Tomas Mraz [Fri, 13 Jan 2023 17:46:15 +0000 (18:46 +0100)]
Add test for DSA pubkey without param import and check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Tomas Mraz [Fri, 13 Jan 2023 16:59:52 +0000 (17:59 +0100)]
Do not create DSA keys without parameters by decoder
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Tomas Mraz [Fri, 13 Jan 2023 16:57:59 +0000 (17:57 +0100)]
Prevent creating DSA and DH keys without parameters through import
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
slontis [Wed, 11 Jan 2023 01:05:04 +0000 (11:05 +1000)]
Fix NULL deference when validating FFC public key.
Fixes CVE-2023-0217
When attempting to do a BN_Copy of params->p there was no NULL check.
Since BN_copy does not check for NULL this is a NULL reference.
As an aside BN_cmp() does do a NULL check, so there are other checks
that fail because a NULL is passed. A more general check for NULL params
has been added for both FFC public and private key validation instead.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Tomas Mraz [Mon, 16 Jan 2023 18:56:20 +0000 (19:56 +0100)]
Add test for d2i_PKCS7 NULL dereference
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Tomas Mraz [Mon, 16 Jan 2023 18:45:23 +0000 (19:45 +0100)]
Do not dereference PKCS7 object data if not set
Fixes CVE-2023-0216
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Matt Caswell [Wed, 14 Dec 2022 17:15:18 +0000 (17:15 +0000)]
Check CMS failure during BIO setup with -stream is handled correctly
Test for the issue fixed in the previous commit
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Wed, 14 Dec 2022 16:18:14 +0000 (16:18 +0000)]
Fix a UAF resulting from a bug in BIO_new_NDEF
If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
be part of an invalid BIO chain. This causes a "use after free" when the
BIO is eventually freed.
Based on an original patch by Viktor Dukhovni and an idea from Theo
Buehler.
Thanks to Octavio Galland for reporting this issue.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Tue, 13 Dec 2022 15:02:26 +0000 (15:02 +0000)]
Add a test for CVE-2022-4450
Call PEM_read_bio_ex() and expect a failure. There should be no dangling
ptrs and therefore there should be no double free if we free the ptrs on
error.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Tue, 13 Dec 2022 14:54:55 +0000 (14:54 +0000)]
Avoid dangling ptrs in header and data params for PEM_read_bio_ex
In the event of a failure in PEM_read_bio_ex() we free the buffers we
allocated for the header and data buffers. However we were not clearing
the ptrs stored in *header and *data. Since, on success, the caller is
responsible for freeing these ptrs this can potentially lead to a double
free if the caller frees them even on failure.
Thanks to Dawei Wang for reporting this issue.
Based on a proposed patch by Kurt Roeckx.
CVE-2022-4450
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Dmitry Belyavskiy [Wed, 30 Nov 2022 13:48:40 +0000 (14:48 +0100)]
Fix Timing Oracle in RSA decryption
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA
padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
Patch written by Dmitry Belyavsky and Hubert Kario
CVE-2022-4304
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Tomas Mraz [Tue, 13 Dec 2022 18:45:09 +0000 (19:45 +0100)]
Add testcase for nc_match_single type confusion
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Viktor Dukhovni [Tue, 13 Dec 2022 07:49:13 +0000 (08:49 +0100)]
Fix type confusion in nc_match_single()
This function assumes that if the "gen" is an OtherName, then the "base"
is a rfc822Name constraint. This assumption is not true in all cases.
If the end-entity certificate contains an OtherName SAN of any type besides
SmtpUtf8Mailbox and the CA certificate contains a name constraint of
OtherName (of any type), then "nc_email_eai" will be invoked, with the
OTHERNAME "base" being incorrectly interpreted as a ASN1_IA5STRING.
Reported by Corey Bonnell from Digicert.
