Resolves some magic values that has a hello_retry_request enum type.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21636)
crypto/cmp: fix clash of OSSL_CMP_CERTREQID_NONE with error result of ossl_cmp_asn1_get_int()
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21579)
Wo'O Ideafarm [Tue, 1 Aug 2023 17:47:16 +0000 (10:47 -0700)]
formatting: shift one space to right
per request.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21595)
Code that includes applink.c can now define APPLINK_NO_INCLUDES to suppress the include preprocessor lines in that file. This might be needed if, for example, applink.c is being included into a source file that will be compiled to reference a C library built using different calling conventions. (Example: Open Watcom.)
This pull request is intended to replace an identical pull request that I screwed up.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21595)
Tianjia Zhang [Tue, 1 Aug 2023 06:21:02 +0000 (14:21 +0800)]
Fix typo in function name
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21608)
Matt Caswell [Fri, 28 Jul 2023 14:32:57 +0000 (15:32 +0100)]
Extend the test_quic_write_read() test to include resumption
We add an additional loop around test_quic_write_read() to repeat the
test but using a session obtained from the initial iteration to confirm
that we can successfully resume the session.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21591)
Matt Caswell [Fri, 28 Jul 2023 15:04:14 +0000 (16:04 +0100)]
Ensure the QUIC TLS SSL object is marked as shutdown
If we shutdown the QUIC connection then we should mark the underlying
TLS SSL object as shutdown as well. Otherwise any sessions are considered
unusable for resumption.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21591)
Matt Caswell [Thu, 27 Jul 2023 12:48:02 +0000 (13:48 +0100)]
Keep doing ossl_quic_tls_tick() even after handshake completion
There may be post-handshake messages to process so make sure we keep
ticking things even if the handshake has finished. We do this simply by
calling SSL_read(). There should never be app data to read but we will
process any handshake records we encounter.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21591)
Matt Caswell [Thu, 27 Jul 2023 14:30:17 +0000 (15:30 +0100)]
Ensure SSL_has_pending() always works even before a connection
s_client calls SSL_has_pending() even before the connection has been
established. We expect it to return 0 in this case and not put any errors
on the stack.
We change things so that SSL_has_pending() always returns 0 if there is
no stream available.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21578)
Matt Caswell [Mon, 31 Jul 2023 11:32:16 +0000 (12:32 +0100)]
The PEM_read_bio_Parameters() function should not ask for a password
The PEM_read_bio_Parameters[_ex] function does not have the capability
of specifying a password callback. We should not use the fallback password
callback in this case because it will attempt to send a prompt for the
password which might not be the correct thing to do. We should just not
use a password in that case.
Fixes #21588
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21603)
Matt Caswell [Mon, 31 Jul 2023 11:30:34 +0000 (12:30 +0100)]
Always add a suitable error if we fail to decode
We're always supposed to add the fallback "unsupported" error if we don't
have anything better. However in some cases this wasn't happening because
we were incorrectly setting "flag_construct_called" - even though the
construct function had failed.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21603)
In the definition of the latest revised LoongArch64 vector instruction manual,
it is clearly pointed out that the undefined upper three bits of each byte in
the control register of the vshuf.b instruction should not be used, otherwise
uncertain results may be obtained. Therefore, it is necessary to correct the
use of the vshuf.b instruction in the existing vpaes-loongarch64.pl code to
avoid erroneous calculation results in future LoongArch64 processors.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21530)
speed: Unify output messages regarding number of ops per time
Always report "<algo> ops in <time>", instead of "<algo>'s in <time>" or
similar. Avoid the use of apostrophes and/or plural with algorithm names.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21383)
Ingo Franzki [Tue, 20 Jun 2023 11:40:41 +0000 (13:40 +0200)]
speed: Also measure RSA encrypt/decrypt, not only RSA sign/verify
While RSA encrypt/decrypt and sign/verify are basically the same mod-expo
operations, the speed of the operation may still differ, due to different
padding, as well as the use of implicit rejection for RSA decrypt.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21383)
Matt Caswell [Thu, 27 Jul 2023 11:09:47 +0000 (12:09 +0100)]
Fix a regression in X509_VERIFY_PARAM_add0_policy()
Also fixes a similar regression in X509_VERIFY_PARAM_add0_table().
