Richard Levitte [Tue, 15 Oct 2024 12:25:34 +0000 (14:25 +0200)]
fix: let util/mkbuildinf.pl use SOURCE_DATE_EPOCH, even if it's zero
Doing this allows reproducible builds, for those who want this.
Fixes #25475
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25699)
Tomas Mraz [Wed, 16 Oct 2024 18:00:19 +0000 (20:00 +0200)]
openssl-info.pod.in: Add windowscontext option to synopsis in doc
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25712)
mem: Don't use posix_memalign() and friends with custom wrapper
If the application provides custom memory allocations functions via
CRYPTO_set_mem_functions() then those should be used instead something
else like posix_memalign(). The applications might verify alloc and free
calls and pointers from posix_memalign() were never returned by the
implementations.
At least stunnel4 complains here.
Use posix_memalign() or if aligned_alloc() only if the application did
not provide a custom malloc() implementation. In case of a custom
implementation use CRYPTO_malloc() and align the memory accordingly.
Fixes #25678
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25682)
Signed-off-by: dependabot[bot] <support@github.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25701)
Viktor Dukhovni [Wed, 18 Sep 2024 15:02:40 +0000 (01:02 +1000)]
Harden BN_GF2m_poly2arr against misuse.
The BN_GF2m_poly2arr() function converts characteristic-2 field
(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
to a compact array with just the exponents of the non-zero terms.
These polynomials are then used in BN_GF2m_mod_arr() to perform modular
reduction. A precondition of calling BN_GF2m_mod_arr() is that the
polynomial must have a non-zero constant term (i.e. the array has `0` as
its final element).
Internally, callers of BN_GF2m_poly2arr() did not verify that
precondition, and binary EC curve parameters with an invalid polynomial
could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
The precondition is always true for polynomials that arise from the
standard form of EC parameters for characteristic-two fields (X9.62).
See the "Finite Field Identification" section of:
The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
basis X9.62 forms.
This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
Additionally, the return value is made unambiguous when there is not
enough space to also pad the array with a final `-1` sentinel value.
The return value is now always the number of elements (including the
final `-1`) that would be filled when the output array is sufficiently
large. Previously the same count was returned both when the array has
just enough room for the final `-1` and when it had only enough space
for non-sentinel values.
Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
CPU exhausition attacks via excessively large inputs.
The above issues do not arise in processing X.509 certificates. These
generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
disallows explicit EC parameters. The TLS code in OpenSSL enforces this
constraint only after the certificate is decoded, but, even if explicit
parameters are specified, they are in X9.62 form, which cannot represent
problem values as noted above.
Initially reported as oss-fuzz issue 71623.
A closely related issue was earlier reported in
<https://github.com/openssl/openssl/issues/19826>.
Severity: Low, CVE-2024-9143
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25639)
Update documentation for SSL_SESSION_set_time_ex()
Fixes #24322
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25665)
Niels Dossche [Wed, 9 Oct 2024 13:42:37 +0000 (15:42 +0200)]
Fix memory leak in tls_parse_ctos_psk()
`sess` is not NULL at this point, and is freed on the success path, but
not on the error path. Fix this by going to the `err` label such that
`SSL_SESSION_free(sess)` is called.
CLA: trivial
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25643)
Niels Dossche [Wed, 9 Oct 2024 21:00:13 +0000 (23:00 +0200)]
Fix potential double free through SRP_user_pwd_set1_ids()
If SRP_user_pwd_set1_ids() fails during one of the duplications, or id
is NULL, then the old pointer values are still stored but they are now dangling.
Later when SRP_user_pwd_free() is called these are freed again,
leading to a double free.
Although there are no such uses in OpenSSL as far as I found,
it's still a public API.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25655)
In all cases the argument is an int, the value of which shall
be representable as an unsigned char or shall equal the value
of the macro EOF. If the argument has any other value, the
behavior is undefined.
This is because they're designed to work with the int values returned
by getc or fgetc; they need extra work to handle a char value.
If EOF is -1 (as it almost always is), with 8-bit bytes, the allowed
inputs to the ctype.h functions are:
{-1, 0, 1, 2, 3, ..., 255}.
However, on platforms where char is signed, such as x86 with the
usual ABI, code like
char *p = ...;
... isspace(*p) ...
may pass in values in the range:
{-128, -127, -126, ..., -2, -1, 0, 1, ..., 127}.
