The documentation was misleading in that it suggests that this environment
variable will record information about all allocations. While this is true
it doesn't record the most useful information that you might expect such
as the requested size of the allocation! It is mainly for use in
conjunction with OPENSSL_MALLOC_FAILURES, and reports information about
what chance an allocation has of failing.
We also clarify that the mem_debug functions are actually no-ops in 3.0.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18967)
The -provider and -propquery options did not work on genrsa. Fix this
and add a test that checks that operations that would usually fail with
the FIPS provider work when run with
| -provider default -propquery '?fips!=yes'
See also 30b2c3592e, which previously
fixed the same problem in dsaparam and gendsa. See also the initial
report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)
The -provider and -propquery options did not work on dgst when using it
for signing or signature verification (including HMACs). Fix this and
add tests that check that operations that would usually fail with the
FIPS provider work when run with
| -provider default -propquery '?fips!=yes'
Additionally, modify the behavior of dgst -list to also use the current
library context and property query. This reduces the output below the
headline "Supported digests" to a list of the digest algorithms that
will actually work with the current configuration, which is closer to
what users probably expect with this headline.
See also 30b2c3592e, which previously
fixed the same problem in dsaparam and gendsa. See also the initial
report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)
Property query support works correctly for apps/pkey, but there does not
seem to be a test for it yet, so add one.
See also 30b2c3592e, which previously
fixed a similar problem in dsaparam and gendsa. See also the initial
report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)
The -provider and -propquery options did not work on pkeyparam. Fix this
and add tests that check that operations that would usually fail with
the FIPS provider work when run with
| -provider default -propquery '?fips!=yes'
See also 30b2c3592e, which previously
fixed the same problem in dsaparam and gendsa. See also the initial
report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)
The -provider and -propquery options did not work on ecparam. Fix this
and add tests that check that operations that would usually fail with
the FIPS provider work when run with
| -provider default -propquery '?fips!=yes'
See also 30b2c3592e, which previously
fixed the same problem in dsaparam and gendsa. See also the initial
report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)
The -provider and -propquery options did not work on dhparam. Fix this
and add tests that check that operations that would usually fail with
the FIPS provider work when run with
| -provider default -propquery '?fips!=yes'
See also 30b2c3592e, which previously
fixed the same problem in dsaparam and gendsa. See also the initial
report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18821)
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18821)
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18821)
Running bio_tfo_test under asan yields
==172342==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 380 byte(s) in 5 object(s) allocated from:
#0 0x3ff89bba251 in malloc (/lib64/libasan.so.8+0xba251)
#1 0x3ff88cf9fd5 in gaih_inet.constprop.0 (/lib64/libc.so.6+0xf9fd5)
#2 0x3ff88cfaf6f in getaddrinfo (/lib64/libc.so.6+0xfaf6f)
#3 0x3ff89ba52a9 in __interceptor_getaddrinfo.part.0 (/lib64/libasan.so.8+0xa52a9)
#4 0x1004909 in test_fd_tfo test/bio_tfo_test.c:241
[...]
and fails the test.
Fix this by freeing the return addrinfo on exit.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18979)
Running test_tfo_cli under asan yields
==166214==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000d57c at pc 0x03ffa004ed86 bp 0x03ffe2977e80 sp 0x03ffe2977668
READ of size 112 at 0x60700000d57c thread T0
#0 0x3ffa004ed85 in memcpy (/lib64/libasan.so.8+0x4ed85)
#1 0x3ff9f3615b7 in BIO_ADDR_dup crypto/bio/bio_addr.c:77
[...]
and fails the test.
Fix this by copying the right structure of the union.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18979)
This prevents misuses creeping in.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18882)
If there is no timer available to seed the stochastic flushing, revert to a
global seed that gets updated each flush.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18906)
s390x GHASH assembler implementation assumed it was called from a
gcm128_context structure where the Xi paramter to the ghash function was
embedded in that structure. Since the structure layout resembles the paramter
block required for kimd-GHASH, the assembler code simply assumed the 128 bytes
after Xi are the hash subkey.
This assumption was broken with the introduction of AES-GCM-SIV which uses the
GHASH implementation without a gcm128_context structure. Furthermore, the
bytes following the Xi input parameter to the GHASH function do not contain
the hash subkey. To fix this, we remove the assumption about the calling
context and build the parameter block on the stack. This requires some
copying of data to and from the stack. While this introduces a performance
degradation, new systems anyway use kma for GHASH/AES-GCM.
Finally fixes#18693 for s390x.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18939)
Increase the signature's length, that is passed to EVP_DigestSign(). The
implementation should set this parameter back to the actual length, that
has been written.
This (oneshot_digestsign_test_run()) fails for the ed25519/ ed448
implementation of s390 prio the fix. The change in digestsign_test_run()
follows the same pattern and is for collecting bonus points.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18928)
The s390x provides its custom implementation for the creation of the
ed448 and ed25519 signatures. Unfortunately it does not set the size.