CVE-2022-4203
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Xu Yizhou [Fri, 3 Feb 2023 07:59:59 +0000 (15:59 +0800)]
Fix SM4-XTS build failure on Mac mini M1
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20202)
Viktor Dukhovni [Fri, 3 Feb 2023 01:29:33 +0000 (20:29 -0500)]
Fix typo in Ordinals.pm from PR #14074
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20201)
Dr. David von Oheimb [Fri, 27 Jan 2023 13:31:45 +0000 (14:31 +0100)]
APPS/{storeutl,gendsa}: give error on extra arguments, improve doc
Point out that options must be given before the final file/URI arg.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20156)
Dr. David von Oheimb [Mon, 16 Jan 2023 18:38:01 +0000 (19:38 +0100)]
APPS load_key_certs_crls(): improve diagnostics on not finding expected types of contents
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20156)
Xu Yizhou [Wed, 18 Jan 2023 01:55:02 +0000 (09:55 +0800)]
SM4 AESE optimization for ARMv8
Signed-off-by: Xu Yizhou <xuyizhou1@huawei.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19914)
ndossche [Tue, 31 Jan 2023 12:20:17 +0000 (13:20 +0100)]
Fix incomplete check on EVP_CIPHER_param_to_asn1()
That function is a wrapper around evp_cipher_param_to_asn1_ex() which
can return 0 as an error value via its ret <= 0 check [1].
Furthermore, all other callers of this function check against <= 0
instead of < 0 and this is also in line with what the documentation
tells us. Fix the incomplete check by changing it to <= 0 as well.
CLA: trivial
[1] https://github.com/openssl/openssl/blob/
114d99b46bfb212ffc510865df317ca2c1542623/crypto/evp/evp_lib.c#L164-L165
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20180)
Richard Levitte [Mon, 30 Jan 2023 12:54:01 +0000 (13:54 +0100)]
Use $config{build_file} instead of $target{build_file}
If the user specifies an alternative build file than the default, this
alternative is recorded in $config{build_file}, not $target{build_file}.
Therefore, the former should be used, leaving the latter as a mere default.
This is a bug. While fixing it, document it better too.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20173)
Ruili Fang [Sun, 29 Jan 2023 04:48:24 +0000 (23:48 -0500)]
Fix a potential memory leak in crypto/provider_child.c
Fix issue #20063.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20163)
Andrea Pappacoda [Mon, 30 Jan 2023 09:28:49 +0000 (10:28 +0100)]
BIO_read.pod: fix small typo
Add missing `I` to `<b>`
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20169)
Matt Caswell [Fri, 9 Dec 2022 17:01:01 +0000 (17:01 +0000)]
Design for the Fault Injector
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19877)
Tomas Mraz [Fri, 27 Jan 2023 09:25:10 +0000 (10:25 +0100)]
Do not include sparse_array.o in libssl with no-shared
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20137)
Tomas Mraz [Wed, 25 Jan 2023 15:32:02 +0000 (16:32 +0100)]
Avoid duplicating symbols in legacy.a with some build options
If no-module or no-shared is used, the symbols from
libcrypto should not be duplicated in legacy.a
Also the BIGNUM functions are currently not needed
in legacy.a at all.
Fixes #20124
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20137)
Nicola Tuveri [Tue, 13 Dec 2022 23:55:49 +0000 (01:55 +0200)]
[doc] Sync documentation now that 3.0 honors OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT
https://github.com/openssl/openssl/pull/19901 backported the
"Honor OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT as set and default to
UNCOMPRESSED" changeset to 3.0.
This commit updates:
- the HISTORY notes of the relevant documentation to mark the change
happened since 3.0.8.
- the `CHANGES.md file` to sync up with the tip of the `openssl-3.0`
branch
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20003)
ndossche [Fri, 27 Jan 2023 14:43:42 +0000 (15:43 +0100)]
Fix incomplete check on X509V3_add1_i2d()
X509V3_add1_i2d() can return both -1 and 0 as an error code. This check
only checked for 0. Change it into <= 0 to also catch the -1 error code.