This has two problems:
1. Inputs in the set {-128, -127, -126, ..., -2} are forbidden.
2. The non-EOF byte 0xff is conflated with the value EOF = -1, so
even though the input is not forbidden, it may give the wrong
answer.
Casting char inputs to unsigned char first works around this, by
mapping the (non-EOF character) range {-128, -127, ..., -1} to {128,
129, ..., 255}, leaving no collisions with EOF. So the above
fragment needs to be:
char *p = ...;
... isspace((unsigned char)*p) ...
This patch inserts unsigned char casts where necessary. Most of the
cases I changed, I compile-tested using -Wchar-subscripts -Werror on
NetBSD, which defines the ctype.h functions as macros so that they
trigger the warning when the argument has type char. The exceptions
are under #ifdef __VMS or #ifdef _WIN32. I left alone calls where
the input is int where the cast would obviously be wrong; and I left
alone calls where the input is already unsigned char so the cast is
unnecessary.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25113)
And from there doing manual inspection, as the list was short at that
point.
As in compile with keeping pre-processed source code; and use `git
grep --cached -p` to find these preprocessed files, and scan for calls
to return or opssl_prov_is_running, with function name printed. And
then exclude one from the other, to hopefully get a list of all the
functions that do not check for ossl_prov_is_running.
As number of functions without "func-without-ossl_prov_is_running"
check is large, I do wonder which other functions are "interesting" to
check for. I think I'm not scanning for _update functions
correctly. Any tips on improving above analysis will help with
maintaining such checks going forward.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25580)
improve and move text on OPENSSL_TRACE from doc/man1/openssl.pod to doc/man7/openssl-env.pod
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25540)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25608)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25608)
Pauli [Mon, 7 Oct 2024 23:38:26 +0000 (10:38 +1100)]
evp_libctx_test: fix provider compat CI regression
The regression was introduced by #25522.
Fixes #25632
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25633)
Niels Dossche [Thu, 3 Oct 2024 14:58:30 +0000 (16:58 +0200)]
Fix potential memory leak in save_statusInfo()
If sk_ASN1_UTF8STRING_push() fails then the duplicated string will leak
memory. Add a ASN1_UTF8STRING_free() to fix this.
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25604)
Niels Dossche [Wed, 2 Oct 2024 19:53:52 +0000 (21:53 +0200)]
Fix potential memory leak in PKCS7_signatureVerify()
Fixes #25594
The code jumps to an error block when EVP_VerifyUpdate fails.
This error block does not free abuf.
In the success path the abuf memory is freed.
Move the free operation to the error block.
CLA: trivial
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25596)
Pauli [Wed, 2 Oct 2024 02:11:30 +0000 (12:11 +1000)]
doc: add note about the configuration option for the jitter source.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25591)
`wc` does not output a file name if the input is stdin.
`awk` reads its file argument; there's no need for `cat`.
`sort -u` outputs unique lines. It should be supported on all platforms,
as it's specified by POSIX.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25562)
Neil Horman [Fri, 27 Sep 2024 13:33:35 +0000 (09:33 -0400)]
Add some documentation to describe the encap/decap requirements
Document the fact that we now require unwrappedlen/wrappedlen to be set
to the size of the unwrapped/wrapped buffers
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25522)
Neil Horman [Tue, 24 Sep 2024 17:54:14 +0000 (13:54 -0400)]
Adjust tests to fetch the output len for EVP_PKEY_[en|de]cap
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25522)
Neil Horman [Mon, 23 Sep 2024 18:14:18 +0000 (14:14 -0400)]
Update rsasve_recover to properly store outlen on success
Outlen was never validated in this function prior to use, nor is it set
to the decrypted value on sucess. Add both of those operations
Fixes #25509
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25522)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25503)
Signed-off-by: lan1120 <lanming@huawei.com> Reviewed-by: Hugo Landau <hlandau@devever.net> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23094)
Richard Levitte [Tue, 1 Oct 2024 07:52:59 +0000 (09:52 +0200)]
Update fips-label.yml to make 'Cleanup artifact' conditional
If it's not conditional in the same manner as the other steps, it fails
because the artifacts aren't present => job failure.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25584)
Simo Sorce [Mon, 30 Sep 2024 13:25:48 +0000 (09:25 -0400)]
Use the correct length value for input salt
In this function the salt can be either a zero buffer of exactly mdlen
length, or an arbitrary salt of prevsecretlen length.
Although in practice OpenSSL will always pass in a salt of mdlen size
bytes in the current TLS 1.3 code, the openssl kdf command can pass in
arbitrary values (I did it for testing), and a future change in the
higher layer code could also result in unmatched lengths.
