When BIO_parse_hostserv() fails it may still have allocated memory, yet
this memory is not freed. Fix it by jumping to the err label.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25817)
(cherry picked from commit 32476957ead4151dceaf873306fc7e79cd262812)
This makes `ikmlen` have a length of at least `Nsk`.
Closes#26213
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26254)
(cherry picked from commit c93f4a1e75efbb10153b2520a10e5a19a4479fdf)
When we put algorithm to the store, we have a fallback to the
OSSL_LIB_CTX level store when store is NULL.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26197)
(cherry picked from commit b3bb214720f20f3b126ae4b9c330e9a48b835415)
A follow-up to #26038
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26197)
(cherry picked from commit f6097c7c5da84a6bd354c57fd6e0ffb2b549f30d)
When data contains only zero values a buffer overflow happens.
CLA: trivial
Signed-off-by: Andrey Tsygunka <aitsygunka@yandex.ru>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26190)
(cherry picked from commit bf2dea0e2c6f1cfe1a8222088052ebcc63ab1004)
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4880
Facing the below issue after openssl is upgraded
Edk2\CryptoPkg\Library\OpensslLib\openssl\include\internal/safe_math.h(19):
warning C4668: '__GNUC__' is not defined as a preprocessor macro, replacing
with '0' for '#if/#elif'
CLA: trivial
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Kalavakolanu Hema Anmisha <hema.anmisha.kalavakolanu@intel.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26204)
(cherry picked from commit 53b34561b56b60a812f8f65c777d469e18151e8d)
If it is NULL, ctx->pctx->pmeth dereference will cause a crash.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26176)
(cherry picked from commit 82e7a1130a7d10f4e15c19676a680990b5e3f8fe)
We just avoid the special handling needed for Apple M1.
Fixes#26135
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/26145)
(cherry picked from commit 79c9cbbe1f9c3b8314312b6d8bb25b7138831e04)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26146)
(cherry picked from commit 8cbe6e5a8109a831627a683e97e998a7f64401fe)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26142)
(cherry picked from commit a82c2bf5c9db9d00f16281b48c1e1430a6cfd76e)
Only absent parameters allowed in RFC 3370.
Fixes#25824
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26058)
(cherry picked from commit 02e72ccffacf2d01295810798ca1c86a438ee712)
We use REF_PRINT_COUNT to dump out the value of various reference
counters in our code
However, we commonly use this macro after an increment or decrement. On
increment its fine, but on decrement its not, because the macro
dereferences the object holding the counter value, which may be freed by
another thread, as we've given up our ref count to it prior to using the
macro.
The rule is that we can't reference memory for an object once we've
released our reference, so lets fix this by altering REF_PRINT_COUNT to
accept the value returned by CRYPTO_[UP|DOWN]_REF instead. The
eliminates the need to dereference the memory the object points to an
allows us to use the call after we release our reference count
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25664)
(cherry picked from commit dc10ffc2834e0d2f5ebc1c3e29bd97f1f43a0ead)
If we had refcounted object allowing lockless writes
the relaxed semantics on DOWN_REF would allow scheduling
these writes after simultaneous release of the object by
another thread.
We do not have any such objects yet, but better to make
the refcount correct just in case we will have them
in future.
TSAN doesn't properly understand this so we use
even stronger acq_rel semantics if building with TSAN.
Fixes#25660
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25664)
(cherry picked from commit 3bf273b21b3e21cca9cd143ed9016397bd7dbb57)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25664)
(cherry picked from commit 420d5d6294449527f4dd986b4fed8681bd4ae8fb)
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26122)
(cherry picked from commit 5f9814d95cc16a6e45e45cc2afe8b98c1eeead25)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26080)
(cherry picked from commit 85f17585b0d8b55b335f561e2862db14a20b1e64)
We would dereference p7->d.sign pointer which can be NULL.
Reported by Han Zheng.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26078)
(cherry picked from commit f2348f1f844a54c7a95c32e2354cd29f0860c803)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25849)
(cherry picked from commit 54332adf29ef4ddac9dea5ec06423b01dbb02996)
Free the stack return value `dsa` on each early exit.
Fixes#25905
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25948)
(cherry picked from commit f4550fb5b518d2b910222bca2317d813cf092b53)
At some point in time it was decided that the EC keymanagers ec_export()
function would only allow the selection to be both the public + private
parts. If just the private element is selected it returns an error.
Many openssl commandline apps use EVP_PKEY_print_private() which passes
EVP_PKEY_PRIVATE_KEY to the encoder. This selection propagates to
encoder_construct_pkey(). For external providers (such as the fips
provider this will call the keymanagers export() with the selection set
to just the private part.
