Tomas Mraz [Mon, 24 Mar 2025 09:53:02 +0000 (10:53 +0100)]
qlog_event_helpers.c: Fix inverted condition
We want to skip up to PACKET_remaining() and not "at least"
PACKET_remaining() bytes.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27138)
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27059)
Martin Oliveira [Wed, 12 Mar 2025 17:09:04 +0000 (11:09 -0600)]
Fix gettable_params() for ECX
The OSSL_PKEY_PARAM_MANDATORY_DIGEST parameter is only handled by the
ed25519_get_params() and ed448_get_params(). The x25519 and x448
versions of get_params() always ignore that parameter, so it should not
be in the list of gettable params.
Fixes: 1a7328c88256 ("PROV: Ensure that ED25519 & ED448 keys have a mandatory digest")
cla: trivial
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27043)
Bernd Edlinger [Sun, 9 Mar 2025 10:20:43 +0000 (11:20 +0100)]
Do some more cleanup in the RCU code
Only a minimum of 2 qp's are necessary: one for the readers,
and at least one that writers can wait on for retirement.
There is no need for one additional qp that is always unused.
Also only one ACQUIRE barrier is necessary in get_hold_current_qp,
so the ATOMIC_LOAD of the reader_idx can be changed to RELAXED.
And finally clarify some comments.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27012)
Bernd Edlinger [Mon, 3 Mar 2025 22:46:12 +0000 (23:46 +0100)]
Fix a memory order issue with weakly ordered systems
this adds a dummy atomic release operation to update_qp, which
should make sure that the new value of reader_idx is visible in
get_hold_current_qp, directly after incrementing the users count.
Fixes: #26875 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26964)
Danny Tsen [Tue, 11 Feb 2025 18:48:01 +0000 (13:48 -0500)]
Fix Minerva timing side-channel signal for P-384 curve on PPC
1. bn_ppc.c: Used bn_mul_mont_int() instead of bn_mul_mont_300_fixed_n6()
for Montgomery multiplication.
2. ecp_nistp384-ppc64.pl:
- Re-wrote p384_felem_mul and p384_felem_square for easier maintenance with
minumum perl wrapper.
- Implemented p384_felem_reduce, p384_felem_mul_reduce and p384_felem_square_reduce.
- Implemented p384_felem_diff64, felem_diff_128_64 and felem_diff128 in assembly.
3. ecp_nistp384.c:
- Added wrapper function for p384_felem_mul_reduce and p384_felem_square_reduce.
Signed-off-by: Danny Tsen <dtsen@us.ibm.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26709)
Tomas Mraz [Tue, 4 Mar 2025 17:43:18 +0000 (18:43 +0100)]
Keep the provided peer EVP_PKEY in the EVP_PKEY_CTX too
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26976)
Andrew Dinh [Tue, 4 Mar 2025 15:32:56 +0000 (22:32 +0700)]
Fix RCU TODOs
- Update allocate_new_qp_group to take unsigned int
- Move id_ctr in rcu_lock_st for better stack alignment
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26972)
Bernd Edlinger [Mon, 3 Mar 2025 07:22:31 +0000 (08:22 +0100)]
RCU: Ensure that qp's are actually retired in order
The current retirement code for rcu qp's has a race condition,
which can cause use-after-free errors, but only if more than
3 QPs are allocated, which is not the default configuration.
This fixes an oversight in commit 5949918f9afa ("Rework and
simplify RCU code")
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26952)
Matt Caswell [Fri, 28 Feb 2025 08:51:43 +0000 (08:51 +0000)]
Move ssl_err.c into libcrypto
We move ssl_err.c out of libssl and into libcrypto. This file is entirely
self contained and is used to load error strings into the libcrypto error
tables. By moving this file into libcrypto, libssl can be unloaded safely
without having dangling references to this error information.
Fixes #26672
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26931)
14MM4CH1N3 [Fri, 14 Feb 2025 17:11:01 +0000 (12:11 -0500)]
Update doc README URLs
This updates the openssl documentation link to the one currently in use,
and removes the standards.txt section as that URL leads to the normal
documentation page and there is no "standards" page in the openssl
documentation site.