Users that rely of this return parameter end up with wrong values and
will compare wrong sizes of signature.
Set the proper size of the returned signature on success. Set an error
if the signing operation fails.
Fixes: #18912
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18928)
The rest of the documentation talks about sig, not sigret
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18943)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18925)
Updates the docs to describe EC_KEY_set_private_key() function behavior
when a NULL priv_key argument is passed.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18942)
This tests the behavior and API of the EC_KEY_set_private_key function.
It tests compliance with legacy features related to NULL private keys
too.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18942)
Out of range values could possibly be returned due to a lack of range checking.
Very unlikely to be exploitable for our provider because sensible values are
returned for all ciphers.
Also fixed the defaulting code so that the cipher's IV length is returned if
the cipher ctx doesn't support getting.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18875)
Fixes#18690
In some circumstances, it's possible that when using an external
database for the session cache, that pulling in an entry from that
cache to the internal cache will cause the newly added entry to
be deleted from the internal cache. This is likely to happen when
the internal cache is set to have a small size, and the newly added
entry's timeout places it at the end of the cache list.
This could be fixed by updating the timestamp of the session (via
`SSL_SESSION_set_time()` or `SSL_SESSION_set_timeout()`) before
adding to the cache. But that may not be desireable.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18905)
The default that pkcs12 -export uses is SHA256 and not SHA1.
CLA: Trivial
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18904)
The fallback DEP works fine there. XLC should be unaffected.
CLA: trivial
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18892)
Fixes#18911
`BSWAP`x/`GETU`xx are no-ops on big-endian. Change the byte swapper.
Fix big-endian issues in the `mulx_ghash()` function
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18920)
As EVP_CIPHER_CTX_get_iv_length indicates failure with -1, this error
should be processed. Also the result of this function shouldn't be
assigned to an unsigned variable.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18891)
If the first app data record arrives before the Finished message we should
be able to buffer it and move on to the Finished message.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18868)
If app data is received before a Finished message in DTLS then we buffer
it to return later. The function SSL_pending() is supposed to tell you
how much processed app data we have already buffered, and SSL_has_pending()
is supposed to tell you if we have any data buffered (whether processed or
not, and whether app data or not).
Neither SSL_pending() or SSL_has_pending() were taking account of this
DTLS specific app data buffer.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18868)
Fixes#16721
This uses AES-ECB to create a counter mode AES-CTR32 (32bit counter, I could
not get AES-CTR to work as-is), and GHASH to implement POLYVAL. Optimally,
there would be separate polyval assembly implementation(s), but the only one
I could find (and it was SSE2 x86_64 code) was not Apache 2.0 licensed.
This implementation lives only in the default provider; there is no legacy
implementation.
The code offered in #16721 is not used; that implementation sits on top of
OpenSSL, this one is embedded inside OpenSSL.
Full test vectors from RFC8452 are included, except the 0 length plaintext;
that is not supported; and I'm not sure it's worthwhile to do so.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18693)
This adds functions for encoding and decoding QUIC frames.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18795)
Checks if header is NULL or not before calling strlen().
CLA: trivial
Fixes#18825
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18865)
CLA: trivial
The description was incorrect. The uncompressed is the default value.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18889)
Directories and file names with spaces require quoting... again
Fixes#18880
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18881)
Currently the SMIME_crlf_copy result is ignored in all usages. It does
return failure when memory allocation fails.
This patch handles the SMIME_crlf_copy return code in all occurrences.
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18876)
The CMS_dataFinal result is important as signature may fail, however, it
is ignored while returning success from CMS_final.
The SMIME_crlf_copy result is returned while it is ignored in the rest
of the openssl code.
Prefer the CMS_dataFinal result.
This is regression from openssl-1.
Blame finds c1669f41ei as root cause of regression.
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18876)
Make the SSL object polymorphic based on whether this is
a traditional SSL connection, QUIC connection, or later
to be implemented a QUIC stream.
It requires adding if after every SSL_CONNECTION_FROM_SSL() call
which itself has to be added to almost every public SSL_ API call.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18612)
The previous commit added support to BIO_s_mem() for using datagrams. We
now add tests for that functionality.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18596)
We introduce a new BIO ctrl that switches a BIO_s_mem() into datagram
mode. Packet boundaries are respected.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18596)
Replaced OSSL_KDF_PARAM_KEY with OSSL_KDF_PARAM_SECRET as that seems to be the intended value from the code (OSSL_KDF_PARAM_KEY is also supported but looks like a fallback).
Fixed name for OSSL_KDF_PARAM_X942_USE_KEYBITS.
CLA: trivial
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18878)
It shouldn't be. This moves the reset to the init function instead and only
does the reset on a key change.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18860)