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20157)
Tomas Mraz [Tue, 6 Dec 2022 09:52:47 +0000 (10:52 +0100)]
Workaround crash in atexit on NonStop platforms
We cannot dynamically load the legacy provider into an application
that is linked statically to libcrypto as this causes
a double loading of libcrypto (one static and one dynamic) and
on NonStop this leads to a segfault in atexit().
Fixes #17537
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19844)
slontis [Fri, 27 Jan 2023 03:18:17 +0000 (13:18 +1000)]
ChaCha20-Poly1305 no longer supports truncated IV's.
Fixes #20084
In the 3.0 provider implementation the generic code that handles IV's
only allows a 12 byte IV. Older code intentionally added the ability for
the IV to be truncated.
As this truncation is unsafe, the documentation has been updated to
state that this in no longer allowed. The code has been updated to
produce an error when the iv length is set to any value other than 12.
NOTE: It appears that this additional padding may have originated from the code
which uses a 12 byte IV, that is then passed to CHACHA which zero pads it to 16 bytes.
Note that legacy behaviour in e_chacha20_poly1305.c has not been
updated.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20151)
Hugo Landau [Thu, 26 Jan 2023 13:30:38 +0000 (13:30 +0000)]
QUIC Probes Support: Minor tweaks
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19925)
Hugo Landau [Fri, 16 Dec 2022 10:57:11 +0000 (10:57 +0000)]
QUIC TXP: Allow TXP to generate probes
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19925)
Hugo Landau [Fri, 16 Dec 2022 10:53:02 +0000 (10:53 +0000)]
QUIC ACKM: Rework probe reporting to allow use for bookkeeping
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19925)
Hugo Landau [Fri, 16 Dec 2022 10:11:10 +0000 (10:11 +0000)]
QUIC ACKM: Clarify probe types
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19925)
Steffen Nurpmeso [Thu, 19 Jan 2023 21:04:46 +0000 (22:04 +0100)]
SSL_conf_cmd: add support for IgnoreUnexpectedEOF
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20089)
Tom Cosgrove [Wed, 25 Jan 2023 19:34:25 +0000 (19:34 +0000)]
Enable AES optimisation on Apple Silicon M2-based systems
Gives a performance enhancement of 16-38%, similar to the M1.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20141)
Pauli [Wed, 25 Jan 2023 01:06:23 +0000 (12:06 +1100)]
coverity
1520506: error handling
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20132)
Pauli [Wed, 25 Jan 2023 01:06:09 +0000 (12:06 +1100)]
coverity
1520505: error handling
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20132)
Tomas Mraz [Mon, 16 Jan 2023 11:26:20 +0000 (12:26 +0100)]
compute_pqueue_growth(): Fix the return type
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20012)
Tomas Mraz [Mon, 9 Jan 2023 17:39:50 +0000 (18:39 +0100)]
Implement BIO_s_dgram_mem() reusing the BIO_s_dgram_pair() code
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20012)
Tomas Mraz [Mon, 9 Jan 2023 17:03:07 +0000 (18:03 +0100)]
Revert "Give BIO_s_mem() the ability to support datagrams"
This reverts commit
5a4ba72f00f9b336a4d65abff822699ceb9617c6.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20012)
Hugo Landau [Thu, 26 Jan 2023 13:24:35 +0000 (13:24 +0000)]
QUIC FIN Support: Documentation fixups
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19897)
Hugo Landau [Tue, 24 Jan 2023 10:34:00 +0000 (10:34 +0000)]
QUIC FIN Support: Various fixes
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19897)
Hugo Landau [Thu, 5 Jan 2023 10:51:14 +0000 (10:51 +0000)]
QUIC TSERVER: Fix probable nondeterminism in some OS network stacks
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19897)
Hugo Landau [Thu, 5 Jan 2023 08:35:07 +0000 (08:35 +0000)]
QUIC: Add documentation for stream and connection shutdown functions
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19897)
Hugo Landau [Tue, 13 Dec 2022 12:29:23 +0000 (12:29 +0000)]
QUIC Test Server: Exercise end-of-stream condition on read and write
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19897)
Hugo Landau [Tue, 13 Dec 2022 12:28:54 +0000 (12:28 +0000)]
QUIC Front End I/O API: Add support for signalling and detecting end-of-stream
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19897)
Hugo Landau [Tue, 13 Dec 2022 12:27:43 +0000 (12:27 +0000)]
QUIC TXP: Fix handling of FIN stream chunks
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19897)
Hugo Landau [Tue, 13 Dec 2022 12:27:05 +0000 (12:27 +0000)]
QUIC: Refine SSL_shutdown and begin to implement SSL_shutdown_ex
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19897)
Tomas Mraz [Wed, 25 Jan 2023 09:15:05 +0000 (10:15 +0100)]
Add notes about ignoring initialization failures on contexts
Fixes #20130
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20136)
slontis [Wed, 25 Jan 2023 01:06:34 +0000 (11:06 +1000)]
Document that the RSA e value is mandatory when importing.
