Viktor Dukhovni [Mon, 17 Mar 2025 04:24:33 +0000 (15:24 +1100)]
Tolerate PKCS#8 V2 with optional public keys
- Presently any included public key is unused.
- We don't check that v1 PKCS#8 structures omit the public key.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27076)
Ingo Franzki [Mon, 17 Mar 2025 08:57:40 +0000 (09:57 +0100)]
Doc fix in EVP_PKEY-ML-DSA/KEM.pod files
Fix the references to OSSL_PROVIDER_add_conf_parameter in the 'SEE ALSO'
section.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27077)
Martin Oliveira [Wed, 12 Mar 2025 17:09:04 +0000 (11:09 -0600)]
Fix gettable_params() for ECX
The OSSL_PKEY_PARAM_MANDATORY_DIGEST parameter is only handled by the
ed25519_get_params() and ed448_get_params(). The x25519 and x448
versions of get_params() always ignore that parameter, so it should not
be in the list of gettable params.
Fixes: 1a7328c88256 ("PROV: Ensure that ED25519 & ED448 keys have a mandatory digest")
cla: trivial
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27043)
ak4153 [Sat, 8 Mar 2025 19:37:59 +0000 (21:37 +0200)]
Fix missing OSSL_FUNC_DIGEST_GET_PARAMS in provider-digest.pod
Fixes #26626
CLA: trivial
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27009)
sashan [Mon, 17 Mar 2025 09:23:19 +0000 (10:23 +0100)]
require GNU assembler 2.30 or higher to build aesni-xtx-avx512.pl
The peralsm in aesni-xts-avx512 currently checks for GNU assembler 2.26
or higher. According to reporters it looks like we need 2.30.
This PR just attempts fix version check so people with older
tool chains can build OpenSSL.
Fixes #27049
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27078)
Nicola Tuveri [Fri, 14 Mar 2025 12:09:10 +0000 (14:09 +0200)]
docs(provider-base): Add HISTORY note for OSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS (and MAX)
This commit adds a small note about
definitions for
`OSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS` and
`OSSL_CAPABILITY_TLS_SIGALG_MAX_DTLS`
being first added in OpenSSL 3.5.
PR #26975 added these definitions for OpenSSL 3.5, but the documentation
update omitted a history note for the addition.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27063)
Bernd Edlinger [Sun, 9 Mar 2025 10:20:43 +0000 (11:20 +0100)]
Do some more cleanup in the RCU code
Only a minimum of 2 qp's are necessary: one for the readers,
and at least one that writers can wait on for retirement.
There is no need for one additional qp that is always unused.
Also only one ACQUIRE barrier is necessary in get_hold_current_qp,
so the ATOMIC_LOAD of the reader_idx can be changed to RELAXED.
And finally clarify some comments.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27012)
Bernd Edlinger [Mon, 3 Mar 2025 22:46:12 +0000 (23:46 +0100)]
Fix a memory order issue with weakly ordered systems
this adds a dummy atomic release operation to update_qp, which
should make sure that the new value of reader_idx is visible in
get_hold_current_qp, directly after incrementing the users count.
Fixes: #26875 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26964)
Neil Horman [Fri, 14 Mar 2025 20:08:04 +0000 (16:08 -0400)]
Fix interop ci yaml
Somehow I mistakenly listed clients in the exlude list, when it should
have been servers, resulting in an invalid yml file
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/27066)
Danny Tsen [Tue, 11 Feb 2025 18:48:01 +0000 (13:48 -0500)]
Fix Minerva timing side-channel signal for P-384 curve on PPC
1. bn_ppc.c: Used bn_mul_mont_int() instead of bn_mul_mont_300_fixed_n6()
for Montgomery multiplication.
2. ecp_nistp384-ppc64.pl:
- Re-wrote p384_felem_mul and p384_felem_square for easier maintenance with
minumum perl wrapper.
- Implemented p384_felem_reduce, p384_felem_mul_reduce and p384_felem_square_reduce.
- Implemented p384_felem_diff64, felem_diff_128_64 and felem_diff128 in assembly.
3. ecp_nistp384.c:
- Added wrapper function for p384_felem_mul_reduce and p384_felem_square_reduce.
Signed-off-by: Danny Tsen <dtsen@us.ibm.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26709)
Wrap use of poll.h to prevent including on NonStop.
