slontis [Mon, 18 Mar 2024 00:46:12 +0000 (11:46 +1100)]
Add 'documentation policy' link to CONTRIBUTING guide.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23875)
Bernd Edlinger [Thu, 8 Feb 2024 21:21:55 +0000 (22:21 +0100)]
Fix handling of NULL sig parameter in ECDSA_sign and similar
The problem is, that it almost works to pass sig=NULL to the
ECDSA_sign, ECDSA_sign_ex and DSA_sign, to compute the necessary
space for the resulting signature.
But since the ECDSA signature is non-deterministic
(except when ECDSA_sign_setup/ECDSA_sign_ex are used)
the resulting length may be different when the API is called again.
This can easily cause random memory corruption.
Several internal APIs had the same issue, but since they are
never called with sig=NULL, it is better to make them return an
error in that case, instead of making the code more complex.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23529)
Bernd Edlinger [Fri, 23 Feb 2024 09:32:14 +0000 (10:32 +0100)]
Fix openssl req with -addext subjectAltName=dirName
The syntax check of the -addext fails because the
X509V3_CTX is used to lookup the referenced section,
but the wrong configuration file is used, where only
a default section with all passed in -addext lines is available.
Thus it was not possible to use the subjectAltName=dirName:section
as an -addext parameter. Probably other extensions as well.
This change affects only the syntax check, the real extension
was already created with correct parameters.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23669)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23977)
Simo Sorce [Thu, 21 Mar 2024 14:00:52 +0000 (10:00 -0400)]
Explicitly state what -keys does
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23919)
Jiasheng Jiang [Thu, 21 Mar 2024 20:22:01 +0000 (20:22 +0000)]
Replace size_t with int and add the check for the EVP_MD_get_size()
Replace the type of "digest_size" with int to avoid implicit conversion when it is assigned by EVP_MD_get_size().
Moreover, add the check for the "digest_size".
Fixes: 29ce1066bc ("Update the demos/README file because it is really old. New demos should provide best practice for API use. Add demonstration for computing a SHA3-512 digest - digest/EVP_MD_demo") Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23924)
Jiasheng Jiang [Thu, 21 Mar 2024 19:55:34 +0000 (19:55 +0000)]
Replace unsigned with int
Replace the type of "digest_length" with int to avoid implicit conversion when it is assigned by EVP_MD_get_size().
Otherwise, it may pass the following check and cause the integer overflow error when EVP_MD_get_size() returns negative numbers. Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23922)
olszomal [Thu, 21 Mar 2024 10:10:04 +0000 (11:10 +0100)]
Fixed a typo and grammar in openssl-ts.pod
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23913)
Matt Hauck [Fri, 15 Mar 2024 01:25:11 +0000 (18:25 -0700)]
Update FIPS hmac key documentation
The documentation is slightly incorrect about the FIPS hmac key.
CLA: trivial
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23846)
Matt Caswell [Wed, 13 Mar 2024 15:19:43 +0000 (15:19 +0000)]
Fix unbounded memory growth when using no-cached-fetch
When OpenSSL has been compiled with no-cached-fetch we do not cache
algorithms fetched from a provider. When we export an EVP_PKEY to a
provider we cache the details of that export in the operation cache for
that EVP_PKEY. Amoung the details we cache is the EVP_KEYMGMT that we used
for the export. When we come to reuse the key in the same provider that
we have previously exported the key to, we check the operation cache for
the cached key data. However because the EVP_KEYMGMT instance was not
cached then instance will be different every time and we were not
recognising that we had already exported the key to the provider.
This causes us to re-export the key to the same provider everytime the key
is used. Since this consumes memory we end up with unbounded memory growth.
The fix is to be more intelligent about recognising that we have already
exported key data to a given provider even if the EVP_KEYMGMT instance is
different.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23841)
In the man page for SSL_add_dir_cert_subjects_to_stack(), the functions
returning int have undocumented return values.
