 Jul 2023 09:28:33 +0000 (11:28 +0200)]
Removes unused parameter 'sending' from derive_secret_key_and_iv()
Fixes #21569
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21569)
Xi Ruoyao [Fri, 21 Jul 2023 02:07:04 +0000 (02:07 +0000)]
vpaes: LoongArch: Use getauxval(AT_HWCAP) for LSX detection
Running LSX instructions requires both the hardware support and the
kernel support. The `cpucfg` instruction only tests the hardware
support, causing a SIGILL if the hardware supports LSX but the kernel
does not.
Use `getauxval(AT_HWCAP)` as the ["Software Development and Build
Convention for LoongArch Architectures"][1] manual suggests.
The LOONGARCH_HWCAP_LSX and LOONGARCH_HWCAP_LASX bits are copied from
the manual too. In Glibc 2.38 they'll be provided by <sys/auxv.h> as
well, but they are unavailable in earlier Glibc versions so we cannot
rely on it.
The getauxval syscall and Glibc wrapper are available since day one
(Linux-5.19 and Glibc-2.36) for LoongArch.
Fixes #21508.
[1]:https://github.com/loongson/la-softdev-convention/blob/master/la-softdev-convention.adoc#kernel-constraints
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21509)
John Kohl [Wed, 26 Jul 2023 12:41:31 +0000 (08:41 -0400)]
fix compile error (SIZE_MAX not found) on HP-UX
Fixes #21554
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21562)
atishkov [Tue, 25 Jul 2023 09:25:57 +0000 (12:25 +0300)]
x509/by_file.c: fix unreachable and redundant code
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21545)
Fatih Arslan Tugay [Mon, 24 Jul 2023 12:34:08 +0000 (15:34 +0300)]
Correct spelling of database
Apply normal sentence case to db update message
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21535)
John Kohl [Wed, 26 Jul 2023 12:16:54 +0000 (08:16 -0400)]
Include <openssl/err.h> in include/refcount.h
Fixes #21555
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21561)
Tomas Mraz [Tue, 25 Jul 2023 13:35:34 +0000 (15:35 +0200)]
Add CHANGES.md and NEWS.md entries for CVE-2023-3817
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21550)
Tomas Mraz [Tue, 25 Jul 2023 13:23:43 +0000 (15:23 +0200)]
dhtest.c: Add test of DH_check() with q = p + 1
This must fail with DH_CHECK_INVALID_Q_VALUE and
with DH_CHECK_Q_NOT_PRIME unset.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21550)
Tomas Mraz [Tue, 25 Jul 2023 13:22:48 +0000 (15:22 +0200)]
DH_check(): Do not try checking q properties if it is obviously invalid
If |q| >= |p| then the q value is obviously wrong as q
is supposed to be a prime divisor of p-1.
We check if p is overly large so this added test implies that
q is not large either when performing subsequent tests using that
q value.
Otherwise if it is too large these additional checks of the q value
such as the primality test can then trigger DoS by doing overly long
computations.
Fixes CVE-2023-3817
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21550)
Bernd Edlinger [Sun, 23 Jul 2023 12:27:54 +0000 (14:27 +0200)]
Make DH_check set some error bits in recently added error
The pre-existing error cases where DH_check returned zero
are not related to the dh params in any way, but are only
triggered by out-of-memory errors, therefore having *ret
set to zero feels right, but since the new error case is
triggered by too large p values that is something different.
On the other hand some callers of this function might not
be prepared to handle the return value correctly but only
rely on *ret. Therefore we set some error bits in *ret as
additional safety measure.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21524)
atishkov [Fri, 21 Jul 2023 08:36:37 +0000 (11:36 +0300)]
get_cert_by_subject_ex(): Check result of X509_STORE_lock()
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21515)
MrRurikov [Thu, 29 Jun 2023 14:06:08 +0000 (17:06 +0300)]
bio_print.c: Delete unreachable code at lines 710 and 711
CLA: trivial
The purpose of adding the conditional operator on line 710 is to check
if the value of the variable 'fplace' exceeds the size of the array
'fconvert', and to reduce the value of 'fplace' by 1, so that later on
we can set the value to zero of the array element with the index 'fplace'
and not make any calls beyond the array edges.