Fixes: #26724 Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/26726)
Tomas Mraz [Tue, 4 Mar 2025 17:43:18 +0000 (18:43 +0100)]
Keep the provided peer EVP_PKEY in the EVP_PKEY_CTX too
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26976)
Andrew Dinh [Tue, 4 Mar 2025 15:32:56 +0000 (22:32 +0700)]
Fix RCU TODOs
- Update allocate_new_qp_group to take unsigned int
- Move id_ctr in rcu_lock_st for better stack alignment
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26972)
Neil Horman [Sun, 9 Mar 2025 19:19:40 +0000 (15:19 -0400)]
Exclude retry test with msquic server from interop
With the addition of larger ml-kem keys in our tls handshake, we've
uncovered a interop failure, as described here:
https://github.com/microsoft/msquic/issues/4905
In short, when we send a client hello that spans multiple datagrams, the
servers sends an ACK frame in a datagram prior to sending its server
hello. msquic however, recomputes a new SCID always when sending its
sserver hello, which is fine nominally, but because in this test the
server sends a retry frame to update the SCID, followed by an ACK using
that SCID (which is an initial packet), msquic violates the RFC in
section 7.2 which states:
Once a client has received a valid Initial packet from the server, it MUST
discard any subsequent packet it receives on that connection with a
different Source Connection ID
Because msquic sent an initial packet with that ACK frame, we are
required to discard subsequent frames on the connection containing a
different SCID.
Until msquic fixes that in their implementation we are going to fail the
retry interop test, so for now, lets exclude the test.
Also, while we're at it, re-add chrome into the client list for our
server tests, as that seems to have been lost during the merge.
Fixes openssl/project#1132
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27014)
Signature schemes like Ed25519 or ML-DSA use "pure" signing,
i.e. they directly sign the tbs data instead of signing a digest.
This is already supported in the X509 code, but not in CMS.
This commit adds support for such schemes to CMS.
This is a minimalistic set of changes, based in the work done
by David von Oheimb.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26867)
Viktor Dukhovni [Thu, 6 Mar 2025 14:44:06 +0000 (01:44 +1100)]
Make group names case-insensitive
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26991)
Viktor Dukhovni [Wed, 5 Mar 2025 19:02:28 +0000 (06:02 +1100)]
Refactor sigalg handling
- The default sigalg list now puts ML-DSA-65 first, then ML-DSA-87
and then ML-DSA-44. (87 vs. 44 Subject to bikeshedding).
- The mintls and maxtls versions are now taken into account for
both built-in and provided algorithms.
- Some algorithms have a separate TLSv1.2-specific name for future
reporting via openssl-list(1).
- ML-DSA aside, any new provided algorithms go at the end of the
default list (backwards-compatible inclusion).
- The built-in algorithms now also have min/max DTLS versions.
Though the provider TLS-SIGALG capability was extended to also report
the DTLS version range, the minimum supported DTLS is 1.3, which we
don't yet have, so it is not yet possible to add DTLS sigalgs via a
provider
- The TLS 1.3 brainpool sigalgs got their correct IANA names, with
the legacy names as purported TLS 1.2 alternatives, but since
these are for TLS 1.3 and up those names are for matching only,
the reported value will still be the 1.3 name.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26975)
Neil Horman [Fri, 7 Mar 2025 21:35:47 +0000 (16:35 -0500)]
Orphan packets from qrx
It may occur that the qrx we allocate in port_default_packet handler to
do AEAD validation isn't the one the channel ultimately uses (like if we
turn off address validation). In that event, we need to ensure that
anything we have on that qrx isn't returned to its free list to avoid
early freeing when we free the qrx at the end of
port_default_packet_handler, while those frames are still pending on the
channel qrx
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27004)
Neil Horman [Sat, 8 Mar 2025 02:52:03 +0000 (21:52 -0500)]
If our server channel creates its own qrx, set its initial secret
With the addition of larger client hellos, stemming from the use of
larger PQC key shares, it may happen that we get a client hello accross
multiple datagrams. Normally this is not a problem as
port_default_packet_handler allocates a qrx and initializes its initial
secret immediately. But if server address validation is disabled, then
the channel creates the qrx in port_bind_channel itself, without initial
secrets. As a result, we validate the first datagram in
port_default_packet_handler, but the subsequent datagrams containing the
remaining client hello fragments fail decode.
Fix it by ensuring that we add the initial secret in port_bind_channel
if we don't give it a preconfigured qrx
Fixes openssl/project#1131
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27006)
Neil Horman [Tue, 4 Mar 2025 13:20:29 +0000 (08:20 -0500)]
Fix build on windows xp
Windows XP doesn't support setting socket handles to be non-inheritable,
but the rio_notifier attempts to do so. WSASocketA will there return
an error when the NO_INHERIT flag is set. In that case, just retry the
call without the flag.