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26759)
Tomas Mraz [Fri, 28 Feb 2025 10:13:27 +0000 (11:13 +0100)]
apps: Escape control characters in DNs by default
When displaying distinguished names the control characters
are escaped by default.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26932)
slontis [Tue, 25 Feb 2025 06:03:38 +0000 (17:03 +1100)]
Encoder : Fix floating pointer when OSSL_ENCODER_to_data() is called
twice.
Fixes #26862
This only happens when using the FIPS provider, since it needs to export
the key.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26891)
Viktor Dukhovni [Wed, 26 Feb 2025 09:59:38 +0000 (20:59 +1100)]
Tolerate 3.5+ FIPS providers in kem_rsa_params test
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26911)
Neil Horman [Sun, 16 Feb 2025 13:35:38 +0000 (08:35 -0500)]
Change cipher suite alert for 0 length cipher_suites
From RFC 8446:
Note: TLS defines two generic alerts (see Section 6) to use upon
failure to parse a message. Peers which receive a message which
cannot be parsed according to the syntax (e.g., have a length
extending beyond the message boundary or contain an out-of-range
length) MUST terminate the connection with a "decode_error" alert.
Peers which receive a message which is syntactically correct but
semantically invalid (e.g., a DHE share of p - 1, or an invalid enum)
MUST terminate the connection with an "illegal_parameter" alert.
A zero length cipher suite list I think is considered out of range, and
so we should return "decode_error" rather than "illegal_parameter"
Fixes #25309
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26781)
Fix read out of buffer bounds when dealing with BIO_ADDR
This issue was discoevered while I was testing SSL_new_from_listener()
using a newly created unit test. It has turned out the QUIC stack
at few places contain pattern as follows:
foo(QUIC_WHATEVER *q, BIO_ADDR *a)
{
q->a = *a;
}
The problem is that derefencning a that way is risky. If the address `a`
comes from BIO_lookup_ex() it may actually be shorter than sizeof(BIO_ADDR).
Using BIO_ADDR_copy() is the right thing to do here.
Fixes #26241
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26252)
Niels Dossche [Tue, 21 Jan 2025 11:04:44 +0000 (12:04 +0100)]
Fix potential memory leak in policy_section()
If sk_POLICYQUALINFO_push() fails, qual is not freed.
Fix it by adding POLICYQUALINFO_free() to the error path.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26499)
Tomas Mraz [Wed, 22 Jan 2025 08:57:36 +0000 (09:57 +0100)]
add_uris_recursive(): Avoid OSSL_STORE_INFO leak on error
Fixes #26480
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26511)
Niels Dossche [Wed, 22 Jan 2025 13:35:25 +0000 (14:35 +0100)]
Fix potential leak in error path in cert_response()
get1_cert_status() returns an object that must be freed,
but the error path does not do that.
Fix it by adding a call to X509_free() in the error path.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26513)
Niels Dossche [Wed, 22 Jan 2025 14:43:14 +0000 (15:43 +0100)]
Fix potential memory leaks in error paths in ossl_rsa_multiprime_derive()
There are several cases where new BIGNUM instances are created, not
using the context, but not freed when an error occurs.
Fix this by adding the necessary calls to BN_free().
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26515)
Burkov Egor [Wed, 19 Feb 2025 13:42:07 +0000 (16:42 +0300)]
fix: add OOM handler for x509 fuzz test
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26830)
Bernd Edlinger [Mon, 24 Feb 2025 06:51:16 +0000 (07:51 +0100)]
Revert wrong macos RCU fix
This reverts #23974 which seems to be no longer needed now,
due to other fixes nearby. Most likely the change did just
slightly decrease the performance of the reader threads, and
did therefore create the wrong impression that it fixed the issue.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26881)
Bernd Edlinger [Wed, 19 Feb 2025 17:55:42 +0000 (18:55 +0100)]
Re-enable RCU torture test on MACOSX
This test was disabled due to "Stochastic failures in
the RCU test on MACOSX" by #23967, which sounds like an
issue that is probably fixed now.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26834)
Shakti Shah [Wed, 19 Feb 2025 16:08:36 +0000 (21:38 +0530)]
Make org.openssl.winstore: work in openssl-ts
Fixes #26739
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26833)
Neil Horman [Mon, 17 Feb 2025 15:13:32 +0000 (10:13 -0500)]
Free hashtable prior to freeing atomic worker_lock
lhash_test uses a hashtable that may not be empty at the end of the test
Given that the free function frees the elements in the list and uses the
atomic worker_lock to do so, we need to free the hash table prior to
freeing the working lock to avoid the use of unallocated memory.