However, the condition on line 710 will always be false, because
the size of 'fconvert' is strictly specified at the beginning of
the 'fmtfp()' function (line 571), so it is reasonable to remove
this conditional operator, as well as the unreachable decrementation
code of the variable 'fplace'.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21325)
Frederik Wedel-Heinen [Wed, 28 Jun 2023 12:40:05 +0000 (14:40 +0200)]
Adds separate configuration targets for intel i386/x86_64 and arm64 ios simulators
Fixes #21287
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21309)
atishkov [Thu, 20 Jul 2023 08:02:38 +0000 (11:02 +0300)]
x509: add ASN1_STRING_set() check result
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21497)
Hugo Landau [Fri, 21 Jul 2023 06:57:51 +0000 (07:57 +0100)]
QUIC TXP: Add extra test
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21513)
Bernd Edlinger [Fri, 21 Jul 2023 05:34:39 +0000 (07:34 +0200)]
Fix error handling in pipelining test
When an early error happens in the test_pipelining
function and idx == 5 the error handling would try
to call OPENSSL_free(msg), but msg is at that time
just a string constant in read-only memory, so a
crash would be the result. Fixed that by using
fragsize as an indication when to free msg.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21512)
Adam Šulc [Thu, 20 Jul 2023 19:30:45 +0000 (21:30 +0200)]
fix: reject adding a duplicity into STACK_OF(X509_ATTRIBUTE)
Function `X509at_add1_attr()` (crypto/x509/x509_att.c) rejects to add a duplicity into `*x` but it searches in a wrong stack.
Changed to search in `*x`.
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21505)
Marco Abbadini [Thu, 20 Jul 2023 15:07:19 +0000 (17:07 +0200)]
fix clang-6,7,8 strict build
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21501)
Tom Cosgrove [Wed, 19 Jul 2023 11:59:36 +0000 (12:59 +0100)]
Fix build when configured with -DOPENSSL_USE_IPV6=0
Change-Id: I57723835b0a7d20609d8c4ed2988123f975a927d
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21495)
Hugo Landau [Thu, 13 Jul 2023 10:41:26 +0000 (11:41 +0100)]
QUIC TXP: Generate forced PINGs correctly
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21458)
Hugo Landau [Thu, 13 Jul 2023 10:36:24 +0000 (11:36 +0100)]
QUIC TXP: Refactor TXP-related deadline handling into TXP
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21458)
Hugo Landau [Thu, 13 Jul 2023 10:22:41 +0000 (11:22 +0100)]
QUIC TXP: Update tests for refactor
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21458)
Hugo Landau [Thu, 13 Jul 2023 10:22:14 +0000 (11:22 +0100)]
QUIC TXP: Major refactor to handle padding correctly
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21458)
Hugo Landau [Wed, 12 Jul 2023 19:12:07 +0000 (20:12 +0100)]
QUIC QTX: Add ciphertext size calculation function
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21458)
Hugo Landau [Tue, 11 Jul 2023 14:30:46 +0000 (15:30 +0100)]
QUIC TXP: Test packet size boundary cases
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21458)
sdlyyxy [Sat, 15 Jul 2023 15:26:05 +0000 (23:26 +0800)]
Update with `ARMV8_HAVE_SHA3_AND_WORTH_USING`
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21398)
sdlyyxy [Fri, 14 Jul 2023 09:10:43 +0000 (17:10 +0800)]
Move CPU detection to armcap.c
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21398)
sdlyyxy [Fri, 7 Jul 2023 11:26:10 +0000 (19:26 +0800)]
Enable ARMv8.2 accelerated SHA3 on compatible Apple CPUs
The hardware-assisted ARMv8.2 implementation is already in keccak1600-armv8.pl.
It is not called because the author mentioned that it's not actually obvious
that it will provide performance improvements. The test on Apple M1 Firestorm
shows that the ARMv8.2 implementation could improve about 36% for large blocks.
So let's enable ARMv8.2 accelerated SHA3 on Apple CPU family.
Fixes #21380
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21398)
Ingo Franzki [Wed, 19 Jul 2023 13:24:49 +0000 (15:24 +0200)]
speed: Fix execution of EdDSA measurement
Running 'openssl speed eddsa' fails with
Doing 253 bits sign
Ed25519 ops for 10s: EdDSA sign failure
000003FF9306C7D0:error:
030000BC:digital envelope routines:EVP_DigestSign:
final error:crypto/evp/m_sigver.c:585:
-1 253 bits
Ed25519 sign ops in 0.00s
Doing 253 bits verify
Ed25519 ops for 10s: EdDSA verify failure
000003FF9306C7D0:error:
030000BC:digital envelope routines:EVP_DigestVerify:
final error:crypto/evp/m_sigver.c:694:
-1 253 bits
Ed25519 verify ops in 0.00s
This is because the EVP_DigestSign/Verify() calls in the EdDSA_sign/verify_loop()
fail because the context has already been finalized by the previous
EVP_DigestSign/Verify call during the EdDSA signature test done by speed_main().