Fixes #26943
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26970)
Bernd Edlinger [Mon, 3 Mar 2025 07:22:31 +0000 (08:22 +0100)]
RCU: Ensure that qp's are actually retired in order
The current retirement code for rcu qp's has a race condition,
which can cause use-after-free errors, but only if more than
3 QPs are allocated, which is not the default configuration.
This fixes an oversight in commit 5949918f9afa ("Rework and
simplify RCU code")
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26952)
Andrew Dinh [Sat, 1 Mar 2025 16:19:38 +0000 (23:19 +0700)]
QUIC server post-rebase nits
- Apply doc nits suggested by Viktor from https://github.com/openssl/openssl/pull/26762
- Update CHANGES.md & NEWS.md saying there is now support for QUIC server
- Added copyright header in: test/radix/quic_ops.c
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26944)
Ivan Stanković [Tue, 4 Mar 2025 16:30:34 +0000 (17:30 +0100)]
x509: allow SAN URIs to contain userinfo
The way we're currently handling SAN URIs does not allow for userinfo,
meaning the name constraint check on such URIs will fail. Fix this by
skipping over the userinfo component:
authority = [ userinfo "@" ] host [ ":" port ]
(per RFC 3986).
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25861)
Tomas Mraz [Mon, 3 Mar 2025 11:02:29 +0000 (12:02 +0100)]
doc: Fix type of OSSL_KEM_PARAM_IKME for ML-KEM
Fixes #26945
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26954)
Pauli [Mon, 3 Mar 2025 01:40:20 +0000 (12:40 +1100)]
run ECX KEM evp_test tests
The FIPS providers that support ECX (3.0.x & maybe 3.1.x) do not support ECX
KEM so there is little point to testing these algorithms under FIPS. Consequently,
they are being tested only with the default provider.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26946)
Pauli [Mon, 3 Mar 2025 01:40:02 +0000 (12:40 +1100)]
ecx kem: add evp_test data for ECX KEM testing
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26946)
Pauli [Mon, 3 Mar 2025 00:45:48 +0000 (11:45 +1100)]
evp_test: fully test RSA
The evppkey_rsa.txt data were only tested against the default provider.
Change this so that they are tested against the FIPS provider too.
Also add the RSA KEM tests.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26946)
Pauli [Mon, 3 Mar 2025 00:45:43 +0000 (11:45 +1100)]
rsa kem: add evp_test data
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26946)
Pauli [Mon, 3 Mar 2025 00:45:27 +0000 (11:45 +1100)]
evp_test: fix untested errant code paths
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26946)
Pauli [Mon, 3 Mar 2025 00:18:11 +0000 (11:18 +1100)]
test: condition SHA1/MD5 tests on default provider in evp_test data file
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26946)
Pauli [Mon, 3 Mar 2025 00:17:45 +0000 (11:17 +1100)]
test: remove RSA KEM tests from evp_test data file
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26946)
14MM4CH1N3 [Fri, 14 Feb 2025 17:11:01 +0000 (12:11 -0500)]
Update doc README URLs
This updates the openssl documentation link to the one currently in use,
and removes the standards.txt section as that URL leads to the normal
documentation page and there is no "standards" page in the openssl
documentation site.
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26759)
Andrew Dinh [Thu, 27 Feb 2025 07:06:47 +0000 (14:06 +0700)]
SSL_CTX_set1_curves.pod: Move examples to own section
Also specify whether server or client preference
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26897)
Andrew Dinh [Tue, 25 Feb 2025 09:34:17 +0000 (16:34 +0700)]
doc: Add some clarifications for SSL_CTX_set1_curves()
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26897)
Signed-off-by: Ondrej Moris <omoris@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26899)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26925)
Tomas Mraz [Fri, 28 Feb 2025 10:13:27 +0000 (11:13 +0100)]
apps: Escape control characters in DNs by default
When displaying distinguished names the control characters
are escaped by default.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26932)
Tomas Mraz [Fri, 28 Feb 2025 10:09:55 +0000 (11:09 +0100)]
Sync CHANGES.md with 3.4 branch and fix formatting
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26932)
Neil Horman [Fri, 28 Feb 2025 18:58:48 +0000 (13:58 -0500)]
Remove empty buffer check in script_84 of quic_multistream_test
The quic_multistream_test occasionally fails script_84, specifically
failing on:
OP_CHECK2(check_write_buf_stat, 0, 0)
which fails due to the send stream buffer not reading zero after data is
sent on the stream
However, the send stream is culled of pending data, not after the stream
is sent, but rather only after the peer sends an ack confirming that the
data has been received. There is no guarantee that ACK will be sent
immediately, so occasionally timing discrepancies result in the test not
getting that ack by the time we check the send stream buffer.