So we either need to
1) change the selection in EVP_PKEY_print_private() or
2) modify the selection used in the export used in
encoder_construct_pkey
3) Change the ec_export to allow this.
I have chosen 2) but I am not sure if this is the correct thing to do
or whether it should conditionally do this when the output_type ==
'text'.
Issue was reported by Ilia Okomin (Oracle).
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26004)
(cherry picked from commit 79c98fc6ccab49f02528e06cc046ac61f841a753)
call to die() in perl templates is currently ignored.
any error printed by die() commad appears in template
output.
In order to make sure die() terminates processing we
must ensure we emite `undef` value. This is ensured
by adding a `BROKEN` callback to `fill_in()` Template
method. The callback must return undef to stop processing.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26064)
(cherry picked from commit 578760bb6aae6a9d7f3805eea66bab124d06c9b0)
If your custom BIO does not implement BIO_CTRL_FLUSH, it won't work, but
this is not document anywhere.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26060)
(cherry picked from commit 847a23757f7cbebaa882e15087efb926113a0670)
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26049)
(cherry picked from commit e50d4bac9d9018f09427f4600062a7415c1bdfc8)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25913)
(cherry picked from commit ded80b3cc7b36f8ce425e4d53691920dfa875451)
When ecx_gen_set_params() returns 0, it could have duplicated the memory
for the parameter OSSL_KDF_PARAM_PROPERTIES already in gctx->propq,
leading to a memory leak.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26015)
(cherry picked from commit 98be2e8fb60aaece2e4c3d42e87671fe22c081a2)
Fixes#25601Fixes#22414
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22181)
(cherry picked from commit e131868678085f29adf90db8bd8058e9f2c8c6b0)
When writing to a blocking quic stream, we sometimes get duplicate
transmitted data. This occurs when a call to quic_write_blocking has to
wait for space to become available in the ring buffer. When we do a
wait, the call sets *written to the value returned in args.total_written
as filled out by the calls to block_until_pred->quic_write_again.
However, the value there is based on the amount we requested, which is
only the remaining data that we didn't append in xso_sstream_write. So
if we call quic_write_blocking with a buffer of length X, and initially
append Y bytes, and write the remainig X-Y bytes via a block_until_pred
call, then *written will return with the value X-Y, even though we wrote
the full X bytes to the ring buffer.
Fix it by recording the initial amount appended into *written, and then
add the args.total_written value if we have to wait on more space
Fixesopenssl/project#924
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26023)
(cherry picked from commit 2de7e1d69851a363cadd9d6bdd95302b89a4383b)
In case of memory allocation failure this
could happen.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25994)
(cherry picked from commit 93bfe97c5be0ca575411b39c9dec1103caa82f51)
This pull request fixes a typo in the documentation.
The phrase "the are" has been corrected to "there are".
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25977)
(cherry picked from commit 6f2c97d50a59033a78ac8edc7e72e7afb17e3c79)
macos-12 runners will be removed in December.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Hugo Landau <hlandau@devever.net>
(Merged from https://github.com/openssl/openssl/pull/25715)
(cherry picked from commit 6a3d5b6e62bf82639d0379e94e0581927251e638)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25939)
(cherry picked from commit 5c5b8d2d7c59fc48981861629bb0b75a03497440)
(cherry picked from commit eac57efed2e32179a04d9d56cf2b1033be66c6d5)
Setting a new_session_cb should work for a QUIC object just as it does
with a normal TLS object.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25931)
(cherry picked from commit 315ecbdff4e4fc17b94f85ce429b6d4b990b23e5)
When processing a callback within libssl that applies to TLS the original
SSL object may have been created for TLS directly, or for QUIC. When making
the callback we must make sure that we use the correct SSL object. In the
case of QUIC we must not use the internal only SSL object.
Fixes#25788
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25931)
(cherry picked from commit e595f6cd323e0b8e9f9980abd89c4df6012af911)
In some cases a QUIC SSL_CONNECTION object needs to get hold of a reference
to the original SSL object as created by the user. We should keep a
reference to it.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25931)
(cherry picked from commit 6612799fb51eea3ddd0f077a76d01db873d43df9)
the parameters in the function definitions use `siglen` not `sig_len`,
this fixes the doc text.