Commit 38ebfc3 introduced a regression in 3.0.6 that changed the return
value of the two functions above from 1 on success to the number of entries
in the stack. If there are more than one entry then this is a change in
behaviour which should not have been introduced into a stable release.
This reverts the behaviour back to what it was prior to the change. The code
is slightly different to the original code in that we also handle a possible
-1 return value from the stack push function. This should never happen in
reality because we never pass a NULL stack as a parameter - but for the sake
of robustness we handle it anyway.
Note that the changed behaviour exists in all versions of 3.1 (it never had
the original version). But 3.1 should be fully backwards compatible with 3.0
so we should change it there too.
Fixes #21570
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/21576)
Removes unused parameter 'sending' from derive_secret_key_and_iv()
Fixes #21569
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21569)
Xi Ruoyao [Fri, 21 Jul 2023 02:07:04 +0000 (02:07 +0000)]
vpaes: LoongArch: Use getauxval(AT_HWCAP) for LSX detection
Running LSX instructions requires both the hardware support and the
kernel support. The `cpucfg` instruction only tests the hardware
support, causing a SIGILL if the hardware supports LSX but the kernel
does not.
Use `getauxval(AT_HWCAP)` as the ["Software Development and Build
Convention for LoongArch Architectures"][1] manual suggests.
The LOONGARCH_HWCAP_LSX and LOONGARCH_HWCAP_LASX bits are copied from
the manual too. In Glibc 2.38 they'll be provided by <sys/auxv.h> as
well, but they are unavailable in earlier Glibc versions so we cannot
rely on it.
The getauxval syscall and Glibc wrapper are available since day one
(Linux-5.19 and Glibc-2.36) for LoongArch.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21509)
John Kohl [Wed, 26 Jul 2023 12:41:31 +0000 (08:41 -0400)]
fix compile error (SIZE_MAX not found) on HP-UX
Fixes #21554
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21562)
x509/by_file.c: fix unreachable and redundant code
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21545)
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21535)
John Kohl [Wed, 26 Jul 2023 12:16:54 +0000 (08:16 -0400)]
Include <openssl/err.h> in include/refcount.h
Fixes #21555
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21561)
Tomas Mraz [Tue, 25 Jul 2023 13:35:34 +0000 (15:35 +0200)]
Add CHANGES.md and NEWS.md entries for CVE-2023-3817
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21550)
Tomas Mraz [Tue, 25 Jul 2023 13:23:43 +0000 (15:23 +0200)]
dhtest.c: Add test of DH_check() with q = p + 1
This must fail with DH_CHECK_INVALID_Q_VALUE and
with DH_CHECK_Q_NOT_PRIME unset.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21550)
Tomas Mraz [Tue, 25 Jul 2023 13:22:48 +0000 (15:22 +0200)]
DH_check(): Do not try checking q properties if it is obviously invalid
If |q| >= |p| then the q value is obviously wrong as q
is supposed to be a prime divisor of p-1.
We check if p is overly large so this added test implies that
q is not large either when performing subsequent tests using that
q value.
Otherwise if it is too large these additional checks of the q value
such as the primality test can then trigger DoS by doing overly long
computations.
Fixes CVE-2023-3817
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21550)
Make DH_check set some error bits in recently added error
The pre-existing error cases where DH_check returned zero
are not related to the dh params in any way, but are only
triggered by out-of-memory errors, therefore having *ret
set to zero feels right, but since the new error case is
triggered by too large p values that is something different.
On the other hand some callers of this function might not
be prepared to handle the return value correctly but only
rely on *ret. Therefore we set some error bits in *ret as
additional safety measure.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21524)
get_cert_by_subject_ex(): Check result of X509_STORE_lock()
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21515)
MrRurikov [Thu, 29 Jun 2023 14:06:08 +0000 (17:06 +0300)]
bio_print.c: Delete unreachable code at lines 710 and 711
CLA: trivial
The purpose of adding the conditional operator on line 710 is to check
if the value of the variable 'fplace' exceeds the size of the array
'fconvert', and to reduce the value of 'fplace' by 1, so that later on
we can set the value to zero of the array element with the index 'fplace'
and not make any calls beyond the array edges.