Fixes #23171
Signed-off-by: Shakti Shah <shaktishah33@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23433)
Neil Horman [Thu, 14 Mar 2024 16:04:17 +0000 (12:04 -0400)]
Fix ASLR to be smaller during asan/tsan/ubsan runs
Recently asan/tsan/ubsan runs have been failing randomly. It appears
that a recent runner update may have led to the Address Space Layout
Randomization setting in the linux kernel of ubuntu-latest runner
getting set to too high a value (it defaults to 30). Such a setting
leads to the possibility that a given application will have memory
mapped to an address space that the sanitizer code typically uses to do
its job. Lowering this value allows a/t/ubsan to work consistently
again
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23842)
Fix dasync_rsa_decrypt to call EVP_PKEY_meth_get_decrypt
Signed-off-by: Vladimirs Ambrosovs <rodriguez.twister@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23825)
谭九鼎 [Sun, 10 Mar 2024 02:18:05 +0000 (02:18 +0000)]
Doc: fix style
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23805)
Bernd Edlinger [Wed, 28 Feb 2024 06:14:08 +0000 (07:14 +0100)]
Try to fix intermittent CI failures in sslapitest
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23774)
Bernd Edlinger [Fri, 23 Feb 2024 11:04:38 +0000 (12:04 +0100)]
Dont run the self-hosted workflows when not available
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23678)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23404)
Hamilton Chapman [Wed, 21 Feb 2024 13:47:19 +0000 (13:47 +0000)]
Ensure `$(MAKE)` commands and `CFLAGS` are appropriately quoted in the Makefile.
If a user's `make` command came from a path that contained a space then both the
`$(MAKE)` variable (and parts of the generated `CFLAGS`, when building for iOS)
would not be properly quoted and the build would fail.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23663)
Michael Baentsch [Mon, 19 Feb 2024 05:41:35 +0000 (06:41 +0100)]
SSL_set1_groups_list(): Fix memory corruption with 40 groups and more
Fixes #23624
The calculation of the size for gid_arr reallocation was wrong.
A multiplication by gid_arr array item size was missing.
Testcase is added.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23659)
响马 [Sat, 17 Feb 2024 22:57:57 +0000 (06:57 +0800)]
chachap10-ppc.pl: Fix truncated relocation
Fix error: relocation truncated to fit: R_PPC64_REL14 (stub)
against symbol `ChaCha20_ctr32_vsx_8x'
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23618)
MrRurikov [Wed, 21 Feb 2024 08:11:34 +0000 (11:11 +0300)]
s_cb.c: Add missing return value checks
Return value of function 'SSL_CTX_ctrl', that is called from
SSL_CTX_set1_verify_cert_store() and SSL_CTX_set1_chain_cert_store(),
is not checked, but it is usually checked for this function.
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23647)
Add atexit configuration option to using atexit() in libcrypto at build-time.
This fixes an issue with a mix of atexit() usage in DLL and statically linked
libcrypto that came out in the test suite on NonStop, which has slightly
different DLL unload processing semantics compared to Linux. The change
allows a build configuration to select whether to register OPENSSL_cleanup()
with atexit() or not, so avoid situations where atexit() registration causes
SIGSEGV.
INSTALL.md and CHANGES.md have been modified to include and describe this
option.
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca> Signed-off-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23642)
Matt Caswell [Tue, 20 Feb 2024 15:11:26 +0000 (15:11 +0000)]
Don't print excessively long ASN1 items in fuzzer
Prevent spurious fuzzer timeouts by not printing ASN1 which is excessively
long.
This fixes a false positive encountered by OSS-Fuzz.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23640)
Neil Horman [Sat, 16 Dec 2023 20:32:48 +0000 (15:32 -0500)]
Check for NULL cleanup function before using it in encoder_process
encoder_process assumes a cleanup function has been set in the currently
in-use encoder during processing, which can lead to segfaults if said
function hasn't been set
Add a NULL check for this condition, returning -1 if it is not set
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23069)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23544)
Tomas Mraz [Wed, 7 Feb 2024 09:27:50 +0000 (10:27 +0100)]
Fix memory leaks on error cases during drbg initializations
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23503)
Angel Baez [Wed, 7 Feb 2024 15:34:48 +0000 (10:34 -0500)]
Rearrange terms in gf_mul to prevent segfault
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23512)
Tomas Mraz [Fri, 12 Jan 2024 17:47:56 +0000 (18:47 +0100)]
Fix testcases to run on duplicated keys
The existing loop pattern did not really run the expected
tests on the duplicated keys.