This happens since commit
3fc2b7d6b8f961144905330dfd4689f5bd515199 where the
EVP_DigestSign/Verify() functions have been changed to set a flag that the
context has been finalized.
Fix this by re-initializing the context using EVP_DigestSign/Verify() in the
EdDSA_sign/verify_loop().
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21491)
Ingo Franzki [Wed, 19 Jul 2023 12:59:16 +0000 (14:59 +0200)]
speed: Fix memory leak
Free the signature stack after iterating over all found signatures.
Free the kem and signature stacks at the end of speed_main() if not
NULL.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21491)
Samuel Lee [Wed, 19 Jul 2023 18:04:12 +0000 (11:04 -0700)]
Fix documentation around AAD and return values in EVP_Cipher*
Fixes #21485
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21494)
Pauli [Mon, 17 Apr 2023 03:26:39 +0000 (13:26 +1000)]
Connection ID processing
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20749)
atishkov [Mon, 17 Jul 2023 10:10:44 +0000 (13:10 +0300)]
apps/cms.c: Fix unreachable code in cms_main()
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21474)
Matt Caswell [Thu, 13 Jul 2023 15:14:49 +0000 (16:14 +0100)]
Update CHANGES/NEWS for CVE-2023-3446
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21451)
Matt Caswell [Fri, 7 Jul 2023 13:39:48 +0000 (14:39 +0100)]
Add a test for CVE-2023-3446
Confirm that the only errors DH_check() finds with DH parameters with an
excessively long modulus is that the modulus is too large. We should not
be performing time consuming checks using that modulus.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21451)
Matt Caswell [Thu, 6 Jul 2023 15:36:35 +0000 (16:36 +0100)]
Fix DH_check() excessive time with over sized modulus
The DH_check() function checks numerous aspects of the key or parameters
that have been supplied. Some of those checks use the supplied modulus
value even if it is excessively large.
There is already a maximum DH modulus size (10,000 bits) over which
OpenSSL will not generate or derive keys. DH_check() will however still
perform various tests for validity on such a large modulus. We introduce a
new maximum (32,768) over which DH_check() will just fail.
An application that calls DH_check() and supplies a key or parameters
obtained from an untrusted source could be vulnerable to a Denial of
Service attack.
The function DH_check() is itself called by a number of other OpenSSL
functions. An application calling any of those other functions may
similarly be affected. The other functions affected by this are
DH_check_ex() and EVP_PKEY_param_check().
CVE-2023-3446
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21451)
Hugo Landau [Mon, 3 Jul 2023 15:41:51 +0000 (16:41 +0100)]
Fixup tests
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21349)
Hugo Landau [Mon, 3 Jul 2023 14:45:25 +0000 (15:45 +0100)]
QUIC TXP: Handle non-inflight-eligible packets correctly
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21349)
Hugo Landau [Mon, 3 Jul 2023 14:45:25 +0000 (15:45 +0100)]
QUIC ACKM: Don't record non-inflight packets in CC
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21349)
Hugo Landau [Mon, 3 Jul 2023 14:45:25 +0000 (15:45 +0100)]
QUIC TXP: Do not generate full-size packets when sending CC-excess probes
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21349)
Hugo Landau [Mon, 3 Jul 2023 14:45:25 +0000 (15:45 +0100)]
QUIC ACKM: RFC 9000 s. 13.2.1: max_ack_delay taken as 0 in INITIAL/HANDSHAKE
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21349)
Hugo Landau [Mon, 3 Jul 2023 14:45:25 +0000 (15:45 +0100)]
QUIC CHANNEL: Initialise max_ack_delay values properly
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21349)
Hugo Landau [Mon, 3 Jul 2023 14:45:25 +0000 (15:45 +0100)]
QUIC ACKM: Clean up max_ack_delay tracking and separate TX and RX values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21349)
Hugo Landau [Mon, 3 Jul 2023 14:45:25 +0000 (15:45 +0100)]
QUIC STATM: Move max_ack_delay tracking out of STATM
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21349)
Pauli [Mon, 26 Jun 2023 09:30:51 +0000 (19:30 +1000)]
remove duplicate defines, add comment
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21441)