Commit Graph

35236 Commits

Author SHA1 Message Date
Ingo Franzki
184d29dbab speed: Fix regression of measuring shake with -evp
After commit b911fef216 speed with shake128 or
shake256 does not run anymore:

  # openssl speed -seconds 1 -evp shake128 -bytes 256
  Doing shake128 ops for 1s on 256 size blocks: shake128 error!
  000003FF9B7F2080:error:1C8000A6:Provider routines:keccak_final:invalid digest
                     length:providers/implementations/digests/sha3_prov.c:117:
  version: 3.4.0-dev
  ...
  type            256 bytes
  shake128             0.00

Function EVP_Digest_loop() must use EVP_DigestInit_ex2(), EVP_DigestUpdate(),
and EVP_DigestFinalXOF() in case of shake instead of just EVP_Digest() to get
around this.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24462)
2024-05-28 08:48:36 +02:00
Dimitri John Ledkov
05faa4ffee rand: remove unimplemented librandom stub code
Clean up of unsuable / no-op code.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24465)
2024-05-24 12:03:21 +02:00
Max Ammann
46f55238d2 EVP_CIPHER_CTX_get_key_length(): Add null check of ctx->cipher
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22964)
2024-05-24 11:57:10 +02:00
Max Ammann
f3b988dc29 Add provider fuzzer
Test recipe 99-test_fuzz_provider.t added.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22964)
2024-05-24 11:56:41 +02:00
Randall S. Becker
b9e084f139 Added an explicit yield (OP_SLEEP) to QUIC testing for cooperative threading.
Fixes: #24442

Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24443)
2024-05-22 17:29:03 +02:00
Dimitri John Ledkov
a0da3cb468 test: remove the just added, but now unrealistic, shake128 OAEP tests
These were added as a POC in #24387. However, such combinations are no
longer unusable since #24105 got merged.

This should unbreak all build failures on mainline.

Partially reverts: 1bfc8d17f3 (rsa-oaep: block SHAKE usage in FIPS
mode, 2024-05-13)

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24463)
2024-05-22 17:02:00 +02:00
PiotrBzdrega
3472732cd2 signal.h included two times
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24445)
2024-05-22 15:33:12 +02:00
Dimitri John Ledkov
1bfc8d17f3 rsa-oaep: block SHAKE usage in FIPS mode
NIST SP 800-56 rev2 only allows using approved hash algorithms in
OAEP. Unlike FIPS 186-5 it doesn't have text allowing to use XOF SHAKE
functions. Maybe future revisions of SP 800-56 will adopt similar text
to FIPS 186-5 and allow XOF as MD and MGF (not MGF1).

RFC documents do not specify if SHAKE is allowed or blocked for usage
(i.e. there is no equivalent of RFC 8692 or RFC 8702 for OAEP). Status
quo allows their usage.

Add test cases for SHAKE in RSA-OAEP as allowed in default provider,
and blocked in fips.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24387)
2024-05-22 15:31:00 +02:00
Dimitri John Ledkov
973ddaa03f rsa-pss: add tests checking for SHAKE usage in RSA-PSS
FIPS 186-5, RFC 8692, RFC 8702 all agree and specify that Shake shall
be used directly as MGF (not as a hash in MGF1). Add tests that try to
specify shake hash as MGF1 to ensure that fails.

Separately the above standards specify how to use SHAKE as a message
digest with either fixed or minimum output lengths. However, currently
shake is not part of allowed hashes.

Note that rsa_setup_md()/rsa_setup_mgf1_md() call
ossl_digest_rsa_sign_get_md_nid() ->
ossl_digest_get_approved_nid_with_sha1() ->
ossl_digest_get_approved_nid() which only contain sha1/sha2/sha3
digests without XOF.

The digest test case will need to be replace if/when shake with
minimum output lengths is added to ossl_digest_get_approved_nid().

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24387)
2024-05-22 15:31:00 +02:00
Alexandr Nedvedicky
7884bedc04 fix crash in ecp_nistz256_point_add_affine()
The .rodata section with precomputed constant `ecp_nistz256_precomputed` needs to be
terminated by .text, because the ecp_nistz256_precomputed' happens to be the
first section in the file. The lack of .text makes code to arrive into the same
.rodata section where ecp_nistz256_precomputed is found. The exception is raised
as soon as CPU attempts to execute the code from read only section.