Fixes #23129
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23292)
Richard Levitte [Thu, 1 Feb 2024 09:57:51 +0000 (10:57 +0100)]
Fix a few incorrect paths in some build.info files
The following files referred to ../liblegacy.a when they should have
referred to ../../liblegacy.a. This cause the creation of a mysterious
directory 'crypto/providers', and because of an increased strictness
with regards to where directories are created, configuration failure
on some platforms.
Fixes #23436
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23452)
The commit was wrong. With 3.x versions the engines must be themselves
responsible for creating their EVP_PKEYs in a way that they are treated
as legacy - either by using the respective set1 calls or by setting
non-default EVP_PKEY_METHOD.
The workaround has caused more problems than it solved.
Fixes #22945
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23063)
Richard Levitte [Mon, 29 Jan 2024 07:51:52 +0000 (08:51 +0100)]
Fix error reporting in EVP_PKEY_{sign,verify,verify_recover}
For some reason, those functions (and the _init functions too) would
raise EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE when the passed
ctx is NULL, and then not check if the provider supplied the function
that would support these libcrypto functions.
This corrects the situation, and has all those libcrypto functions
raise ERR_R_PASS_NULL_PARAMETER if ctx is NULL, and then check for the
corresponding provider supplied, and only when that one is missing,
raise EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE.
Because 0 doesn't mean error for EVP_PKEY_verify(), -1 is returned when
ERR_R_PASSED_NULL_PARAMETER is raised. This is done consistently for all
affected functions.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23411)
Bernd Edlinger [Sun, 28 Jan 2024 22:50:16 +0000 (23:50 +0100)]
Fix a possible memleak in bind_afalg
bind_afalg calls afalg_aes_cbc which allocates
cipher_handle->_hidden global object(s)
but if one of them fails due to out of memory,
the function bind_afalg relies on the engine destroy
method to be called. But that does not happen
because the dynamic engine object is not destroyed
in the usual way in dynamic_load in this case:
If the bind_engine function fails, there will be no
further calls into the shared object.
See ./crypto/engine/eng_dyn.c near the comment:
/* Copy the original ENGINE structure back */
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23409)
Neil Horman [Fri, 26 Jan 2024 16:33:18 +0000 (11:33 -0500)]
fix missing null check in kdf_test_ctrl
Coverity issue 1453632 noted a missing null check in kdf_test_ctrl
recently. If a malformed value is passed in from the test file that
does not contain a ':' character, the p variable will be NULL, leading
to a NULL derefence prepare_from_text
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23398)
Richard Levitte [Tue, 23 Jan 2024 12:17:31 +0000 (13:17 +0100)]
Have OSSL_PARAM_allocate_from_text() fail on odd number of hex digits
The failure would be caught later on, so this went unnoticed, until someone
tried with just one hex digit, which was simply ignored.
Fixes #23373
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23374)
Matt Caswell [Fri, 19 Jan 2024 14:32:18 +0000 (14:32 +0000)]
Add some tests for various PKCS12 files with NULL ContentInfo
PKCS7 ContentInfo fields held within a PKCS12 file can be NULL, even if the
type has been set to a valid value. CVE-2024-0727 is a result of OpenSSL
attempting to dereference the NULL pointer as a result of this.
We add test for various instances of this problem.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23362)
Matt Caswell [Fri, 19 Jan 2024 11:28:58 +0000 (11:28 +0000)]
Add NULL checks where ContentInfo data can be NULL
PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
optional and can be NULL even if the "type" is a valid value. OpenSSL
was not properly accounting for this and a NULL dereference can occur
causing a crash.
CVE-2024-0727
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23362)
Bernd Edlinger [Mon, 22 Jan 2024 15:02:59 +0000 (16:02 +0100)]
Fix a possible memory leak in req_main
if the private key is output to stdout using the HARNESS_OSSL_PREFIX,
out is a stack of BIOs and must therefore free'd using BIO_free_all.
Steps to reproduce:
$ HARNESS_OSSL_PREFIX=x OPENSSL_CONF=apps/openssl.cnf util/shlib_wrap.sh apps/openssl req -new -keyout - -passout pass: </dev/null
[...]