Fixes #26798
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26800)
SPARC assembly: Don't file aes-cbc on T4 with small sizes.
The "openssl speed -testmode -seconds 1 -bytes 1 aes-128-cbc" test
revealed that the assembly code is crashing if length is less than 16.
The code shifts the provided length by 4 and than subtracts one until
the length hits zero. If it was already zero then it underflows the
counter and continues until it segfaults on reading or writing.
Replace the check against 0 with less than 15.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25637)
Xi Ruoyao [Wed, 12 Feb 2025 08:42:00 +0000 (16:42 +0800)]
LoongArch: Fix output file name detection for Perl scripts
We were using the first (or second) argument containing a '.' as the
output name file, but it may be incorrect as -march=la64v1.0 may be in
the command line. If the builder specifies -march=la64v1.0 in the
CFLAGS, the script will write to a file named "-march=la64v1.0" and
cause a build error with cryptic message:
ld: crypto/pem/loader_attic-dso-pvkfmt.o: in function `i2b_PVK':
.../openssl-3.4.1/crypto/pem/pvkfmt.c:1070:(.text+0x11a8): undefined reference to `OPENSSL_cleanse'
Adapt the approach of ARM and RISC-V (they have similar flags like
-march=v8.1-a or -misa-spec=2.2) to fix the issue.
Signed-off-by: Xi Ruoyao <xry111@xry111.site> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26717)
Ingo Franzki [Mon, 10 Feb 2025 14:45:26 +0000 (15:45 +0100)]
test/quicapitest.c: Increase timeout of test_fin_only_blocking to 40ms
Running this test on heavily loaded systems may cause the SSL_read_ex() to
take more than 20ms, due to concurrent workload.
Increase the timeout to 40ms to allow a little bit more time.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26693)
Matt Caswell [Fri, 7 Feb 2025 11:53:59 +0000 (11:53 +0000)]
Add a test for configuring provider certs via config
A bug existed where provider added cert algorithms caused a crash when
they were configured via a config file. We add a test for this scenario.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26663)
Matt Caswell [Fri, 7 Feb 2025 12:11:41 +0000 (12:11 +0000)]
Fix configuring provider certificate algs via config file
A crash could occur when attempting to configure a certificate via a
config file, where the algorithm for the certificate key was added
dynamically via a provider.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26663)
Viktor Dukhovni [Thu, 19 Dec 2024 17:26:20 +0000 (04:26 +1100)]
Use ERR marks also when verifying server X.509 certs
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(cherry picked from commit 739c4b2e92116952e4baf3e14d219b82f871ec6a)
Viktor Dukhovni [Thu, 19 Dec 2024 17:25:15 +0000 (04:25 +1100)]
With SSL_VERIFY_PEER client RPK should abort on X509 error
While RPK performs X.509 checks correctly, at the SSL layer the
SSL_VERIFY_PEER flag was not honoured and connections were allowed to
complete even when the server was not verified. The client can of
course determine this by calling SSL_get_verify_result(), but some
may not know to do this.
Added tests to make sure this does not regress.
Fixes CVE-2024-12797
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(cherry picked from commit 6ae8e947d8e3f3f03eeb7d9ad993e341791900bc)
sashan [Wed, 29 Jan 2025 09:57:14 +0000 (10:57 +0100)]
perlasm: Replace .previous with the actual previous section
Older versions of darwin (10.8 and earlier) don't understand .previous.
this tweak emits the previous section directive which preceeds the
rodata (for example .text) instead of using .previous. We use the
same for mingw.