We couldmodify the script to wait longer, or repeatedly tick the quic
stack to wait for that ack to be collected, but since its perfectly
valid for that data to live in the ring buffer for a period, and that
any true erroneous keeping of that data beyond its ack point would
manifest as any number of other duplicate transmissions, it seems more
sane to just remove the check.
Fixes openssl/project#1117
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26939)
Matt Caswell [Fri, 28 Feb 2025 08:51:43 +0000 (08:51 +0000)]
Move ssl_err.c into libcrypto
We move ssl_err.c out of libssl and into libcrypto. This file is entirely
self contained and is used to load error strings into the libcrypto error
tables. By moving this file into libcrypto, libssl can be unloaded safely
without having dangling references to this error information.
Fixes #26672
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26931)
Viktor Dukhovni [Thu, 27 Feb 2025 17:17:08 +0000 (04:17 +1100)]
Further decoder tuning possibly better perf
- The decoder should consider fewer options based on
more precise tracking of the desired input type
(DER, PVK, MSBLOB), algorithm (RSA, EC, ...),
input structure (SPKI, P8, ...).
How much this affects actual use-cases is harder to estimate, we'll just
have to run before/after perf tests.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26927)
Geert Hendrickx [Fri, 28 Feb 2025 13:50:32 +0000 (14:50 +0100)]
Fix `no-tls-deprecated-ec` documentation to match the actual option.
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26934)
Valerii Krygin [Tue, 25 Feb 2025 15:57:26 +0000 (15:57 +0000)]
EVP_DecodeUpdate() should not produce padding zeros to the decoded output (Fixes #26677)
EVP_DecodeUpdate() should not produce zeros for input padding `=` signs to avoid writing to non-allocated memory regions.
To achieve this:
- Add `eof` parameter to `evp_decodeblock_int` function in `openssl/crypto/evp`. The parameter should either contain the number of the input padding characters to ignore or `-1` if the function has to count them.
- Use precalculated `eof` in `EVP_DecodeUpdate` to fix its behaviour.
- Use `eof = -1` in `EVP_DecodeFinal` to count it in `evp_decodeblock_int`.
- Do not ignore padding in `EVP_DecodeBlock` (`eof = 0`) because it should write padding zeros according to the documentation.
- Add the HISTORY section to EVP_EncodeInit documentation to describe the fix.
Other changes:
- Update AUTHORS.md
- Update the copyright date in the documentation.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26678)
Viktor Dukhovni [Wed, 26 Feb 2025 02:04:12 +0000 (13:04 +1100)]
Check full ML-KEM encoded key
When both seed and key are provided compare the full ML-KEM private key
with the seed keygen output, not just the public key.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26905)
doc/, CHANGES, NEWS: add missing entries and fix existing ones when which CMP feature was added
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26908)
Andrew Dinh [Wed, 26 Feb 2025 14:39:20 +0000 (21:39 +0700)]
Update slh_dsa_test.c
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26916)
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26916)
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26916)
slontis [Tue, 25 Feb 2025 06:03:38 +0000 (17:03 +1100)]
Encoder : Fix floating pointer when OSSL_ENCODER_to_data() is called
twice.
Fixes #26862
This only happens when using the FIPS provider, since it needs to export
the key.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26891)
Viktor Dukhovni [Tue, 25 Feb 2025 07:17:02 +0000 (18:17 +1100)]
Use better data type info in decoders
The decoders in some cases failed to capture or propagate
information about what is being decoded, causing more work
happen to try unrelated decoders as a fallback.
We now try harder to keep track of the expected object (private key or
public key, if known), and the algorithm determined from the OID of a
PKCS8 object or SPKI. This leads in many cases to fewer decoder
invocations. With so many more algorithms now, trying every decoder
is increasingly best avoided.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26892)
slontis [Mon, 24 Feb 2025 23:06:26 +0000 (10:06 +1100)]
ML-DSA Add Wycheproof test vectors.
Added a python script to convert the json files into evp_test data.
Added a EVP_TEST_METHOD "KeyFromData" that can test failures when
loading raw keys. (The existing "PrivateKeyRaw" and "PublicKeyRaw"
were not fit for this purpose).
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26885)
slontis [Tue, 25 Feb 2025 02:31:46 +0000 (13:31 +1100)]
FIPS POST: Change PBKDF2 CAST to use less iterations.
Fixes #26876
The issue here is that the pbkdf2 'lower_bounds_checks' currently errors by default
in FIPS mode if iterations < 1000.
i.e. the "pkcs5" flag = 0 triggers an error..