Direct leak of 128 byte(s) in 1 object(s) allocated from:
#0 0x7f6f692b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7f6f686eda00 in CRYPTO_malloc crypto/mem.c:202
#2 0x7f6f686edba0 in CRYPTO_zalloc crypto/mem.c:222
#3 0x7f6f68471bdf in BIO_new_ex crypto/bio/bio_lib.c:83
#4 0x7f6f68491a8f in BIO_new_fp crypto/bio/bss_file.c:95
#5 0x555c5f58b378 in dup_bio_out apps/lib/apps.c:3014
#6 0x555c5f58f9ac in bio_open_default_ apps/lib/apps.c:3175
#7 0x555c5f58f9ac in bio_open_default apps/lib/apps.c:3203
#8 0x555c5f528537 in req_main apps/req.c:683
#9 0x555c5f50e315 in do_cmd apps/openssl.c:426
#10 0x555c5f4c5575 in main apps/openssl.c:307
#11 0x7f6f680461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: 128 byte(s) leaked in 1 allocation(s).
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23365)
Tomas Mraz [Fri, 19 Jan 2024 09:59:03 +0000 (10:59 +0100)]
tlsfuzzer.sh: Use python3
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23342)
Tomas Mraz [Thu, 18 Jan 2024 15:32:33 +0000 (16:32 +0100)]
tlsfuzzer.sh: Make it more informative on errors
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23342)
Tomas Mraz [Fri, 5 Jan 2024 10:22:28 +0000 (11:22 +0100)]
tlsfuzzer.sh: Run openssl version on the built app and not system one
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23342)
Tomas Mraz [Wed, 3 Jan 2024 11:36:10 +0000 (12:36 +0100)]
gost_engine.sh: Set OPENSSL_ENGINES_DIR
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23342)
shashankmca80 [Sat, 13 Jan 2024 12:46:25 +0000 (18:16 +0530)]
Uninitialized array variable
array"key" is uninitialized and it is being read directly in function SipHash_Init() as per the below statements making a way for the garbage values :
uint64_t k0 = U8TO64_LE(k);
uint64_t k1 = U8TO64_LE(k + 8);
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23298)
Matt Caswell [Mon, 15 Jan 2024 08:55:48 +0000 (08:55 +0000)]
Document SSL_R_UNEXPECTED_EOF_WHILE_READING
Also document that it is ok to use this for control flow decisions.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23327)
X509_dup.pod: add caveat that extra data is not copied and hints, e.g., to use X509_up_ref() instead
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23043)
Kevin Jerebica [Tue, 16 Jan 2024 15:30:26 +0000 (16:30 +0100)]
Add a deprecation warning for a function in docs
The function in question is SSL_get_peer_certificate()
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23315)
Tomas Mraz [Tue, 9 Jan 2024 17:08:22 +0000 (18:08 +0100)]
Add CHANGES.md and NEWS.md entries for CVE-2023-6237
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23243)
Tomas Mraz [Fri, 22 Dec 2023 15:25:56 +0000 (16:25 +0100)]
Limit the execution time of RSA public key check
Fixes CVE-2023-6237
If a large and incorrect RSA public key is checked with
EVP_PKEY_public_check() the computation could take very long time
due to no limit being applied to the RSA public key size and
unnecessarily high number of Miller-Rabin algorithm rounds
used for non-primality check of the modulus.
Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
Also the number of Miller-Rabin rounds was set to 5.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23243)
Richard Levitte [Fri, 27 Oct 2023 07:01:19 +0000 (09:01 +0200)]
Fix the encoding of SM2 keys
OpenSSL's encoding of SM2 keys used the SM2 OID for the algorithm OID
where an AlgorithmIdentifier is encoded (for encoding into the structures
PrivateKeyInfo and SubjectPublicKeyInfo).
Such keys should be encoded as ECC keys.
Fixes #22184
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22529)
Neil Horman [Thu, 7 Dec 2023 21:56:39 +0000 (16:56 -0500)]
Fix NULL pointer deref when parsing the stable section
When parsing the stable section of a config such as this:
openssl_conf = openssl_init
[openssl_init]
stbl_section = mstbl
[mstbl]
id-tc26 = min
Can lead to a SIGSEGV, as the parsing code doesnt recognize min as a
proper section name without a trailing colon to associate it with a
value. As a result the stack of configuration values has an entry with
a null value in it, which leads to the SIGSEGV in do_tcreate when we
attempt to pass NULL to strtoul.