The lab tried doing a RSA decryption primitive using just n (using p, q) and d.
This failed for 2 reasons:
(1) e is required when importing
(2) Internally e is used for blinding.
Note n and e can be calculated using:
n = pq
e = (1/d) mod (p-1)(q-1)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20133)
Pauli [Tue, 24 Jan 2023 01:23:37 +0000 (12:23 +1100)]
Fix Coverity
1520485: logically dead code
The check is unnecessary as the condition is already checked
before the switch statement.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20121)
Christoph Müllner [Wed, 25 Jan 2023 16:48:41 +0000 (17:48 +0100)]
Revert "CI: cross-compile: riscv: Add RV64 machine with Zb* and Zk*"
This reverts commit
e787c57c538d0922004e49a10be0d403af773272.
The current CI host system is Ubuntu 22.04, which ships with QEMU 6.2.
This QEMU release is too old for the required RISC-V extensions.
We would need at least QEMU 7.1 (Aug 2022) for this patch.
Let's revert the patch.
Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20139)
Viktor Dukhovni [Tue, 24 Jan 2023 13:40:57 +0000 (14:40 +0100)]
Clarify the change of enc -S behavior in 3.0
Fixes #19730
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19732)
Dr. David von Oheimb [Wed, 21 Dec 2022 13:16:33 +0000 (14:16 +0100)]
rename 90-test_traceapi.t to 90-test_trace_api.t for consistency
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18704)
Dr. David von Oheimb [Fri, 1 Jul 2022 20:12:08 +0000 (22:12 +0200)]
OSSL_HTTP_REQ_CTX_nbio(): use OSSL_TRACE_STRING() for msg body where it makes sense
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18704)
Dr. David von Oheimb [Fri, 1 Jul 2022 20:09:18 +0000 (22:09 +0200)]
add OSSL_TRACE_STRING(), OSSL_TRACE_STRING_MAX, and OSSL_trace_string()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18704)
Niels Dossche [Mon, 23 Jan 2023 16:16:34 +0000 (17:16 +0100)]
Fix incomplete checks for EVP_CIPHER_asn1_to_param
EVP_CIPHER_asn1_to_param() returns a value <= 0 in case of an error, and
a value greater than 0 in case of success. Two callsites only check for
< 0 instead of <= 0. The other callsites perform this check correctly.
Change the two callsites to <= 0. Additionally correctly handle a zero
return value from EVP_CIPHER_get_asn1_iv as success.
Fixes: #20116
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/201213)
Matt Caswell [Mon, 23 Jan 2023 14:04:26 +0000 (14:04 +0000)]
Remove the user_ssl field
The user_ssl field in an SSL_CONNECTION is no longer used - so remove it.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
Matt Caswell [Tue, 29 Nov 2022 11:26:08 +0000 (11:26 +0000)]
Add QUIC-TLS server support
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
Matt Caswell [Wed, 23 Nov 2022 16:20:14 +0000 (16:20 +0000)]
Remove the old Dummy Handshake code
Now that we have a real TLS handshake we no longer need the dummy handshake
implementation and it can be removed.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
Matt Caswell [Fri, 18 Nov 2022 11:39:33 +0000 (11:39 +0000)]
Add support for the msg_callback
Having support for the msg_callback will improve debug capabilities.
