Tomas Mraz [Fri, 15 Oct 2021 12:50:17 +0000 (14:50 +0200)]
doc: EVP_PKEY_get_utf8/octet_string_param() clarify NULL buffer behavior
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16843)
Tomas Mraz [Wed, 20 Oct 2021 16:27:47 +0000 (18:27 +0200)]
doc: Document the type of label EVP_PKEY_CTX_set0_rsa_oaep_label properly
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16869)
Matt Caswell [Wed, 20 Oct 2021 14:47:22 +0000 (15:47 +0100)]
Update pyca-cryptography sub-module
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16789)
Matt Caswell [Mon, 11 Oct 2021 12:43:19 +0000 (13:43 +0100)]
Fix acvp_test sig_gen
Ensure we set the size of the signature buffer before we call
EVP_DigestSign()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16789)
Matt Caswell [Mon, 11 Oct 2021 12:12:49 +0000 (13:12 +0100)]
Fix test_CMAC_keygen
Make sure we correctly pass through the size of the buffer to
EVP_DigestSignFinal
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16789)
Matt Caswell [Mon, 11 Oct 2021 11:08:29 +0000 (12:08 +0100)]
Fix a bug in signature self tests in the FIPS module
When calling EVP_PKEY_sign(), the size of the signature buffer must
be passed in *siglen.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16789)
Matt Caswell [Fri, 8 Oct 2021 13:43:17 +0000 (14:43 +0100)]
Add an additional note to EVP_DigestSign() documentation
Clarify what happens if it fails. Make it clear that you can pass a NULL
"sig" buffer to get the "siglen".
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16789)
Matt Caswell [Thu, 7 Oct 2021 13:15:47 +0000 (14:15 +0100)]
Test short buffers
Test that calling EVP_DigestSign(), EVP_DigestSignFinal(),
EVP_PKEY_sign(), EVP_PKEY_get_raw_private_key(), or
EVP_PKEY_get_raw_public_key() with a short output buffer results in a
failure.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16789)
Matt Caswell [Thu, 7 Oct 2021 13:14:52 +0000 (14:14 +0100)]
Fix SSKDF to not claim a buffer size that is too small for the MAC
We also check that our buffer is sufficiently sized for the MAC output
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16789)
Matt Caswell [Thu, 7 Oct 2021 13:06:32 +0000 (14:06 +0100)]
Enforce a size check in EVP_MAC_final()
Make sure that the outsize for the buffer is large enough for the
output from the MAC.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16789)
Matt Caswell [Thu, 7 Oct 2021 10:33:17 +0000 (11:33 +0100)]
Prevent an overflow if an application supplies a buffer that is too small
If an application bug means that a buffer smaller than is necessary is
passed to various functions then OpenSSL does not spot that the buffer
is too small and fills it anyway. This PR prevents that.
Since it requires an application bug to hit this problem, no CVE is
allocated.
Thanks to David Benjamin for reporting this issue.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16789)
Dr. David von Oheimb [Wed, 20 Oct 2021 10:44:51 +0000 (12:44 +0200)]
APPS/req.c: Make -reqexts option an alias of -extensions option
This simplifies code, doc, and use.
Fixes issue ignoring one or the other.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16865)
Tomas Mraz [Wed, 20 Oct 2021 11:33:27 +0000 (13:33 +0200)]
Add missing define to enable AES-NI usage on x86 platform
Fixes #16858
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16866)
PW Hu [Mon, 18 Oct 2021 08:49:14 +0000 (16:49 +0800)]
Fix function signature error
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/16852)
Matt Caswell [Fri, 15 Oct 2021 15:30:45 +0000 (16:30 +0100)]
Add tests for ENGINE problems
Add some tests which would have caught the issues fixed in the previous
3 commits related to engine handling.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16846)
Matt Caswell [Fri, 15 Oct 2021 15:28:53 +0000 (16:28 +0100)]
Update provider_util.c to correctly handle ENGINE references
provider_util.c failed to free ENGINE references when clearing a cipher
or a digest. Additionally ciphers and digests were not copied correctly,
which would lead to double-frees if it were not for the previously
mentioned leaks.
Fixes #16845
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16846)
Matt Caswell [Fri, 15 Oct 2021 15:23:31 +0000 (16:23 +0100)]
Ensure pkey_set_type handles ENGINE references correctly
pkey_set_type should not consume the ENGINE references that may be
passed to it.
Fixes #16757
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16846)
Matt Caswell [Fri, 15 Oct 2021 15:06:28 +0000 (16:06 +0100)]
Make sure EVP_CIPHER_CTX_copy works with the dasync engine
Ciphers in the dasync engine were failing to copy their context properly
in the event of EVP_CIPHER_CTX_copy() because they did not define the
flag EVP_CIPH_CUSTOM_FLAG.
Fixes #16844
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16846)
jwalch [Fri, 15 Oct 2021 23:03:17 +0000 (19:03 -0400)]
Avoid NULL+X UB in bss_mem.c
Fixes #16816
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16818)
Matt Caswell [Thu, 14 Oct 2021 16:04:16 +0000 (17:04 +0100)]
Fix the signature newctx documentation
The documentation omitted the propq parameter
Fixes #16755
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16836)
Richard Levitte [Sat, 16 Oct 2021 08:22:42 +0000 (10:22 +0200)]
Fix lock leak in evp_keymgmt_util_export_to_provider()
Fixes #16847
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16849)
Tomas Mraz [Thu, 14 Oct 2021 09:02:36 +0000 (11:02 +0200)]
Raise error when invalid digest used with SM2
Otherwise commands like openssl req -newkey sm2 fail silently without
reporting any error unless -sm3 option is added.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16833)
Peiwei Hu [Tue, 12 Oct 2021 02:50:12 +0000 (10:50 +0800)]
test/ssl_old_test.c: Fix potential leak
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16806)
Richard Levitte [Thu, 14 Oct 2021 16:49:11 +0000 (18:49 +0200)]
Fix test/recipes/01-test_symbol_presence.t to disregard version info
The output of 'nm -DPg' contains version info attached to the symbols,
which makes the test fail. Simply dropping the version info makes the
test work again.
Fixes #16810 (followup)
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16840)
Bernd Edlinger [Wed, 13 Oct 2021 04:37:46 +0000 (06:37 +0200)]
Fix another memory leak reported in CIFuzz
Direct leak of 2 byte(s) in 1 object(s) allocated from:
#0 0x4a067d in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
#1 0x57acd9 in CRYPTO_malloc /src/openssl/crypto/mem.c:184:12
#2 0x57e106 in CRYPTO_strdup /src/openssl/crypto/o_str.c:24:11
#3 0x5c139f in def_load_bio /src/openssl/crypto/conf/conf_def.c:427:45
#4 0x56adf5 in NCONF_load_bio /src/openssl/crypto/conf/conf_lib.c:282:12
#5 0x4d96cf in FuzzerTestOneInput /src/openssl/fuzz/conf.c:38:5
#6 0x4d9830 in LLVMFuzzerTestOneInput /src/openssl/fuzz/driver.c:28:12
#7 0x510c23 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
#8 0x4fc4d2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#9 0x501f85 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
#10 0x52ac82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#11 0x7f15336bf0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16813)
Bernd Edlinger [Tue, 12 Oct 2021 17:38:14 +0000 (19:38 +0200)]
Fix a memory leak reported in CIFuzz
Direct leak of 4 byte(s) in 1 object(s) allocated from:
#0 0x4a067d in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
#1 0x57af0d in CRYPTO_malloc /src/openssl/crypto/mem.c:184:12
#2 0x57af0d in CRYPTO_realloc /src/openssl/crypto/mem.c:207:16
#3 0x569d17 in BUF_MEM_grow /src/openssl/crypto/buffer/buffer.c:97:15
#4 0x5c3629 in str_copy /src/openssl/crypto/conf/conf_def.c:642:10
#5 0x5c1cc1 in def_load_bio /src/openssl/crypto/conf/conf_def.c:452:22
#6 0x56adf5 in NCONF_load_bio /src/openssl/crypto/conf/conf_lib.c:282:12
#7 0x4d96cf in FuzzerTestOneInput /src/openssl/fuzz/conf.c:38:5
#8 0x4d9830 in LLVMFuzzerTestOneInput /src/openssl/fuzz/driver.c:28:12
#9 0x510c23 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
#10 0x4fc4d2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#11 0x501f85 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
#12 0x52ac82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16813)
Richard Levitte [Wed, 13 Oct 2021 07:09:05 +0000 (09:09 +0200)]
Fix test/recipes/01-test_symbol_presence.t to allow for stripped libraries
It's a small change to the 'nm' call, to have it look at dynamic symbols
rather than the normal ones.
Fixes #16810
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16822)
Mingjun.Yang [Mon, 11 Oct 2021 07:51:34 +0000 (15:51 +0800)]
feat: Add sm2 signature test case from GM/T 0003.5-2012
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16802)
Tomas Mraz [Mon, 11 Oct 2021 13:04:46 +0000 (15:04 +0200)]
cmp_vfy.c, encoder_lib.c: Fix potential leak of a BIO
Fixes #16787
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/16804)
Tomas Mraz [Mon, 11 Oct 2021 13:03:47 +0000 (15:03 +0200)]
ctrl_params_translate: Fix leak of BN_CTX
Also add a missing allocation failure check.
Fixes #16788
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/16804)
Tomas Mraz [Thu, 7 Oct 2021 15:34:08 +0000 (17:34 +0200)]
req: Do not warn about using stdin when generating new request
Fixes #16773
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16774)
Matt Caswell [Mon, 20 Sep 2021 13:36:42 +0000 (14:36 +0100)]
Extend custom extension testing
Test the scenario where we add a custom extension to a certificate
request and expect a response in the client's certificate message.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16634)
Matt Caswell [Mon, 20 Sep 2021 13:15:18 +0000 (14:15 +0100)]
New extensions can be sent in a certificate request
Normally we expect a client to send new extensions in the ClientHello,
which may be echoed back by the server in subsequent messages. However the
server can also send a new extension in the certificate request message to
be echoed back in a certificate message.
Fixes #16632
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16634)
Tomas Mraz [Thu, 7 Oct 2021 09:10:19 +0000 (11:10 +0200)]
doc: OPENSSL_CORE_CTX should never be cast to OSSL_LIB_CTX
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16771)
PW Hu [Fri, 8 Oct 2021 09:01:47 +0000 (17:01 +0800)]
Bugfix: unsafe return check of EVP_PKEY_fromdata
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16783)
PW Hu [Fri, 8 Oct 2021 08:59:00 +0000 (16:59 +0800)]
Bugfix: unsafe return check of EVP_PKEY_fromdata_init
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16783)
Matt Caswell [Fri, 8 Oct 2021 12:45:51 +0000 (13:45 +0100)]
Update gost-engine to the latest version
Update the gost-engine submodule to pick up the latest version
including fixes for the default security level of 2.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16760)
Matt Caswell [Wed, 6 Oct 2021 14:08:43 +0000 (15:08 +0100)]
Update document for default security level change
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16760)
Matt Caswell [Tue, 5 Oct 2021 16:30:09 +0000 (17:30 +0100)]
Fix tests for new default security level
Fix tests that were expecting a default security level of 1 to work with
the new default of 2.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16760)
Matt Caswell [Tue, 5 Oct 2021 16:29:35 +0000 (17:29 +0100)]
Increase the default security level to 2
OTC voted to increase the security level from 1 to 2
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16760)
Pauli [Thu, 30 Sep 2021 01:39:41 +0000 (11:39 +1000)]
doc: document that property names are unique
Both queries and definitions only support each individual name appearing once.
It is an error to have a name appear more than once.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16716)
Pauli [Thu, 30 Sep 2021 01:35:32 +0000 (11:35 +1000)]
test: add failure testing for property parsing
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16716)
Pauli [Thu, 30 Sep 2021 01:33:37 +0000 (11:33 +1000)]
property: produce error if a name is duplicated
Neither queries nor definitions handle duplicated property names well.
Make having such a name an error.
Fixes #16715
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16716)
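To illustrate the rule the three commits above document, here is an added example (not OpenSSL's own parser, which lives under crypto/property/) of a simplified property definition/query parser that rejects a duplicated name instead of tolerating it; the grammar and the matching semantics are an approximation of OpenSSL's and are assumptions of this example.

```python
"""Simplified parser for OpenSSL-style property definitions and queries.

Added example; this is not OpenSSL's own parser.  It demonstrates the
rule from the commits above: a property name may appear only once in a
definition or query, and a duplicate is an error rather than something
silently tolerated.  Grammar and matching rules are an approximation.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumption: names are dotted ASCII identifiers (e.g. "provider", "fips").
_NAME = r"[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*"
# Values may be quoted strings or bare tokens such as "default" or "1.2".
_VALUE = r'"[^"]*"|\'[^\']*\'|[A-Za-z0-9_.-]+'
_CLAUSE = re.compile(
    r"^(?P<opt>\?)?(?P<neg>-)?(?P<name>" + _NAME + r")\s*"
    r"(?:(?P<op>!=|=)\s*(?P<value>" + _VALUE + r"))?$"
)


@dataclass(frozen=True)
class Clause:
    name: str
    op: str           # "=" or "!="
    value: str
    optional: bool    # "?name=value": a preference, never a hard requirement


class PropertyError(ValueError):
    """Raised for malformed clauses and for duplicated property names."""


def parse_properties(text: str, query: bool) -> List[Clause]:
    """Parse a definition (query=False) or a query (query=True).

    Definitions accept only "name=value".  Queries additionally accept
    "name!=value", an optional "?" prefix, a bare "name" (short for
    name=yes) and "-name" (short for name=no).  A name that appears twice
    is rejected no matter which operator or prefix the second use has.
    """
    clauses: List[Clause] = []
    seen = set()
    for raw in text.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = _CLAUSE.match(raw)
        if m is None:
            raise PropertyError(f"malformed clause: {raw!r}")
        optional, negated = bool(m["opt"]), bool(m["neg"])
        name, op, value = m["name"], m["op"], m["value"]
        if op is None:                      # bare name or -name shorthand
            op, value = "=", ("no" if negated else "yes")
        elif negated:
            raise PropertyError(f"'-' cannot take a value: {raw!r}")
        if not query and (optional or negated or op != "="):
            raise PropertyError(f"query-only syntax in a definition: {raw!r}")
        if value[0] in "\"'":
            value = value[1:-1]
        # The rule documented in the commit: each name at most once.
        if name in seen:
            raise PropertyError(f"property {name!r} appears more than once")
        seen.add(name)
        clauses.append(Clause(name, op, value, optional))
    return clauses


def query_matches(definition: str, query: str) -> bool:
    """Return True when the definition satisfies every required query clause.

    Assumed semantics: "name=value" needs the property present and equal;
    "name!=value" is satisfied when the property is absent or differs;
    optional ("?") clauses only express preference and never fail a match.
    """
    defined: Dict[str, str] = {
        c.name: c.value for c in parse_properties(definition, query=False)
    }
    for c in parse_properties(query, query=True):
        if c.optional:
            continue
        present = c.name in defined
        if c.op == "=" and not (present and defined[c.name] == c.value):
            return False
        if c.op == "!=" and present and defined[c.name] == c.value:
            return False
    return True


def is_valid(text: str, query: bool) -> bool:
    """Convenience wrapper: True if the string parses without error."""
    try:
        parse_properties(text, query)
        return True
    except PropertyError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the first is fine, the second repeats "provider".
    print(is_valid("provider=default, fips=yes", query=False))       # True
    print(is_valid("provider=default, provider=fips", query=False))  # False
```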
Dmitry Belyavskiy [Thu, 7 Oct 2021 17:14:50 +0000 (19:14 +0200)]
Bindhost/bindport should be freed
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16775)
PW Hu [Thu, 7 Oct 2021 03:50:59 +0000 (11:50 +0800)]
Fix unsafe BIO_get_md_ctx check
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16768)
Tobias Nießen [Wed, 6 Oct 2021 00:01:42 +0000 (02:01 +0200)]
Fix heading in random generator man7 page
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16753)
Dr. David von Oheimb [Tue, 5 Oct 2021 10:54:15 +0000 (12:54 +0200)]
apps/x509: Fix self-signed check to happen before setting issuer name
Fixes #16720
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16747)
Tomas Mraz [Mon, 4 Oct 2021 09:19:33 +0000 (11:19 +0200)]
s_socket.c: Avoid possible NULL pointer dereference
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/16736)
Bernd Edlinger [Sun, 24 May 2020 14:14:02 +0000 (16:14 +0200)]
Replace the AES-128-CBC-HMAC-SHA1 cipher in e_ossltest.c
This replaces the AES-128-CBC-HMAC-SHA1 cipher with a
non-encrypting version for use in the test suite.
[extended tests]
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16693)
Bernd Edlinger [Sun, 24 May 2020 09:11:27 +0000 (11:11 +0200)]
Remove OPENSSL_ia32cap overrides in various test scripts
The removed override was: OPENSSL_ia32cap=~0x200000200000000
which disables AESNI codepaths and PCLMULQDQ (useful for ghash).
It is unclear why this was done, but it probably just hides bugs.
[extended tests]
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16693)
Bernd Edlinger [Mon, 4 Oct 2021 17:45:19 +0000 (19:45 +0200)]
Fix a memory leak in the afalg engine
Fixes: #16743
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16744)
Dmitry Belyavskiy [Sun, 3 Oct 2021 18:20:23 +0000 (20:20 +0200)]
Fix for the dasync engine
Fixes: #16724
Fixes: #16735
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16734)
Tianjia Zhang [Sun, 3 Oct 2021 03:07:24 +0000 (11:07 +0800)]
obj: Add SM4 GCM/CCM OID
Add the following OID:
SM4-GCM: 1.2.156.10197.1.104.8
SM4-CCM: 1.2.156.10197.1.104.9
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16731)
Mark Fedorov [Wed, 29 Sep 2021 17:49:59 +0000 (20:49 +0300)]
RISC-V support for the SHA256
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16710)
Dr. David von Oheimb [Thu, 30 Sep 2021 09:12:49 +0000 (11:12 +0200)]
BIO_f_ssl.pod: Make clear where SSL BIOs are expected as an argument
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16688)
Dr. David von Oheimb [Wed, 29 Sep 2021 08:46:23 +0000 (10:46 +0200)]
apps/lib/s_socket.c: Fix mem leak on host name in init_client()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16688)
Dr. David von Oheimb [Mon, 27 Sep 2021 12:22:40 +0000 (14:22 +0200)]
Fix ssl_free() and thus BIO_free() to respect BIO_NOCLOSE
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16688)
Russ Butler [Sat, 28 Aug 2021 18:57:09 +0000 (13:57 -0500)]
aarch64: support BTI and pointer authentication in assembly
This change adds optional support for
- Armv8.3-A Pointer Authentication (PAuth) and
- Armv8.5-A Branch Target Identification (BTI)
features to the perl scripts.
Both features can be enabled with additional compiler flags.
Unless any of these are enabled explicitly there is no code change at
all.
The extensions are briefly described below. Please read the appropriate
chapters of the Arm Architecture Reference Manual for the complete
specification.
Scope
-----
This change only affects generated assembly code.
Armv8.3-A Pointer Authentication
--------------------------------
Pointer Authentication extension supports the authentication of the
contents of registers before they are used for indirect branching
or load.
PAuth provides a probabilistic method to detect corruption of register
values. PAuth signing instructions generate a Pointer Authentication
Code (PAC) based on the value of a register, a seed and a key.
The generated PAC is inserted into the original value in the register.
A PAuth authentication instruction recomputes the PAC, and if it matches
the PAC in the register, restores its original value. In case of a
mismatch, an architecturally unmapped address is generated instead.
With PAuth, mitigation against ROP (Return-oriented Programming) attacks
can be implemented. This is achieved by signing the contents of the
link-register (LR) before it is pushed to stack. Once LR is popped,
it is authenticated. This way a stack corruption which overwrites the
LR on the stack is detectable.
The PAuth extension adds several new instructions, some of which are not
recognized by older hardware. To support a single codebase for both pre
Armv8.3-A targets and newer ones, only NOP-space instructions are added
by this patch. These instructions are treated as NOPs on hardware
which does not support Armv8.3-A. Furthermore, this patch only considers
cases where LR is saved to the stack and then restored before branching
to its content. There are cases in the code where LR is pushed to stack
but it is not used later. We do not address these cases as they are not
affected by PAuth.
There are two keys available to sign an instruction address: A and B.
PACIASP and PACIBSP only differ in the used keys: A and B, respectively.
The keys are typically managed by the operating system.
To enable generating code for PAuth compile with
-mbranch-protection=<mode>:
- standard or pac-ret: add PACIASP and AUTIASP, also enables BTI
(read below)
- pac-ret+b-key: add PACIBSP and AUTIBSP
Armv8.5-A Branch Target Identification
--------------------------------------
Branch Target Identification features some new instructions which
protect the execution of instructions on guarded pages which are not
intended branch targets.
If Armv8.5-A is supported by the hardware, execution of an instruction
changes the value of PSTATE.BTYPE field. If an indirect branch
lands on a guarded page the target instruction must be one of the
BTI <jc> flavors, or in case of a direct call or jump it can be any
other instruction. If the target instruction is not compatible with the
value of PSTATE.BTYPE a Branch Target Exception is generated.
In short, indirect jumps are compatible with BTI <j> and <jc> while
indirect calls are compatible with BTI <c> and <jc>. Please refer to the
specification for the details.
Armv8.3-A PACIASP and PACIBSP are implicit branch target
identification instructions which are equivalent with BTI c or BTI jc
depending on system register configuration.
BTI is used to mitigate JOP (Jump-oriented Programming) attacks by
limiting the set of instructions which can be jumped to.
BTI requires active linker support to mark the pages with BTI-enabled
code as guarded. For ELF64 files BTI compatibility is recorded in the
.note.gnu.property section. For a shared object or static binary it is
required that all linked units support BTI. This means that even a
single assembly file without the required note section turns off BTI
for the whole binary or shared object.
The new BTI instructions are treated as NOPs on hardware which does
not support Armv8.5-A or on pages which are not guarded.
To insert this new and optional instruction compile with
-mbranch-protection=standard (also enables PAuth) or +bti.
When targeting a guarded page from a non-guarded page, weaker
compatibility restrictions apply to maintain compatibility between
legacy and new code. For detailed rules please refer to the Arm ARM.
Compiler support
----------------
Compiler support requires understanding '-mbranch-protection=<mode>'
and emitting the appropriate feature macros (__ARM_FEATURE_BTI_DEFAULT
and __ARM_FEATURE_PAC_DEFAULT). The current state is the following:
-------------------------------------------------------
| Compiler | -mbranch-protection | Feature macros |
+----------+---------------------+--------------------+
| clang | 9.0.0 | 11.0.0 |
+----------+---------------------+--------------------+
| gcc | 9 | expected in 10.1+ |
-------------------------------------------------------
Available Platforms
-------------------
Arm Fast Model and QEMU support both extensions.
https://developer.arm.com/tools-and-software/simulation-models/fast-models
https://www.qemu.org/
Implementation Notes
--------------------
This change adds BTI landing pads even to assembly functions which are
likely to be directly called only. In these cases, landing pads might
be superfluous depending on what code the linker generates.
Code size and performance impact for these cases would be negligible.
Interaction with C code
-----------------------
Pointer Authentication is a per-frame protection while Branch Target
Identification can be turned on and off only for all code pages of a
whole shared object or static binary. Because of these properties if
C/C++ code is compiled without any of the above features but assembly
files support any of them unconditionally there is no incompatibility
between the two.
Useful Links
------------
To fully understand the details of both PAuth and BTI it is advised to
read the related chapters of the Arm Architecture Reference Manual
(Arm ARM):
https://developer.arm.com/documentation/ddi0487/latest/
Additional materials:
"Providing protection for complex software"
https://developer.arm.com/architectures/learn-the-architecture/providing-protection-for-complex-software
Arm Compiler Reference Guide Version 6.14: -mbranch-protection
https://developer.arm.com/documentation/101754/0614/armclang-Reference/armclang-Command-line-Options/-mbranch-protection?lang=en
Arm C Language Extensions (ACLE)
https://developer.arm.com/docs/101028/latest
Additional Notes
--------------
This patch is a copy of the work done by Tamas Petz in boringssl. It
contains the changes from the following commits:
aarch64: support BTI and pointer authentication in assembly
Change-Id: I4335f92e2ccc8e209c7d68a0a79f1acdf3aeb791
URL: https://boringssl-review.googlesource.com/c/boringssl/+/42084
aarch64: Improve conditional compilation
Change-Id: I14902a64e5f403c2b6a117bc9f5fb1a4f4611ebf
URL: https://boringssl-review.googlesource.com/c/boringssl/+/43524
aarch64: Fix name of gnu property note section
Change-Id: I6c432d1c852129e9c273f6469a8b60e3983671ec
URL: https://boringssl-review.googlesource.com/c/boringssl/+/44024
Change-Id: I2d95ebc5e4aeb5610d3b226f9754ee80cf74a9af
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16674)
Amit Kulkarni [Thu, 23 Sep 2021 23:59:12 +0000 (16:59 -0700)]
doc: crypto(7) - fix typo
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16695)
Viktor Dukhovni [Wed, 29 Sep 2021 22:03:13 +0000 (18:03 -0400)]
Fully initialise cipher/digest app handles
This avoids a crash in e.g. `openssl chacha20` as reported by
Steffen Nurpmeso on openssl-users.
Resolves: #16713
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16714)
Dr. Matthias St. Pierre [Tue, 28 Sep 2021 14:12:32 +0000 (16:12 +0200)]
doc/man3/SSL_set_fd.pod: add note about Windows compiler warning
According to an old stackoverflow thread [1], citing an even older comment by
Andy Polyakov (
1875e6db29, Pull up Win64 support from 0.9.8., 2005-07-05),
a cast of 'SOCKET' (UINT_PTR) to 'int' does not create a problem, because although
the documentation [2] claims that the upper limit is INVALID_SOCKET-1 (2^64 - 2),
in practice the socket() implementation on Windows returns an index into the kernel
handle table, the size of which is limited to 2^24 [3].
Add this note to the manual page to avoid unnecessary roundtrips to StackOverflow.
[1] https://stackoverflow.com/questions/1953639/is-it-safe-to-cast-socket-to-int-under-win64
[2] https://docs.microsoft.com/en-us/windows/win32/winsock/socket-data-type-2
[3] https://docs.microsoft.com/en-us/windows/win32/sysinfo/kernel-objects
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16699)
marcfedorow [Mon, 20 Sep 2021 16:52:23 +0000 (19:52 +0300)]
RISC-V support for the SHA512
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16638)
Erik Lax [Thu, 29 Jul 2021 23:43:36 +0000 (01:43 +0200)]
Update manual to reference the IANA TLS Cipher Suites Registry
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16179)
Erik Lax [Thu, 29 Jul 2021 22:47:46 +0000 (00:47 +0200)]
Allow cipher strings to be given using its standard name
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16179)
Tomas Mraz [Mon, 27 Sep 2021 07:45:31 +0000 (09:45 +0200)]
BIO_ctrl: Avoid spurious error being raised on NULL bio parameter
Some of the functions are being called on NULL bio with the
expectation that such call will not raise an error.
Fixes #16681
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16686)
Tianjia Zhang [Wed, 1 Sep 2021 08:54:15 +0000 (16:54 +0800)]
providers: Add SM4 GCM implementation
The GCM mode of the SM4 algorithm is specified by RFC8998.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16491)
Peiwei Hu [Sun, 26 Sep 2021 07:28:19 +0000 (15:28 +0800)]
Fix return value of BIO_free
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16682)
Peiwei Hu [Sun, 26 Sep 2021 07:44:42 +0000 (15:44 +0800)]
Fix some documentation errors
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16684)
Tianjia Zhang [Sat, 25 Sep 2021 10:06:15 +0000 (18:06 +0800)]
ssl: Correct comment for ssl3_read_bytes()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16680)
Pauli [Sun, 26 Sep 2021 23:20:20 +0000 (09:20 +1000)]
test: add some PVK KDF unit test cases
These cases were generated using OpenSSL.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
Pauli [Sun, 26 Sep 2021 23:06:01 +0000 (09:06 +1000)]
changes: note that PVK KDF has moved to the legacy provider
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
Pauli [Sun, 26 Sep 2021 23:05:32 +0000 (09:05 +1000)]
doc: note that these KDFs require the legacy provider to be available
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
Pauli [Thu, 1 Jul 2021 04:48:49 +0000 (14:48 +1000)]
doc: include PVK KDF documentation in build.info
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
Pauli [Thu, 1 Jul 2021 04:40:44 +0000 (14:40 +1000)]
include PVK KDF in legacy provider algorithm list
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
Pauli [Thu, 1 Jul 2021 04:40:27 +0000 (14:40 +1000)]
doc: add page for PVK KDF
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
Pauli [Thu, 1 Jul 2021 04:11:17 +0000 (14:11 +1000)]
pvk: use PVK KDF
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
Pauli [Thu, 1 Jul 2021 04:10:04 +0000 (14:10 +1000)]
kdf: Add PVK KDF to providers.
Add PIN Verification Key key derivation function to providers.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
Mingjun.Yang [Mon, 6 Sep 2021 07:30:19 +0000 (15:30 +0800)]
Add sm2 encryption test case from GM/T 0003.5-2012
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16511)
Mattias Ellert [Sat, 25 Sep 2021 02:57:57 +0000 (04:57 +0200)]
Fix variable name mis-match in example code
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16676)
Mattias Ellert [Sat, 25 Sep 2021 02:55:24 +0000 (04:55 +0200)]
EVP_PKEY_keygen_init has no argument named pkey
int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);
So it should not mention it in the man page description.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16675)
Tianjia Zhang [Fri, 24 Sep 2021 08:55:03 +0000 (16:55 +0800)]
ssl: Correct filename in README
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16671)
Pauli [Fri, 24 Sep 2021 00:28:13 +0000 (10:28 +1000)]
ci: add additional operating system specific builds
These are an attempt to cover off on older OS versions that the main CIs
do not cover.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16669)
Pauli [Sat, 25 Sep 2021 00:41:02 +0000 (10:41 +1000)]
Add changes entry indicating that the OBJ_* calls are now thread safe
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
Pauli [Mon, 14 Jun 2021 01:11:16 +0000 (11:11 +1000)]
test: add threading test for object creation
In addition, rework the multi tests to use common code.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
Pauli [Fri, 11 Jun 2021 09:10:49 +0000 (19:10 +1000)]
doc: add note to indicate that the OBJ_ functions were not thread safe in 3.0
Also remove OBJ_thread from the list of non-threadsafe functions.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
Pauli [Thu, 24 Jun 2021 13:51:53 +0000 (23:51 +1000)]
doc: Document that the OBJ creation functions are now thread safe.
With the OBJ_ thread locking in place, these documentation changes are not
required.
This reverts commit 0218bcdd3feab456135207c140998305df73ab7b.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
Pauli [Thu, 17 Jun 2021 01:05:02 +0000 (11:05 +1000)]
obj: add locking to the OBJ sigid calls
This is done using a single global lock. The premise for this is that new
objects will most frequently be added at start up and never added subsequently.
Thus, the locking will be for read most of the time.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
Pauli [Thu, 17 Jun 2021 02:41:36 +0000 (12:41 +1000)]
obj: make new NIDs use tsan if possible
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
Pauli [Fri, 11 Jun 2021 07:05:20 +0000 (17:05 +1000)]
obj: make the OBJ_ calls thread safe
This is done using a single global lock. The premise for this is that new
objects will most frequently be added at start up and never added subsequently.
Thus, the locking will be for read most of the time.
This does, however, introduce the overhead of taking an uncontested read lock
when accessing the object database.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
Pauli [Thu, 17 Jun 2021 02:36:33 +0000 (12:36 +1000)]
tsan: add an addition macro
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
Dr. David von Oheimb [Mon, 12 Jul 2021 13:32:02 +0000 (15:32 +0200)]
80-test_cmp_http.t: Remove -certout option where not needed
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16052)
Dr. David von Oheimb [Mon, 12 Jul 2021 13:30:20 +0000 (15:30 +0200)]
cmp_client_test.c: Remove needless dependency on NDEBUG
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16052)
Dmitry Belyavskiy [Wed, 22 Sep 2021 14:40:13 +0000 (16:40 +0200)]
FIPS and KTLS may interfere
New Linux kernels (>= 5.11) enable KTLS CHACHA which is not
FIPS-suitable.
Fixes #16657
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16658)
Dominic Letz [Wed, 22 Sep 2021 16:03:28 +0000 (18:03 +0200)]
Update 15-ios.conf
CLA: trivial
I assume this has been an error in the initial iOS conf file. In order to build for iOS, the shared engine library needs to be disabled because iOS doesn't have the concept of shared libraries. But instead of only disabling `dynamic-engine` (or, as in this commit, disabling the `shared` option), the previous config disabled `engine` and with that the `static-engine` compilation as well. This restores the `static-engine` option being enabled by default, while keeping compilation going on iOS.
Cheers!
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16659)
Pauli [Thu, 23 Sep 2021 02:27:11 +0000 (12:27 +1000)]
tls/ccm8: reduce the cipher strength for CCM8 ciphers to 64 bits
This is the length of the tag they use and should be considered an upper bound
on their strength.
This lowers their security strength to level 0.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16652)
Pauli [Wed, 22 Sep 2021 00:32:49 +0000 (10:32 +1000)]
doc: document the change to the security level of CCM8 cipher suites
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16652)
Pauli [Wed, 22 Sep 2021 00:31:22 +0000 (10:31 +1000)]
tls: reduce the strength of CCM_8 ciphers due to their short IV.
Fixes #16154
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16652)
slontis [Wed, 22 Sep 2021 05:53:54 +0000 (15:53 +1000)]
Change TLS RC4 cipher strength check to be data driven.
This is the same pattern as used in PR #16652
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16656)
Kelvin Lee [Tue, 14 Sep 2021 07:55:50 +0000 (17:55 +1000)]
Explicitly #including <synchapi.h> is unnecessary
The header is already included by <windows.h> for WinSDK 8 or later.
Actually this causes a problem for WinSDK 7.1 (the default for VS2010), which
does not have this header even though SRW Locks do exist on Windows 7.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16603)
Tavis Ormandy [Tue, 21 Sep 2021 22:48:27 +0000 (15:48 -0700)]
increase x509 code coverage metrics
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16651)