If prevsecretlen is > mdlen this will cause incorrect salt expansion, if
prevsecretlen < mdlen this could cause a crash or reading random
information. Inboth case the generated output would be incorrect.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25579)
Pauli [Tue, 1 Oct 2024 05:16:37 +0000 (15:16 +1000)]
ci: add 3.4 to prov-compat-label tests
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25583)
Pauli [Tue, 1 Oct 2024 05:05:29 +0000 (15:05 +1000)]
ci: add 3.4 to the provider compatibility test
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25583)
Pauli [Mon, 30 Sep 2024 23:23:28 +0000 (09:23 +1000)]
test: add FIPS version check for EC cofactor derive tests
These were added in #25548 but didn't include a FIPS version check which
causes failures testing older FIPS providers against later versions.
Also change some skips to use TEST_skip.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25582)
The code was not detecting that the cofactor was set up correctly
if OSSL_PKEY_PARAM_USE_COFACTOR_ECDH was set, resulting in an incorrect
FIPS indicator error being triggered.
Added a test for all possible combinations of a EVP_PKEY setting
OSSL_PKEY_PARAM_USE_COFACTOR_ECDH and the derive context setting
OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE.
This only affects the B & K curves (which have a cofactor that is not 1).
Bug reported by @abkarcher
Testing this properly, also detected a memory leak of privk when the
FIPS indicator error was triggered (in the case where mode = 0 and
use_cofactor was 1).
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25548)
Similar to other KDFs, the input key should be 112 bits long.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25529)
docs: document options added in openssl-fipsinstall 3.4+
Document new command line options added in 3.4.0
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25546)
docs: document options added in openssl-fipsinstall 3.2+
Document new command line options added in 3.2.0
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25546)
docs: document options added in openssl-fipsinstall 3.1+
Document new command line options added in 3.1.0
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25546)
docs: add HISTORY section to openssl-fipsinstall (3.0+)
Documents when the command was added.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25546)
Pauli [Thu, 5 Sep 2024 00:24:07 +0000 (10:24 +1000)]
fips: continuous random bit generator tests
For FIPS 140-3 the continuous tests specified in SP 800-90B need to be
included on the output of any entropy source.
They are implemented here as a replacement for the primary DRBG in the FIPS
provider. This results in a setup that looks like this:
+-------------+
| |
| Seed Source |
| |
+------+------+
|
|
v
+-------------+
| |
| CRNG Test |
| |
++----------+-+
| |
| |
v v
+--------------+ +--------------+
| | | |
| Public DRBG | | Private DRBG |
| | | |
+--------------+ +--------------+
An additional benefit, that of avoiding DRBG chains, is also gained.
The current standards do not permit the output of one DRBG to be used
as the input for a second (i.e. a chain).
This also leaves open the future possibility of incorporating a seed
source inside the FIPS boundary.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25526)
See Section 5 Key Agreement Using Diffie-Hellman and MQV of
[NIST SP 800-131Ar2](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf).
Strengths less than 112bits is disallowed, thus eliminating SHA1.
Skip cms test case that requires use of SHA1 with X9.42 DH.
Rename ossl_fips_ind_digest_check to ossl_fips_ind_digest_exch_check
Add myself to Changes for fips indicator work
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25517)
Fix examples in EVP_PKEY_encapsulate/decapsulate documentation
Fixes #25448
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25450)
Neil Horman [Mon, 23 Sep 2024 16:11:01 +0000 (12:11 -0400)]
Rename list macros
The quic implementation defined a set of LIST_* macros for list
manipulation, which conflicts with the generally support BSD api found
in the queue.h system header. While this isn't normally a problem, A
report arrived indicating that MacOSX appears to implicitly include
queue.h from another system header which causes definition conflicts.
As the openssl macros are internal only, it seems the most sensible
thing to do is place them in a well known namespace for our library to
avoid the conflict, so add an OSSL_ prefix to all our macros
Fixes #25516
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/25519)
Pauli [Mon, 23 Sep 2024 04:45:41 +0000 (14:45 +1000)]
ctr-drbg: always use the DF for OpenSSL's DRBGs
Force the use of the derivation function when creating OpenSSL's internal
DRBGs.