Fix it by skipping any entry in the config name/value list that has a
null value, prior to passing it to stroul
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22988)
Holger Dengler [Thu, 4 Jan 2024 18:25:08 +0000 (19:25 +0100)]
Add tests for re-using cipher contexts
Add test case for re-using a cipher context with the same key, iv and
cipher. It detects, if the hardware-specific cipher context is reset
correctly, like reported in issue #23175.
This test has encrypt and decrypt iterations for cfb128 and
ofb128. All iteations use the same key, iv and plaintext.
Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23201)
Holger Dengler [Fri, 5 Jan 2024 13:16:53 +0000 (14:16 +0100)]
Fix partial block encryption in cfb and ofb for s390x (legacy)
Use the number of processed bytes information (num) from the generic
cipher context for the partial block handling in cfb and ofb also in
s390x-legacy code. For more details see 4df92c1a14 ("Fix partial block
encryption in cfb and ofb for s390x").
Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23201)
Holger Dengler [Thu, 4 Jan 2024 08:37:39 +0000 (09:37 +0100)]
Fix partial block encryption in cfb and ofb for s390x
Use the number of processed bytes information (num) from the generic
cipher context for the partial block handling in cfb and ofb, instead
of keep this information in the s390x-specific part of the cipher
context. The information in the generic context is reset properly,
even if the context is re-initialized without resetting the key or iv.
Fixes: #23175 Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23201)
Neil Horman [Mon, 8 Jan 2024 19:29:52 +0000 (14:29 -0500)]
Update Docs for EVP_MAC
For GMAC/CMAC, its not possible to re-init the algorithm without
explicitly passing an OSSL_MAC_PARAM_IV to each init call, as it is
not possible to extract the IV value from the prior init call (be it
explicitly passed or auto generated). As such, document the fact that
re-initalization requires passing an IV parameter
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23235)
Bernd Edlinger [Mon, 8 Jan 2024 14:31:32 +0000 (15:31 +0100)]
Fix a possible memory leak in sxnet_v2i
When a subsequent call to SXNET_add_id_asc fails
e.g. because user is a string larger than 64 char
or the zone is a duplicate zone id,
or the zone is not an integer,
a memory leak may be the result.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23234)
Tomas Mraz [Thu, 4 Jan 2024 09:32:32 +0000 (10:32 +0100)]
Add CHANGES.md and NEWS.md entries for CVE-2023-6129
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23200)
Rohan McLure [Thu, 4 Jan 2024 09:25:50 +0000 (10:25 +0100)]
poly1305-ppc.pl: Fix vector register clobbering
Fixes CVE-2023-6129
The POLY1305 MAC (message authentication code) implementation in OpenSSL for
PowerPC CPUs saves the the contents of vector registers in different order
than they are restored. Thus the contents of some of these vector registers
is corrupted when returning to the caller. The vulnerable code is used only
on newer PowerPC processors supporting the PowerISA 2.07 instructions.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23200)
Tomas Mraz [Fri, 5 Jan 2024 16:29:20 +0000 (17:29 +0100)]
Add missing sm4_ccm_dupctx() and sm4_gcm_dupctx()
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23217)
Richard Levitte [Wed, 20 Dec 2023 07:25:22 +0000 (08:25 +0100)]
VMS: Add the missing -p32 and -p64 variants for x86_64
The pointer size support is already in the code, and is present for
all other supported hardwares.
Fixes #22899
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23081)
Richard Levitte [Mon, 18 Dec 2023 11:49:08 +0000 (12:49 +0100)]
Fix VMS installation - update vmsconfig.pm for consistency
An effort was made to update the VMS installation data to align with
configuration data. This touched the script templates in VMS/, but
didn't update the generation of vmsconfig.pm to match... and also
missed a spot.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23081)
Neil Horman [Wed, 3 Jan 2024 18:47:05 +0000 (13:47 -0500)]
cleanse stack variable in kdf_pbkdf1_do_derive
kdf_pbkdf1_do_derive stores key derivation information in a stack
variable, which is left uncleansed prior to returning. Ensure that the
stack information is zeroed prior to return to avoid potential leaks of
key information
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23194)
Neil Horman [Tue, 2 Jan 2024 20:48:00 +0000 (15:48 -0500)]
Validate config options during x509 extension creation
There are several points during x509 extension creation which rely on
configuration options which may have been incorrectly parsed due to
invalid settings. Preform a value check for null in those locations to
avoid various crashes/undefined behaviors
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23183)
Neil Horman [Tue, 14 Nov 2023 11:01:51 +0000 (06:01 -0500)]
Adding interop tests
Fedora has some fairly nice interoperability tests that we can leverage
to build a PR and test it against gnutls and nss libraries. This commit
adds the interop-tests.yml ci job to do that work, and run the interop
tests from beaker.