For record headers we "manufacture" dummy ones so that as far as the
callback is concerned we are doing "normal" TLS.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
Matt Caswell [Fri, 18 Nov 2022 12:38:50 +0000 (12:38 +0000)]
Replace use of the Dummy Handshake Layer with the real one
We start using the QUIC TLS implementation rather than the dummy one.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
Matt Caswell [Fri, 18 Nov 2022 12:38:38 +0000 (12:38 +0000)]
Add an initial QUIC-TLS implementation
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
Matt Caswell [Mon, 14 Nov 2022 15:29:38 +0000 (15:29 +0000)]
Add the ability to add a custom extension on an SSL object
Previously we could only do this at the SSL_CTX level. We add the ability
to also do this on an SSL - but only for internal code.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
Matt Caswell [Mon, 14 Nov 2022 14:19:53 +0000 (14:19 +0000)]
Extend the new_record_layer function
Add the ability to pass the main secret and length, as well as the
digest used for the KDF.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
Matt Caswell [Thu, 10 Nov 2022 16:05:16 +0000 (16:05 +0000)]
Add support for setting a custom TLS Record Layer
This is just an internal API for now. Something like this will be made
public API at some point - but it is likely to be based on the provider
interface rather that a direct setting of a METHOD like we do for now.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
Matt Caswell [Thu, 10 Nov 2022 15:45:46 +0000 (15:45 +0000)]
Remove an unneeded OSSL_RECORD_METHOD function
The reset() function was never called so it can be removed.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
Matt Caswell [Thu, 10 Nov 2022 14:25:21 +0000 (14:25 +0000)]
Move recordmethod.h to be an "internal" header
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
Matt Caswell [Tue, 8 Nov 2022 16:20:08 +0000 (16:20 +0000)]
Create the SSL object for QUIC-TLS
The "user" SSL object which represents the QUIC connection should have an
"inner" SSL object to represent the TLS connection.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
Dr. David von Oheimb [Sat, 24 Sep 2022 21:59:12 +0000 (23:59 +0200)]
APPS: generated certs bear X.509 V3, unless -x509v1 option of req app is given
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19271)
Dr. David von Oheimb [Sat, 24 Sep 2022 21:03:32 +0000 (23:03 +0200)]
apps/req.c: properly report parse errors by duplicated(); simplify the function
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19271)
Dr. David von Oheimb [Wed, 28 Sep 2022 18:50:46 +0000 (20:50 +0200)]
X509{,_CRL,_REVOKED}_{set,sign}*(): fix 'modified' field and return values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19271)
Pauli [Sun, 22 Jan 2023 22:52:17 +0000 (09:52 +1100)]
test: note that a default property query must be included for FIPS validity
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20079)
Pauli [Thu, 19 Jan 2023 23:26:45 +0000 (10:26 +1100)]
changes entry about non-approved FIPS algorithms
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20079)
Pauli [Thu, 19 Jan 2023 22:32:49 +0000 (09:32 +1100)]
Put X25519 and X448 back as approved algorithms
CMVP's answer when questioned about this being:
X448 and X25519 uses Curve448 and Curve25519, respectfully, within an
ECDH scheme. Therefore, it is possible for a key agreement scheme
that uses Curve448 and Curve25519 to be used in the approved mode