FIPS mandates the use of a derivation function, so 3.4 cannot be validated as
it stands which run counter to the indicator work that was included.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Hugo Landau <hlandau@devever.net>
(Merged from https://github.com/openssl/openssl/pull/25511)
David von Oheimb [Fri, 26 Jul 2024 13:34:05 +0000 (15:34 +0200)]
80-test_cmp_http.t: fix handling of IPv6 server host (localhost '::1')
Fixes 22467
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25010)
doc/man{1,3}: fix details on IPv6 host addresses and of whitespace in no_proxy
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25010)
OSSL_HTTP_adapt_proxy(): fix handling of escaped IPv6 host addresses and of whitespace in no_proxy
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25010)
OSSL_HTTP_open(): fix completion with default port for IPv6 host addresses
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25010)
David von Oheimb [Wed, 31 Jul 2024 17:36:16 +0000 (19:36 +0200)]
http_server.{c,h}: make clear that IPv4 or IPv6 is used by http_server_init()
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25010)
David von Oheimb [Wed, 31 Jul 2024 17:32:44 +0000 (19:32 +0200)]
http_server.c: fix checks of error return code in http_server_init()
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25010)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25010)
Jakub Zelenka [Tue, 17 Sep 2024 13:21:33 +0000 (14:21 +0100)]
Fix smime-type for AuthEnvelopedData
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25482)
Alex Shaindlin [Wed, 18 Sep 2024 09:29:19 +0000 (12:29 +0300)]
doc/man3/OSSL_PARAM.pod: Correct the type of data_type
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25486)
Fixes #8331: Updated the description for setting the tag length in OCB mode to remove the misleading “when encrypting” and “during encryption” phrasing. This change emphasizes that setting a custom tag length requires a call with NULL, applicable to both encryption and decryption contexts.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25424)
add-depends script scans one line at a time, so when the first line is
processed, the object file becomes a dependency itself.
Fix by removing -MT altogether.
This also fixes makedepend for nonstop platform.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25455)
Add Missing Error Messages for AES-OCB Tag Length Validation
Related to #8331
Addressing found issues by adding specific error messages to improve
feedback when tag length checks fail for the `EVP_CTRL_AEAD_SET_TAG`
parameter in the AES-OCB algorithm.
- Added PROV_R_INVALID_TAG_LENGTH error to indicate when the current tag
length exceeds the maximum tag length of the algorithm.
- Added `PROV_R_INVALID_TAG_LENGTH` error to indicate when the current tag
length in the context does not match a custom tag length provided as
a parameter.
- Added `ERR_R_PASSED_INVALID_ARGUMENT` error to handle cases where an
invalid pointer is passed in encryption mode.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25425)
Building with '-D OPENSSL_SMALL_FOOTPRINT' for aarch64 fails due to
'gcm_ghash_4bit' being undeclared. Fix that by not setting the function
pointer when building with OPENSSL_SMALL_FOOTPRINT, matching openssl
behavior on x86.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25419)
Tomas Mraz [Wed, 4 Sep 2024 09:34:12 +0000 (11:34 +0200)]
Reduce footprint of Windows CI
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Hugo Landau <hlandau@devever.net>
(Merged from https://github.com/openssl/openssl/pull/25378)
Tomas Mraz [Wed, 4 Sep 2024 07:27:52 +0000 (09:27 +0200)]
Add Windows build with enable-fips no-thread-pool no-quic
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Hugo Landau <hlandau@devever.net>
(Merged from https://github.com/openssl/openssl/pull/25378)
Tomas Mraz [Wed, 4 Sep 2024 07:27:28 +0000 (09:27 +0200)]
Fix no-thread-pool build on Windows
thread/arch/thread_win.c must be included into libcrypto as rcu depends
on ossl_crypto_mutex implementation on Windows.
Fixes #25337
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Hugo Landau <hlandau@devever.net>
(Merged from https://github.com/openssl/openssl/pull/25378)
Matt Caswell [Wed, 31 Jul 2024 13:24:12 +0000 (14:24 +0100)]
Don't restrict the ECDSA settable ctx params unnecessarily
We just allow all possible settables all the time. Some things like the
digest name can't actually be changed in some circumstances - but we already
have checks for those things. It's still possible to pass a digest of the
same name to one that's already been set for example.
Fixes #25012
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25057)
erbsland-dev [Wed, 28 Aug 2024 19:54:12 +0000 (21:54 +0200)]
Add note for non-interactive use of `s_client`
Fixes #8018
Documented the potential issue of premature connection closure in
non-interactive environments, such as cron jobs, when using `s_client`.
Added guidance on using the `-ign_eof` option and input redirection to
ensure proper handling of `stdin` and completion of TLS session data exchange.