Fixes #26447
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26585)
Dmitry Misharov [Thu, 23 Jan 2025 15:40:31 +0000 (16:40 +0100)]
backport make-release.yml workflow to openssl-3.x branches
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26541)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25716)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25716)
Mae [Wed, 22 Jan 2025 16:54:43 +0000 (16:54 +0000)]
Fix passing struct by value rather than by reference to syscall
Fixes #26521
CLA: trivial
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26523)
Stas Cymbalov [Tue, 21 Jan 2025 13:42:19 +0000 (16:42 +0300)]
Fix data race in asn1_str2tag() on tntmp which was accidentally made static
Variables tntmp and tnst are declared in the same declaration and thus
share storage class specifiers (static). This is unfortunate as tntmp is
used during iteration through tnst array and shouldn't be static.
In particular this leads to two problems that may arise when multiple
threads are executing asn1_str2tag() concurrently:
1. asn1_str2tag() might return value that doesn't correspond to tagstr
parameter. This can happen if other thread modifies tntmp to point to
a different tnst element right after a successful name check in the
if statement.
2. asn1_str2tag() might perform an out-of-bounds read of tnst array.
This can happen when multiple threads all first execute tntmp = tnst;
line and then start executing the loop. If that case those threads
can end up incrementing tntmp past the end of tnst array.
CLA: trivial
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26504)
Signed-off-by: Alexander Heinlein <alexander.heinlein@web.de> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26497)
Bernd Edlinger [Tue, 21 Jan 2025 15:12:18 +0000 (16:12 +0100)]
Give DTLS tests more time to complete
Increase the timeout for DTLS tests to 10 seconds.
But do that only for DTLS as this would waste time
for other tests, most of the TLS tests do not need
this at all.
Fixes #26491
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26502)
When this pattern occurs, the atomic or operation fails to see the published
value of CPU1 and when the or-ed value is written back to ram, the incremented
value in get_hold_current_qp is overwritten, meaning the hold that the reader
placed on the rcu lock is lost, allowing the writer to complete early, freeing
memory before a reader is done reading any held memory.
Why this is only observed on ppc64le I'm not sure, but it seems like a pretty
clear problem.
fix it by implementing ATOMIC_COMPARE_EXCHANGE_N, so that, on the write side in
update_qp, we can ensure that updates are only done if the read side hasn't
changed anything. If it has, retry the operation.
With this fix, I'm able to run the threads test overnight (4000 iterations and
counting) without failure.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26478)
Nadav Tasher [Fri, 20 Dec 2024 15:59:01 +0000 (17:59 +0200)]
s_socket: naccept: close listening socket after accepting clients
When `-naccept` is passed (i.e with `s_server`), the listening socket remains open while handling
client, even after `naccept` is supposed to reach `0`.
This is caused to to the decrementation of `naccept` and closing of the socket
happening a little too late in the `do_server` function.
Signed-off-by: Nadav Tasher <tashernadav@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26228)
Restoring [sp, #64] into d15,d16 instead of d14,d15.
Fixes: #26466
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26469)
Tomas Mraz [Wed, 15 Jan 2025 17:29:52 +0000 (18:29 +0100)]
Add CHANGES.md and NEWS.md updates for CVE-2024-13176
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26429)
Tomas Mraz [Wed, 15 Jan 2025 17:27:02 +0000 (18:27 +0100)]
Fix timing side-channel in ECDSA signature computation
There is a timing signal of around 300 nanoseconds when the top word of
the inverted ECDSA nonce value is zero. This can happen with significant
probability only for some of the supported elliptic curves. In particular
the NIST P-521 curve is affected. To be able to measure this leak, the
attacker process must either be located in the same physical computer or
must have a very fast network connection with low latency.
Attacks on ECDSA nonce are also known as Minerva attack.
Fixes CVE-2024-13176
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26429)
otherddn1978 [Thu, 26 Dec 2024 10:26:34 +0000 (13:26 +0300)]
If you call X509_add_cert with cert == NULL and the X509_ADD_FLAG_UP_REF
flag, it will сrash to X509_up_ref. Passing NULL here is not valid,
return 0 if cert == NULL.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26267)
Richard Levitte [Wed, 15 Jan 2025 09:14:41 +0000 (10:14 +0100)]
Fix documentation of OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION
This drops OSSL_PKEY_PARAM_IMPLICIT_REJECTION - which is a meaningless
name - everywhere apart from still existing (for API stability, in
case someone uses that macro).