Fixes #20685
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22726)
Neil Horman [Tue, 19 Dec 2023 11:15:39 +0000 (06:15 -0500)]
Update workflow to use GITHUB_WORKSPACE
It was pointed out the GITHUB_WORKSPACE points to the container path of
the workspace, so we can use it instead of hardcoding the
__w/openssl/openssl path
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22726)
Neil Horman [Tue, 14 Nov 2023 11:01:51 +0000 (06:01 -0500)]
Adding interop tests
Fedora has some fairly nice interoperability tests that we can leverage
to build a PR and test it against gnutls and nss libraries. This commit
adds the interop-tests.yml ci job to do that work, and run the interop
tests from beaker.
Fixes #20685
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22726)
Neil Horman [Tue, 12 Sep 2023 21:09:06 +0000 (17:09 -0400)]
Fix a key repointing in various ciphers
In the dupctx fixups I missed a pointer that needed to be repointed to
the surrounding structures AES_KEY structure for the sm4/aes/aria
ccm/gcm variants. This caused a colliding use of the key and possible
use after free issues.
Fixes #22076
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)
Neil Horman [Fri, 1 Sep 2023 17:47:15 +0000 (13:47 -0400)]
Add dupctx support to rc4_hmac_md5 algo
Pretty straightforward, just clone the requested context, no pointers to
fixup
Fixes #21887
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)
Neil Horman [Fri, 1 Sep 2023 17:22:03 +0000 (13:22 -0400)]
implement dupctx for chacha20_poly1305
Same as chacha20 in the last commit, just clone the ctx and its
underlying tlsmac array if its allocated
Fixes #21887
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)
Neil Horman [Fri, 1 Sep 2023 15:28:33 +0000 (11:28 -0400)]
implement dupctx for aes_WRAP methods
create a dupctx method for aes_WRAP implementations of all sizes
Fixes #21887
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)
Neil Horman [Fri, 1 Sep 2023 13:10:35 +0000 (09:10 -0400)]
Add dupctx support to aead ciphers
Add dupctx method support to to ciphers implemented with IMPLEMENT_aead_cipher
This includes:
aes-<kbits>-gcm
aria-<kbits>-ccm
aria-<kbits>-gcm
Fixes #21887
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)
Neil Horman [Tue, 29 Aug 2023 19:42:48 +0000 (15:42 -0400)]
make inability to dup/clone ciphers an error
There should be no reason that a cipher can't be duplicated
Fixes #21887
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)
Dmitry Misharov [Thu, 4 Jan 2024 13:19:10 +0000 (14:19 +0100)]
fix buildtest job runner
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23203)
add missing doc of X509_REQ_get_extensions() and X509_REQ_add_extensions{,_nid}()
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(cherry picked from commit 47dc828c6b652feb9cef5b0e4186d010986f197c)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23190)
Matt Caswell [Wed, 3 Jan 2024 11:03:03 +0000 (11:03 +0000)]
Clarify the PKCS12 docs
Issue #23151 asks a question about the meaning of the PKCS12
documentation. This PR attempts to clarify how friendlyName and localKeyID
are added to the PKCS12 structure.
Fixes #23151
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23188)
Neil Horman [Mon, 1 Jan 2024 14:25:03 +0000 (09:25 -0500)]
cleanse stack variable in blake2[b|s] finalization
If the output of a blake2[b|s] digest isn't a multipl of 8, then a stack
buffer is used to compute the final output, which is left un-zeroed
prior to return, allowing the potential leak of key data. Ensure that,
if the stack variable is used, it gets cleared prior to return.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23173)
Neil Horman [Mon, 1 Jan 2024 16:53:50 +0000 (11:53 -0500)]
validate requested key length in kdf_pbkdf1_do_derive
When using pbkdf1 key deriviation, it is possible to request a key
length larger than the maximum digest size a given digest can produce,
leading to a read of random stack memory.
fix it by returning an error if the requested key size n is larger than
the EVP_MD_size of the digest
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23174)
projects / thirdparty / openssl.git / log