and be viewed as an allowed algorithm if requirements of Scenario
X2 of IG D.8 and IG A.2 are met (or Scenario 3 of D.F and IG C.A for
FIPS 140-3). The use of EdDSA in the approved mode is not permitted
until FIPS 186-5 is published and part of CMVP guidance.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20079)
Pauli [Thu, 19 Jan 2023 00:16:40 +0000 (11:16 +1100)]
fips: document that the EdDSA algorithms are not-validated
Ed25519 and Ed448 are included in the FIPS 140-3 provider for
compatibility purposes but are flagged as "fips=no" to prevent their accidental
use. This therefore requires that applications always specify the "fips=yes"
property query to enforce FIPS correctness.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20079)
Dr. David von Oheimb [Thu, 22 Dec 2022 10:47:41 +0000 (11:47 +0100)]
OSSL_trace_set_channel(): add important statement that it takes BIO ownership
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19959)
Dr. David von Oheimb [Thu, 22 Dec 2022 10:42:14 +0000 (11:42 +0100)]
set_trace_data(): prevent double free on OPENSSL_strdup() failure
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19959)
FdaSilvaYY [Sat, 20 Feb 2021 22:39:30 +0000 (23:39 +0100)]
Typos fixing
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20109)
FdaSilvaYY [Mon, 16 Jan 2023 22:49:01 +0000 (23:49 +0100)]
Fix windows builds
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20109)
Christoph Müllner [Sat, 21 Jan 2023 14:55:27 +0000 (15:55 +0100)]
CI: cross-compile: riscv: Add RV64 machine with Zb* and Zk*
RISC-V already has a couple of routines to accelerate cryptographic
calculations using ISA extensions. Let's add a cross-compile target
that allows the CI to test this code.
The new defined machine is a rv64gc machine with
* all Bitmanip extensions (Zb*)
* all Scalar Crypto extensions (Zk*)
This selection matches the supported RISC-V extensions in OpenSSL.
Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20107)
Christoph Müllner [Sat, 21 Jan 2023 14:49:17 +0000 (15:49 +0100)]
CI: cross-compile: Allow to set CPU capabilities
The cross-compile CI tests use cross-compilers for building
and QEMU for testing. This implies that testing of ISA extension
for HW accelerated cryptographic calculations is undefined
(it depends on arch-specific QEMU defaults and arch-specific
detection mechanisms in OpenSSL).
Let's add a mechanism to set two environment variables, that allow
to control the ISA extensions:
* QEMU_CPU: used by QEMU to specify CPU capabilities of the emulation
* OPENSSL_*: used by OpenSSL (on some architectures) to enable ISA
extensions.
Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20107)
Hugo Landau [Wed, 18 Jan 2023 15:43:56 +0000 (15:43 +0000)]
Fix corruption when searching for CRLs in hashed directories
The by_dir certificate/CRL lookup code uses an OPENSSL_STACK to track
how many sequentially numbered CRL files have been loaded for a given
X509_NAME hash which is being requested. This avoids loading already
loaded CRL files and repeated stat() calls.
This OPENSSL_STACK is searched using sk_find, however this mutates
the OPENSSL_STACK unless it is known to be sorted. This operation
therefore requires a write lock, which was not taken.
Fix this issue by sorting the OPENSSL_STACK whenever it is mutated. This
guarantees no mutation will occur during sk_find. This is chosen over
taking a write lock during sk_find as retrieving a CRL by X509_NAME is
assumed to be a hotter path than the case where a new CRL is installed.