Turning the flag on means the FIPS indicator is triggered (which is probably correct behaviour)
Not sure testing the fips state here is a good idea (i.e. taking a TSAN hit).
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26887)
Neil Horman [Mon, 24 Feb 2025 12:55:33 +0000 (07:55 -0500)]
fix slh-dsa incorrect prediction of result code
The slh_dsa fuzzer predicts failure in EVP_message_sign_init in the
event we pass a context_string param of more than 255 bytes. That makes
for an accurate prediction, but only if we actually create the param.
augment the setting of exepct_rc_init to be determined not only by our
allocation of a > 255 byte message, but also on selector bit 1, which
determines if we create the parameter at all.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26884)
Neil Horman [Sun, 16 Feb 2025 13:35:38 +0000 (08:35 -0500)]
Change cipher suite alert for 0 length cipher_suites
From RFC 8446:
Note: TLS defines two generic alerts (see Section 6) to use upon
failure to parse a message. Peers which receive a message which
cannot be parsed according to the syntax (e.g., have a length
extending beyond the message boundary or contain an out-of-range
length) MUST terminate the connection with a "decode_error" alert.
Peers which receive a message which is syntactically correct but
semantically invalid (e.g., a DHE share of p - 1, or an invalid enum)
MUST terminate the connection with an "illegal_parameter" alert.
A zero length cipher suite list I think is considered out of range, and
so we should return "decode_error" rather than "illegal_parameter"
Fixes #25309
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26781)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25930)
fips-jitter: Force use jitter entropy in the FIPS 3.0.9 provider callback
FIPS 3.0.9 provider does not honor runtime seed configuration, thus if
one desires to use JITTER entropy source with FIPS 3.0.9 provider
something like this needs to be applied to the core (libcrypto) build.
Not sure if this is at all suitable for upstream.
With fips-jitter (3.5+) config, also ensure that core<->provider
callback for entropy uses jitter entropy source, rather than os seed
(getrandom syscall).
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25930)
Fix read out of buffer bounds when dealing with BIO_ADDR
This issue was discoevered while I was testing SSL_new_from_listener()
using a newly created unit test. It has turned out the QUIC stack
at few places contain pattern as follows:
foo(QUIC_WHATEVER *q, BIO_ADDR *a)
{
q->a = *a;
}
The problem is that derefencning a that way is risky. If the address `a`
comes from BIO_lookup_ex() it may actually be shorter than sizeof(BIO_ADDR).
Using BIO_ADDR_copy() is the right thing to do here.
Fixes #26241
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26252)
Niels Dossche [Tue, 21 Jan 2025 11:04:44 +0000 (12:04 +0100)]
Fix potential memory leak in policy_section()
If sk_POLICYQUALINFO_push() fails, qual is not freed.
Fix it by adding POLICYQUALINFO_free() to the error path.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26499)
Tomas Mraz [Wed, 22 Jan 2025 08:57:36 +0000 (09:57 +0100)]
add_uris_recursive(): Avoid OSSL_STORE_INFO leak on error
Fixes #26480
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26511)
Niels Dossche [Wed, 22 Jan 2025 13:35:25 +0000 (14:35 +0100)]
Fix potential leak in error path in cert_response()
get1_cert_status() returns an object that must be freed,
but the error path does not do that.
Fix it by adding a call to X509_free() in the error path.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26513)
Tomas Mraz [Mon, 24 Feb 2025 08:47:13 +0000 (09:47 +0100)]
Rename fnv1a_hash() to ossl_fnv1a_hash()
It is no longer static.
Also add it to libssl only with quic enabled.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26882)
Niels Dossche [Wed, 22 Jan 2025 14:43:14 +0000 (15:43 +0100)]
Fix potential memory leaks in error paths in ossl_rsa_multiprime_derive()
There are several cases where new BIGNUM instances are created, not
using the context, but not freed when an error occurs.
Fix this by adding the necessary calls to BN_free().
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26515)
Neil Horman [Fri, 21 Feb 2025 17:22:17 +0000 (12:22 -0500)]
Convert test_bio_ssl to use fake time
The test_bio_ssl test in quicapitest is failing on windows. Something
about the timing there is causing wide variance in how long it takes to
establish a handshake (between 130-6500 iterations).
Convert it to use fake time to make it run consistently.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26801)
Viktor Dukhovni [Mon, 17 Feb 2025 15:41:51 +0000 (02:41 +1100)]
Add hybrid ML-KEM based groups to default TLS groups
- send two key shares by default
- trim down the list of default groups
The default TLS group list setting is now:
?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26801)
projects / thirdparty / openssl.git / log