However, the condition on line 710 will always be false, because
the size of 'fconvert' is strictly specified at the beginning of
the 'fmtfp()' function (line 571), so it is reasonable to remove
this conditional operator, as well as the unreachable decrementation
code of the variable 'fplace'.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21325)
Adds separate configuration targets for intel i386/x86_64 and arm64 ios simulators
Fixes #21287
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21309)
When an early error happens in the test_pipelining
function and idx == 5 the error handling would try
to call OPENSSL_free(msg), but msg is at that time
just a string constant in read-only memory, so a
crash would be the result. Fixed that by using
fragsize as an indication when to free msg.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21512)
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21495)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21398)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21398)
Enable ARMv8.2 accelerated SHA3 on compatible Apple CPUs
The hardware-assisted ARMv8.2 implementation is already in keccak1600-armv8.pl.
It is not called because the author mentioned that it's not actually obvious
that it will provide performance improvements. The test on Apple M1 Firestorm
shows that the ARMv8.2 implementation could improve about 36% for large blocks.
So let's enable ARMv8.2 accelerated SHA3 on Apple CPU family.
Fixes #21380
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21398)
Doing 253 bits sign Ed25519 ops for 10s: EdDSA sign failure 000003FF9306C7D0:error:030000BC:digital envelope routines:EVP_DigestSign:
final error:crypto/evp/m_sigver.c:585:
-1 253 bits Ed25519 sign ops in 0.00s
Doing 253 bits verify Ed25519 ops for 10s: EdDSA verify failure 000003FF9306C7D0:error:030000BC:digital envelope routines:EVP_DigestVerify:
final error:crypto/evp/m_sigver.c:694:
-1 253 bits Ed25519 verify ops in 0.00s
This is because the EVP_DigestSign/Verify() calls in the EdDSA_sign/verify_loop()
fail because the context has already been finalized by the previous
EVP_DigestSign/Verify call during the EdDSA signature test done by speed_main().
This happens since commit 3fc2b7d6b8f961144905330dfd4689f5bd515199 where the
EVP_DigestSign/Verify() functions have been changed to set a flag that the
context has been finalized.
Fix this by re-initializing the context using EVP_DigestSign/Verify() in the
EdDSA_sign/verify_loop().
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21491)
Free the signature stack after iterating over all found signatures.
Free the kem and signature stacks at the end of speed_main() if not
NULL.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21491)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21474)
Matt Caswell [Thu, 13 Jul 2023 15:14:49 +0000 (16:14 +0100)]
Update CHANGES/NEWS for CVE-2023-3446
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21451)
Matt Caswell [Fri, 7 Jul 2023 13:39:48 +0000 (14:39 +0100)]
Add a test for CVE-2023-3446
Confirm that the only errors DH_check() finds with DH parameters with an
excessively long modulus is that the modulus is too large. We should not
be performing time consuming checks using that modulus.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21451)
Matt Caswell [Thu, 6 Jul 2023 15:36:35 +0000 (16:36 +0100)]
Fix DH_check() excessive time with over sized modulus
The DH_check() function checks numerous aspects of the key or parameters
that have been supplied. Some of those checks use the supplied modulus
value even if it is excessively large.
There is already a maximum DH modulus size (10,000 bits) over which
OpenSSL will not generate or derive keys. DH_check() will however still
perform various tests for validity on such a large modulus. We introduce a
new maximum (32,768) over which DH_check() will just fail.
An application that calls DH_check() and supplies a key or parameters
obtained from an untrusted source could be vulnerable to a Denial of
Service attack.
The function DH_check() is itself called by a number of other OpenSSL
functions. An application calling any of those other functions may
similarly be affected. The other functions affected by this are
DH_check_ex() and EVP_PKEY_param_check().
CVE-2023-3446
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21451)
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21473)
Tomas Mraz [Mon, 17 Jul 2023 15:36:32 +0000 (17:36 +0200)]
Raise SSL_R_QUIC_PROTOCOL_ERROR on any QUIC protocol error
QUIC error code, frame type and reason is in error data
Fixes #21337
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21476)
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21467)
lan1120 [Sat, 10 Jun 2023 11:36:17 +0000 (19:36 +0800)]
Fix int_ctx_new() error when use 1.1.1n sm2 key and ec method engine
Signed-off-by: lan1120 <lanming@huawei.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21170)
Tomas Mraz [Fri, 14 Jul 2023 08:25:42 +0000 (10:25 +0200)]
no-module should not imply disabling DSO loading support
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21459)
Remove unreachable code from SSL_use_certificate_file() as in SSL_CTX_use_certificate_file()
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21394)