Highlight potential issues with the `-ign_eof` flag and provide solutions for
graceful disconnection in SMTP and HTTP/1.1 scenarios to avoid indefinite hangs.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25311)
Refactor Password Variables to Use `const char[]` Arrays
- Converted password declaration from `char*` to `const char[]`.
- Updated `memcpy` and `return` statements accordingly to use `sizeof` instead of predefined lengths.
- Renamed `key_password` into `weak_password` to match test name.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25330)
erbsland-dev [Fri, 30 Aug 2024 14:35:38 +0000 (16:35 +0200)]
Refactor Callback Tests for Improved Memory Management
Refactor the callback test code to replace global variables with local structures, enhancing memory management and reducing reliance on redundant cleanup logic.
Using a local struct containing a magic number and result flag to ensure the correct handling of user data and to verify that the callback function is invoked at least once during the test.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25330)
erbsland-dev [Fri, 30 Aug 2024 08:56:58 +0000 (10:56 +0200)]
Fix Edge Cases in Password Callback Handling
Fixes #8441: Modify the password callback handling to reserve one byte in the buffer for a null terminator, ensuring compatibility with legacy behavior that puts a terminating null byte at the end.
Additionally, validate the length returned by the callback to ensure it does not exceed the given buffer size. If the returned length is too large, the process now stops gracefully with an appropriate error, enhancing robustness by preventing crashes from out-of-bounds access.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25330)
erbsland-dev [Thu, 29 Aug 2024 21:08:46 +0000 (23:08 +0200)]
Add test for BIO password callback functionality
Related to #8441
This commit introduces a test suite for the password callback mechanism used when reading or writing encrypted and PEM or DER encoded keys via a BIO in OpenSSL. The test is designed to cover various edge cases, particularly focusing on scenarios where the password callback might return unexpected or malformed data from user code.
By simulating different callback behaviors, including negative returns, zero-length passwords, passwords that exactly fill the buffer and wrongly reported lengths. Also testing for the correct behaviour of binary passwords that contain a null byte in the middle.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25330)
Tomas Mraz [Thu, 5 Sep 2024 12:56:10 +0000 (14:56 +0200)]
libcrypto/libssl.num: Set the numbers for 3_4_0 symbols
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25393)
Tomas Mraz [Thu, 5 Sep 2024 12:53:04 +0000 (14:53 +0200)]
NEWS.md: Add missing link to 3.4 section
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25393)
s390x: Fix s390x_shake_squeeze() when MSA 12 is available
On the first squeeze call, when finishing the absorb process, also set
the NIP flag, if we are still in XOF_STATE_INIT state. When MSA 12 is
available, the state buffer A has not been zeroed during initialization,
thus we must also pass the NIP flag here. This situation can happen
when a squeeze is performed without a preceding absorb (i.e. a SHAKE
of the empty message).
Add a test that performs a squeeze without a preceding absorb and check
if the result is correct.
Fixes: https://github.com/openssl/openssl/commit/25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54 Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25388)
s390x: Fix s390x_sha3_absorb() when no data is processed by KIMD
If the data to absorb is less than a block, then the KIMD instruction is
called with zero bytes. This is superfluous, and causes incorrect hash
output later on if this is the very first absorb call, i.e. when the
xof_state is still XOF_STATE_INIT and MSA 12 is available. In this case
the NIP flag is set in the function code for KIMD, but KIMD ignores the
NIP flag when it is called with zero bytes to process.
Skip any KIMD calls for zero length data. Also do not set the xof_state
to XOF_STATE_ABSORB until the first call to KIMD with data. That way,
the next KIMD (with non-zero length data) or KLMD call will get the NIP
flag set and will then honor it to produce correct output.
Fixes: https://github.com/openssl/openssl/commit/25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54 Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25388)
Signed-off-by: dependabot[bot] <support@github.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25328)
Signed-off-by: dependabot[bot] <support@github.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25385)
Correctly display the number of requested threads and the number
of available threads.
CLA: trivial
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25375)
crypto/pkcs12/p12_mutl.c: Add check and EVP_MD_free() for EVP_MD_fetch()
Add check and EVP_MD_free() for EVP_MD_fetch() to avoid NULL pointer
dereference and memory leak, like "md_fetch".
Fixes: fe79159be0 ("Implementation of the RFC 9579, PBMAC1 in PKCS#12") Signed-off-by: Jiasheng Jiang <jiashengjiangcool@outlook.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25370)
projects / thirdparty / openssl.git / log