Fixes #24184

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24192)
2024-05-22 15:15:04 +02:00
Ruslan Baratov
a73e07dbb7 [Docs] Default value for verification flags is 'SSL_VERIFY_NONE'
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24435)
2024-05-22 15:12:24 +02:00
Richard Levitte
4e8c4b77ef Add installation documentation and notes on ANSI C and POSIX
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24173)
2024-05-22 09:59:32 +02:00
Richard Levitte
8cf9ac9c20 When defining ossl_ssize_t = ssize_t, remember to include sys/types.h
ssize_t isn't a C language type in any C language level, but is a POSIX type
defined in <sys/types.h>, so make sure to include that before use.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24173)
2024-05-22 09:59:32 +02:00
Richard Levitte
f352c808ed For Unix, refactor OSSL_sleep() to use nanosleep() instead of usleep()
usleep() is obsolete since POSIX.1-2001 and removed in POSIX.1-2008,
in favor of nanosleep(), which has been present since POSIX.1-2001.

The exceptions for DJGPP and TANDEM are preserved.  Also, just in case
nanosleep() turns out to be unavailable on any Unix machinery that we
are unaware of, we allow a revert to using usleep() by defining
OPENSSL_USE_USLEEP.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24173)
2024-05-22 09:59:32 +02:00
Richard Levitte
34f35473c0 Work on ANSI C compatibility: modifying the github workflow
The github workflow that attempts to check that OpenSSL ANSI C compatible
defined '_DEFAULT_SOURCE', which effectively turns gcc and clang into a C99
compiler...  perhaps not with regard to pure language features, but it enables
a few too many types and functions that aren't defined in ANSI C library, or
in some cases, in any C language level library.

Instead of '_DEFAULT_SOURCE', this modification defines '_XOPEN_SOURCE=1' and
'_POSIX_SOURCE=200809L', to enable the use of 'timezone', 'ssize_t' and 'strdup()'.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24173)
2024-05-22 09:59:31 +02:00
Hongren Zheng
a192b2439c fips provider: explicitly setup cpuid when initializing
Fixes: #23979

Previously fips module relied on OPENSSL_cpuid_setup
being used as constructor by the linker to correctly
setup the capability vector, either via .section .init
(for x86_64) or via __attribute__((constructor)).

This would make ld.so call OPENSSL_cpuid_setup before
the init function for fips module. However, this early
constructing behavior has several disadvantages:

1. Not all platform/toolchain supports such behavior

2. Initialisation sequence is not well defined, and
some function might not be initialized when cpuid_setup
is called

3. Implicit path is hard to maintain and debug

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24419)
2024-05-20 10:14:39 +02:00
shridhar kalavagunta
4dbd4925df Fix mem leak in threadpool_test.c
Fixes #24104

Added a goto label for cleanup.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24412)
2024-05-20 10:11:35 +02:00
James Muir
45f5d51b72 Fix typo in CONTRIBUTING.md
CLA: trivial

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24413)
2024-05-17 09:09:59 +02:00
Tomas Mraz
85ccbab216 Check DSA parameters for excessive sizes before validating
This avoids overly long computation of various validation
checks.

Fixes CVE-2024-4603

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24346)
2024-05-16 15:44:40 +02:00
Tomas Mraz
e91579db09 Sync up CHANGES.md with 3.3 branch
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24346)
2024-05-16 15:44:32 +02:00
Andrew Golovashevich
a6afe2b29a Additional testcases for bn_gcd
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24332)
2024-05-15 13:38:24 +02:00
Andrew Golovashevich
aaa1bda718 Optimizated calculation of shared power of 2 in bn_gcd
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24332)
2024-05-15 13:37:48 +02:00
DominikN
5a0c92cf09 Update openssl-smime.pod.in
Remove duplicate entries for -nocerts and -noattr

CLA:trivial

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24052)
2024-05-15 13:28:43 +02:00
Ruslan Baratov
987baef4fa [Docs] 'SSL_CTX_set_cert_store' ownership of 'store'
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24375)
2024-05-15 12:22:40 +02:00
Matt Caswell
50153ad2bb Suppress a spurious error from the sysdefault test
Running the sysdefault test results in spurious error output - even
though the test has actually passed

Fixes #24383

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24384)
2024-05-15 12:14:24 +02:00
Tomas Mraz
ad3f28c5fb Document that SHAKE-128 and SHAKE-256 have no default digest length
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24105)
2024-05-15 12:10:32 +02:00
Tomas Mraz
b911fef216 Intentionally break EVP_DigestFinal for SHAKE128 and SHAKE256
It will work only if OSSL_DIGEST_PARAM_XOFLEN is set.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24105)
2024-05-15 12:10:32 +02:00
Liu-Ermeng
170620675d fix sm2 encryption implementation bug.
According to the "GB/T 32918.4-2016"
section 6.1 encryption, step A5:
If result of the "KDF" is all zeros, we should go back to
the begin(step A1).

section 7.1 decryption, step B4:
If result of the "KDF" is all zeros, we should raise error and exit.