Also optimise the code by avoiding creating the structure to track the
last CRL file sequence number in the circumstance where it would match
the initial value, namely where no CRL with the given hash is installed.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20076)
Matt Caswell [Fri, 20 Jan 2023 14:08:42 +0000 (14:08 +0000)]
Add DTLS support to the large app data test
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20085)
Matt Caswell [Thu, 19 Jan 2023 11:59:44 +0000 (11:59 +0000)]
Ensure our buffer allocation allows for the Explicit IV
Some ciphers/protocol versions have an explicit IV. We need to make sure we
have sufficient room for it in the underlying buffer.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20085)
Matt Caswell [Thu, 19 Jan 2023 10:52:45 +0000 (10:52 +0000)]
Add a test for large app data
Test that sending large app data records works correctly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20085)
Tomas Mraz [Fri, 20 Jan 2023 10:40:45 +0000 (11:40 +0100)]
MD5.pod: Recommend SHA-2 or SHA-3 family hashes instead of legacy ones
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20095)
Dr. David von Oheimb [Mon, 16 Jan 2023 07:38:01 +0000 (08:38 +0100)]
X509_V_ERR_INVALID_PURPOSE: fix misleading text; Fix omission in X509_VERIFY_PARAM_clear_flags doc
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20052)
Dr. David von Oheimb [Tue, 11 Oct 2022 14:21:20 +0000 (16:21 +0200)]
cmp_client.c: fix handling of total_timeout for RR and GENM transactions
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19391)
Dr. David von Oheimb [Fri, 25 Nov 2022 09:43:12 +0000 (10:43 +0100)]
cmp_client_test.c: add tests for end_time being initialized for RR/GENM
To this end, tweak the internal handling of ctx->total_timeout.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19391)
Dr. David von Oheimb [Fri, 25 Nov 2022 11:08:42 +0000 (12:08 +0100)]
CMP docs: clarify behavior on message/total timeout values given
Clarify behavior of OSSL_CMP_CTX_set_option() when given (negative)
values for OSSL_CMP_OPT_MSG_TIMEOUT or OSSL_CMP_OPT_TOTAL_TIMEOUT.
Fix doc of -msg_timeout and -total_timeout in openssl-cmp.pod.in
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19391)
Thib [Fri, 20 Jan 2023 13:07:15 +0000 (14:07 +0100)]
Fixes wrong return type in BIO_do_connect man page.
Current man page indicates the function returns an int while it returns
a long.
Fixes #20096.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20097)
Niels Dossche [Sat, 21 Jan 2023 12:34:34 +0000 (13:34 +0100)]
Fix incorrect check on RAND_bytes_ex() in generate_q_fips186_4()
RAND_bytes_ex() can also return 0 on failure. Other callers do check
this correctly. Change the check from <0 to <=0.
Fixes: #20100
CLA: trivial
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20106)
Ingo Franzki [Wed, 18 Jan 2023 10:24:16 +0000 (11:24 +0100)]
Allow OSSL_SIGNATURE_PARAM_NONCE_TYPE to be retrieved
Context parameter OSSL_SIGNATURE_PARAM_NONCE_TYPE can now also be
retrieved for ECDSA and DSA.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20070)
David Carlier [Sat, 19 Dec 2020 11:07:09 +0000 (11:07 +0000)]
Adding a separated build settings for BSD flavors
to avoid inheriting Linux's linker flags (ie -Wl,-z,defs)
now targetting OpenBSD.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13393)
Richard Levitte [Fri, 13 Jan 2023 11:51:43 +0000 (12:51 +0100)]
bn2bin(): Don't accept len < 0
Test included
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20033)
Richard Levitte [Thu, 12 Jan 2023 10:10:01 +0000 (11:10 +0100)]
Add a test for public variants of bn2bin()
We test with binary input of length 1, length 0, and NULL input with length 0
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20033)
Richard Levitte [Thu, 12 Jan 2023 09:17:01 +0000 (10:17 +0100)]
bin2bn(): When len==0, just return a zero BIGNUM
This allows calls with s==NULL and len==0 to be safe. It probably already
was, but address sanitizers could still complain.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20033)
ValdikSS [Wed, 18 Jan 2023 17:14:48 +0000 (20:14 +0300)]
Padlock: fix byte swapping assembly for AES-192 and 256
Byte swapping code incorrectly uses the number of AES rounds to swap expanded
AES key, while swapping only a single dword in a loop, resulting in swapped
key and partially swapped expanded keys, breaking AES encryption and
decryption on VIA Padlock hardware.
This commit correctly sets the number of swapping loops to be done.
Fixes #20073
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20077)
Pauli [Wed, 18 Jan 2023 07:03:33 +0000 (18:03 +1100)]
Add link to EBNF definition
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20023)