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26421)
Nikolay Nikolaev [Tue, 24 Dec 2024 11:26:09 +0000 (13:26 +0200)]
Workaround for RSA on AArch64 Big Endian
10646160125 introduced and optimized RSA NEON implementation
for AArch64 architecture, namely Cortex-A72 and Neoverse N1.
This implementation is broken in Big Endian mode, which is not
widely used, therefore not properly verified.
Here we disable this optimized implementation when Big Endian
platform is used.
Fixes: #22687
CLA: trivial
Signed-off-by: Nikolay Nikolaev <nicknickolaev@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26257)
Peter Bierma [Sun, 12 Jan 2025 16:12:18 +0000 (11:12 -0500)]
Remove non-existing error code.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26389)
Peter Bierma [Sat, 11 Jan 2025 17:02:45 +0000 (12:02 -0500)]
Synchronize openssl.txt with comperr.h
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26389)
Bernd Edlinger [Fri, 10 Jan 2025 07:45:20 +0000 (08:45 +0100)]
Fix dtls tests
The dtls server process exits too early when the input
has an EOF condition.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26374)
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26374)
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26374)
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26374)
Bernd Edlinger [Fri, 10 Jan 2025 18:58:46 +0000 (19:58 +0100)]
Fix test failure in 30-test_evp_pkey_provided.t
In this test there is a random test output corruption.
`make test TESTS=test_evp_pkey_provided V=1` has some random output,
that can with a certain probability start a line with "ok" or so:
# Setting up a OSSL_ENCODER context with passphrase
# Testing with no encryption
jLixONcRPi/m64CGie4KKKDuGeTjtYwfima3BNYCGlgbLGeK3yYxBfZb9JjviOJ4
# nHaNsRsONTAKyg==
This happens because large random data is output to bio_out
but some data remains buffered, and then test_note() is used to print
some comments on the bio_err file. This causes output corruption that
confuses the TAP parser.
Fix that by flushing any pending output with test_flush_stdout() first.
Fixes #23992
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26383)
Neil Horman [Fri, 10 Jan 2025 19:37:28 +0000 (14:37 -0500)]
Fix premature reuse of qp's in rcu locks
An intermittent failure was noted on our new ppc64le CI runner, in which
what appeared to be a corrupted or invalid value getting returned from a
shared pointer under rcu protection
Investigation showed that the problem was with our small number of qp's
in a lock, and slightly incorrect accounting of the number of qp's
available we were prematurely recycling qp's, which led in turn to
premature completion of synchronization states, resulting in readers
reading memory that may have already been freed.
Fix it by:
a) Ensuring that we account for the fact that the first qp in an rcu
lock is allocated at the time the lock is created
and
b) Ensuring that we have a minimum number of 3 qp's:
1 that is free for write side allocation
1 that is in use by the write side currently
1 "next" qp that the read side can update while the prior qp is being
retired
With this change, the rcu threadstest runs indefinately in my testing
Fixes #26356
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26384)
Bernd Edlinger [Thu, 9 Jan 2025 14:14:15 +0000 (15:14 +0100)]
Fix intermittent test failure in 80-test_cmp_http.t
output to stderr is unbuffered bypassing the normal output, which does
not happen at line boundaries and is therefore confusing the TAP parser.
This is known to cause random test failures like this one:
80-test_cmp_http.t (Wstat: 0 Tests: 5 Failed: 0)
Parse errors: Tests out of sequence. Found (6) but expected (5)
Bad plan. You planned 6 tests but ran 5.
Fixes #23992
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26363)
Ingo Franzki [Wed, 8 Jan 2025 15:00:33 +0000 (16:00 +0100)]
speed: Pass IV to EVP_CipherInit_ex for -evp runs with non-AEAD ciphers
Some (non-AEAD) ciphers require an IV to be used. Always pass a (dummy) IV
when setting the key. It is ignored by ciphers that do not use an IV.
Commit 607a46d003f472d4bce646f3df6e85725094d68a corrected the use of AEAD
ciphers, but removed the IV from being passed to EVP_CipherInit_ex() for
non-AEAD ciphers.
Fixes: https://github.com/openssl/openssl/commit/607a46d003f472d4bce646f3df6e85725094d68a Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Hugo Landau <hlandau@devever.net> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26346)
projects / thirdparty / openssl.git / log