Signed-off-by: Liu-Ermeng <liuermeng2@huawei.com>

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23210)
2024-05-15 11:17:14 +02:00
Tomas Mraz
f6e4698085 sslapitest.c: With fips skip tests depending on X25519 and X448
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24347)
2024-05-14 18:10:02 +02:00
Tomas Mraz
d2af5e4c94 90-test_sslapi.t: Fix execution of sslapitest with fips provider
Default configuration of the fips provider for tests is pedantic
which means that sslapitest was not fully executed with fips provider.

The ems check must be switched off for full execution.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24347)
2024-05-14 18:10:02 +02:00
Tomas Mraz
887572b85d Add 3.2 and 3.3 branches to Provider compat CI
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24347)
2024-05-14 18:10:02 +02:00
irosay
3e9d933882 Release pkey_ctx on initialization failure
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24366)
2024-05-14 17:58:34 +02:00
Jonathan M. Wilbur
50f2e2146a fix: extension critical definition to default false
Signed-off-by: Jonathan M. Wilbur <jonathan@wilbur.space>

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21230)
2024-05-14 16:04:51 +02:00
Trust-Worthy
77a30b70eb evp_test: Added the special private key that triggers bug (CVE-2011-4354)
The bug triggers in 32 bit linux distros running openssl 0.9.8g.

This adds a regression test case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24235)
2024-05-14 15:57:19 +02:00
Alexandr Nedvedicky
fb323b2775 zeroize rsa->p,rsa->q on error
this is rquired by fipd-186-5 section A.1.6, step 7:
	Zeroize the internally generated values that are not returned

In OpenSSL code we need to zero p, q members of rsa structure. The rsa
structure is provided by ossl_rsa_fips186_4_gen_prob_primes() caller.

The remaining values (variables) mentioned by standard are zeroed
already in functions we call from ossl_rsa_fips186_4_gen_prob_primes().

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24358)
2024-05-14 15:55:41 +02:00
Rajeev Ranjan
b6a5e80167 Add support for integrity-only cipher suites for TLS v1.3
- add test vectors for tls1_3 integrity-only ciphers
- recmethod_local.h: add new member for MAC
- tls13_meth.c: add MAC only to tls 1.3
- tls13_enc.c: extend function to add MAC only
- ssl_local.h: add ssl_cipher_get_evp_md_mac()
- s3_lib.c: add the new ciphers and add #ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS
- ssl_ciph.c : add ssl_cipher_get_evp_md_mac() and use it
- tls13secretstest.c: add dummy test function
- Configure: add integrity-only-ciphers option
- document the new ciphers

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22903)
2024-05-14 15:39:15 +02:00
Rajeev Ranjan
61f32392dd cipher_null.c: add NULL check
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22903)
2024-05-14 15:38:52 +02:00
naaysayer
f5462572a1 apps/pkcs12: Not writing the private key file until the import password is verified
Fixes #904

CLA: trivial

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23729)
2024-05-14 15:36:33 +02:00
Frederik Wedel-Heinen
125719ba11 Remove SSL_ENC_FLAG_EXPLICIT_IV which is only set and never read.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24036)
2024-05-14 15:34:07 +02:00
Jacob Champion
a401aaf9ed Add reason codes with the correct offset for two alerts
Fixes #24300. The current values of SSL_R_NO_APPLICATION_PROTOCOL and
SSL_R_PSK_IDENTITY_NOT_FOUND don't allow for a correct lookup of the
corresponding reason strings.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24351)
2024-05-14 15:27:17 +02:00
Georgi Valkov
d8dd1dfdf5 threads_win: fix build error with VS2010
VC 2010 or earlier compilers do not support static inline.
To work around this problem, we can use the ossl_inline macro.