Signed-off-by: Alicja Kario <hkario@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25927)
(cherry picked from commit eaf4da97c9b9c09a407b9f1a47ad7dd99c05884c)
Add a test to the quic_multistream test suite to reset a stream after
all data has been received by a given stream, ensuring that we don't
crash in the reset operation
Fixes#25410
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25910)
(cherry picked from commit 15c6580a76814fb67bff07b9247bb97d40240011)
When calling SSL_stream_reset on a QUIC stream object that has received
all data that is expected to be sent (i.e. when the sender has sent a
STREAM frame with the FIN bit set), we encounter the following segfault:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f0bd28 in ossl_quic_sstream_get_final_size (qss=0x0, final_size=0x0) at ssl/quic/quic_sstream.c:273
273 if (!qss->have_final_size)
(gdb) bt
0) 0x00007ffff7f0bd28 in ossl_quic_sstream_get_final_size (qss=0x0, final_size=0x0) at ssl/quic/quic_sstream.c:273
1) 0x00007ffff7ef65bf in quic_validate_for_write (xso=0x5555555efcb0, err=0x7fffffffd5e0) at ssl/quic/quic_impl.c:2513
2) 0x00007ffff7ef8ae3 in ossl_quic_stream_reset (ssl=0x5555555efcb0, args=0x0, args_len=0) at ssl/quic/quic_impl.c:3657
3) 0x00007ffff7ebdaa6 in SSL_stream_reset (s=0x5555555efcb0, args=0x0, args_len=0) at ssl/ssl_lib.c:7635
4) 0x0000555555557527 in build_request_set (
req_list=0x55555555ebd0 "neil1.txt neil2.txt neil3.txt neil4.txt neil5.txt neil6.txt neil7.txt neil8.txt neil9.txt neil10.txt neil11.txt neil12.txt neil13.txt neil14.txt neil15.txt neil16.txt neil17.txt neil18.txt neil19.txt "..., ssl=0x5555555b6f80)
at demos/guide/quic-hq-interop.c:545
5) 0x00005555555587b2 in main (argc=4, argv=0x7fffffffe568) at demos/guide/quic-hq-interop.c:941
This occurs because:
1) When the stream FIN bit is set, the quic stack frees the underlying
stream structures immediately within the QUIC stack
and
2) when SSL_stream_reset is called, the call stack indicates we call
quic_validate_for_write, which attempts to access the
xso->stream->sstream QUIC_SSTREAM object, which was already freed in
(1)
The fix I think is pretty straightforward. On receipt of a STREAM frame
with a FIN bit set, the QUIC stack sets the QUIC_STREAM object state to
QUIC_SSTREAM_STATE_DATA_RECVD, which means we can use that state to
simply assert that the stream is valid for write, which allows it to be
reset properly.
Fixes#25410
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25910)
(cherry picked from commit bbfffbcaf38dff61fe7a1fcbfa6af9a818e1e188)
Otherwise we will calculate an incorrect header
size for higher stream ids and won't fit the
frame into the packet.
Fixes#25417
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25928)
(cherry picked from commit ba6f115ccfbb63fbeb2bc8df3c07918a7a59a186)
This fixes decryption failures for AE modes such as CCM, GCM,
OCB, SIV, and GCM-SIV.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25887)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25886)
(cherry picked from commit b10cfd93fd58cc1e9c876be159253b5389dc11a5)
Calling the functions SSL_CTX_set_cipher_list() or SSL_set_cipher_list() will
return the error "no cipher match" if no TLSv1.2 (or below) ciphers are enabled
after calling them. However this is normal behaviour for QUIC objects which do
not support TLSv1.2 ciphers. Therefore we should suppress that error in this
case.
Fixes#25878
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25886)
(cherry picked from commit 40237bf97aeb855856e7b74ed393e1767631e1a2)
param->ctrl translation: Fix fix_ecdh_cofactor()
In POST_PARAMS_TO_CTRL state the fix_ecdh_cofactor() function should
return value in ctx->p1
param->ctrl translation: fix evp_pkey_ctx_setget_params_to_ctrl
return
Since some of the ctrl operations may return 0 as valid value
(e.g. ecdh_cofactor value 0 is valid setting), before colling
POST_PARAMS_TO_CTRL, we need to check return value for 0 as well
otherwise the evp_pkey_ctx_setget_params_to_ctrl function fails
without a chance to fix the return value
param->ctrl translation: Set ecdh_cofactor default action_type GET
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22587)
(cherry picked from commit 2aaef03339a88e5d693f278406a889657b10fd2d)
Indent namingAuthority section with two spaces to match the parent
node.
Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25814)
(cherry picked from commit 85a52f7292cb57662f823e4ac1a303f56d0531bf)
When sk_GENERAL_NAME_reserve() fails, ialt is not freed.
Add the freeing operation in the common error path.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25876)
(cherry picked from commit fa856b0ce0f527d2f80c10c8c288201ace4a9efa)
Fix cases where `int` argument was passed instead of `size_t`.
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25857)
(cherry picked from commit ccaa754b5f66cc50d8ecbac48b38268e2acd715e)