Fixes:
crypto\threads_win.c(171) : error C2054: expected '(' to follow 'inline'
crypto\threads_win.c(172) : error C2085: 'get_hold_current_qp' : not in formal parameter list
crypto\threads_win.c(172) : error C2143: syntax error : missing ';' before '{'
crypto\threads_win.c(228) : warning C4013: 'get_hold_current_qp' undefined; assuming extern returning int
crypto\threads_win.c(228) : warning C4047: '=' : 'rcu_qp *' differs in levels of indirection from 'int'

Signed-off-by: Georgi Valkov <gvalkov@gmail.com>

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24370)
2024-05-14 15:25:38 +02:00
Hongren Zheng
f94d773f94 crypto/riscvcap: fix function declaration for hwprobe_to_cap
error: function declaration isn't a prototype [-Werror=strict-prototypes]

Fixes: 66ad636b9 ("riscv: use hwprobe syscall for capability detection")

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24373)
2024-05-14 15:24:26 +02:00
Daiki Ueno
7860bca22c doc: Fix description of EVP_CIPHER_CTX_dup
This fixes a couple of copy and paste error from EVP_MD_CTX_dup,
where: EVP_CIPHER_CTX_dup is useful to avoid multiple
EVP_CIPHER_fetch (instead of EVP_MD_fetch) and returns
EVP_CIPHER_CTX (instead of EVP_MD_CTX).

Signed-off-by: Daiki Ueno <dueno@redhat.com>

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24376)
2024-05-14 09:28:26 +02:00
Georgi Valkov
c02f952b48 quic_multistream_test: fix undefined symbol snprintf with VS2010
As snprintf is not available everywhere, use BIO_snprintf instead.

Fixes:
        IF EXIST test\quic_multistream_test.exe.manifest DEL /F /Q test\quic_multistream_test.exe.manifest
        "link" /nologo /debug setargv.obj /subsystem:console /opt:ref  /nologo /debug @V:\_tmp\nm4.tmp
quic_multistream_test-bin-quic_multistream_test.obj : error LNK2019: unresolved external symbol _snprintf referenced in function _helper_init
test\quic_multistream_test.exe : fatal error LNK1120: 1 unresolved externals
NMAKE : fatal error U1077: '"E:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\BIN\link.EXE"' : return code '0x460'

Signed-off-by: Georgi Valkov <gvalkov@gmail.com>

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24369)
2024-05-14 09:06:49 +02:00
Dimitri John Ledkov
fa338aa7cd fips: zeroization of public security parameters (PSPs)
ISO 19790:2012/Cor.1:2015 7.9 requires cryptographic module to provide
methods to zeroise all unproctected security sensitive parameters
(which inclues both Critical/Private **and** Public security
parameters). And those that are temprorarly stored are required to be
zeroised after they are no longer needed at security levels 2 and
higher.

Comply with the above requirements by always zeroising public security
parameters whenever they are freed.

This is currently done under the FIPS feature, however the requirement
comes from the ISO 19790:2012 which may also be needed in other
jurisdictions. If not always. Note FIPS 140-3 includes ISO 19790:2012
by reference.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24355)
2024-05-13 11:14:11 +02:00
willmafh
fa4ee40434 Typo fixes
and an addition of an empty line to follow the code style

CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23721)
2024-05-13 11:10:35 +02:00
Hongren Zheng
87314d24c4 Implement riscv_vlen_asm for riscv32
riscvcap.c: undefined reference to 'riscv_vlen_asm'

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24270)
2024-05-10 17:02:49 +02:00
Tomas Mraz
3de3d481b2 tls_provider_init(): Rename prov_ctx to xor_prov_ctx to clarify
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24103)
2024-05-10 13:51:55 +02:00
Tomas Mraz
2a5d733e64 tls_provider_init(): Fix leaks in error cases
Fixes #24101

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24103)
2024-05-10 13:51:55 +02:00
Jiasheng Jiang
4a5088259e ssl_cipher_get_overhead(): Replace size_t with int and add the checks
Replace the type of "mac", "out", and "blk" with int to avoid implicit
conversion when it is assigned by EVP_MD_get_size(),
EVP_CIPHER_get_iv_length(), and EVP_CIPHER_get_block_size().
Moreover, add the checks to avoid integer overflow.

Fixes: 045bd04706 ("Add DTLS_get_data_mtu() function")
Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu>

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23935)
2024-05-10 11:35:22 +02:00