Commit Graph

28667 Commits

Author SHA1 Message Date
Pauli
4551763efc doc: life-cycle descritpion for MACs
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
2021-03-26 18:21:37 +10:00
Pauli
10b63e9756 doc: note that MAC lifecycle transitions will be enforced at some point
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
2021-03-26 18:21:37 +10:00
Pauli
b0b63654e9 doc: life-cycle descritpion for RANDs
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
2021-03-26 18:21:37 +10:00
Pauli
632bc4dff3 doc: note that RAND lifecycle transitions will be enforced at some point
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
2021-03-26 18:21:36 +10:00
Pauli
77d12ae049 doc: life-cycle description for KDFs/PRFs
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
2021-03-26 18:21:36 +10:00
Pauli
2e1a40d037 doc: note that KDF/PRF transitions will be enforced at some future point
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
2021-03-26 18:21:36 +10:00
Pauli
4aac71f705 doc: add life-cycle source files
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
2021-03-26 18:21:36 +10:00
Pauli
8c63532002 test: fix coverity 1473609 & 1473610: unchecked return values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:02 +10:00
Pauli
8eca93f8fb evp: fix coverity 1473378: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:02 +10:00
Pauli
27f37279df params: fix coverity 1473069: unchecked return values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:02 +10:00
Pauli
40d6e05cf8 evp: fix coverity 1467500 & 1467502: unchecked return values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:02 +10:00
Pauli
8cdcb63fc0 apps: fix coverity 1455340: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:02 +10:00
Pauli
3352a4f6fa test: fix coverity 1451550: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:02 +10:00
Pauli
f47865156a test: fix coverity 1429210: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:02 +10:00
Pauli
b8cb90cdb6 test: fix coverity 1416888: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:01 +10:00
Pauli
0d2b8bd261 test: fix coverity 1414451: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:01 +10:00
Pauli
a02d70dd51 apps: fix coverity 1358776, 1451513, 1451519, 1451531 & 1473387: unchecked return values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:01 +10:00
Pauli
6a6844a219 test: fix coverity 1338157: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:01 +10:00
Pauli
3c4c8dd84a encoder: fix coverity 1473235: null dereference
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14618)
2021-03-26 08:44:04 +10:00
Pauli
26d5244253 apps: fix coverity 1470781: explicit null dereference
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14618)
2021-03-26 08:44:04 +10:00
Pauli
fbe286a36e sm2: fix coverity 1467503: explicit null dereference
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14618)
2021-03-26 08:44:04 +10:00
Pauli
993237a8b6 rsa: fix coverity 1463571: explicit null dereference
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14618)
2021-03-26 08:44:04 +10:00
Pauli
8f4cddbc90 rand: fix coverity 1473636: data race condition
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14651)
2021-03-26 08:41:32 +10:00
Pauli
9aa4be691f x509: fix coverity 1474424: data race condition
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14651)
2021-03-26 08:41:32 +10:00
Pauli
96a68f21c3 x509: fix coverity 1461225: data race condition
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14651)
2021-03-26 08:41:32 +10:00
Tomas Mraz
4f0831b837 EVP_PKCS82PKEY: Create provided keys if possible
Use OSSL_DECODER to decode the PKCS8 data to create provided keys.

If that fails fallback to the legacy implementation.

Fixes #14302

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14659)
2021-03-25 15:24:00 +01:00
Matt Caswell
468d9d5564 Update CHANGES.md and NEWS.md for new release
Reviewed-by: Tomas Mraz <tomas@openssl.org>
2021-03-25 13:12:42 +00:00
Matt Caswell
39a140597d Ensure buffer/length pairs are always in sync
Following on from CVE-2021-3449 which was caused by a non-zero length
associated with a NULL buffer, other buffer/length pairs are updated to
ensure that they too are always in sync.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
2021-03-25 09:48:08 +00:00
Peter Kaestle
02b1636fe3 ssl sigalg extension: fix NULL pointer dereference
As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's
possible to crash an openssl tls secured server remotely by sending a
manipulated hello message in a rehandshake.

On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls
tls12_shared_sigalgs() with the peer_sigalgslen of the previous
handshake, while the peer_sigalgs has been freed.
As a result tls12_shared_sigalgs() walks over the available
peer_sigalgs and tries to access data of a NULL pointer.

This issue was introduced by c589c34e61 (Add support for the TLS 1.3
signature_algorithms_cert extension, 2018-01-11).

Signed-off-by: Peter Kästle <peter.kaestle@nokia.com>
Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>

CVE-2021-3449

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2021-03-25 09:48:08 +00:00
Matt Caswell
112580c27b Add a test for CVE-2021-3449
We perform a reneg handshake, where the second ClientHello drops the
sig_algs extension. It must also contain cert_sig_algs for the test to
work.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
2021-03-25 09:48:08 +00:00
Matt Caswell
ae937a096c Teach TLSProxy how to encrypt <= TLSv1.2 ETM records
Previously TLSProxy only knew how to "repack" messages for TLSv1.3.
Most of the handshake in <= TLSv1.2 is unencrypted so this hasn't been
too much of restriction. However we now want to modify reneg handshakes
which are encrypted so we need to add that capability.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
2021-03-25 09:48:08 +00:00
Rich Salz
eb78f95523 Make fipsinstall -out flag optional
If -out is not specified, send output to stdout.
Fix documentation errors.
Remove "-out -" from an invocation.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14623)
2021-03-24 17:46:40 +01:00
Andrey Matyukov
b238e78fe8 Rearranged .pdata entries in rsaz-avx512.pl to make them properly ordered.
Fixes #14660: Windows linking error

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14665)
2021-03-24 09:11:55 +00:00
Shane Lontis
1f085af02c Add coveralls to CI
Fixes #14013

Coverage reports were no longer generated when travis stopped being used.
This github action workflow schedules a coverage report once a week.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14526)
2021-03-24 18:31:11 +10:00
Juergen Christ
c08138e500 Fix compilation under -Werror
With strict warnings and warnings as error, openssl currently does not compile
due to a missing include.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14640)
2021-03-24 10:34:24 +10:00
FdaSilvaYY
0dd19e750f Fix a windows build break
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14635)
2021-03-24 10:04:08 +10:00
Pauli
218e1263c4 ec_keymgmt: fix coverity 1474427: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14637)
2021-03-24 09:40:26 +10:00
Pauli
9d8c53ed16 dh: fix coverty 1474423: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14637)
2021-03-24 09:40:26 +10:00
Pauli
9ca269af63 apps: fix coverity 1451544: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00
Pauli
66325793cc test: fix coverity 1451534: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00
Pauli
69fb52e028 test: fix coverity 1469427: impropery use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00
Pauli
51d1991ecd test: fix coverity 1454812: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00
Pauli
9ba18520ff test: fix coverity 1451574: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00
Pauli
1634b2df9f enc: fix coverity 1451499, 1451501, 1451506, 1451507, 1351511, 1451514, 1451517, 1451523, 1451526m 1451528, 1451539, 1451441, 1451549, 1451568 & 1451572: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00
Pauli
fe10fa7521 test: fix coverity 1371689 & 1371690: improper use of negative values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00
Pauli
5a14bd153a apps: fix coverity 271258: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00
Pauli
a60b533125 err: fix coverity 1452768: dereference after null check
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00
Pauli
711d7ca594 pem: fix coverity 1474426: uninitialised scalar variable.
Based on the value, it would with work properly or produce an error.  Most likely seems to have been the former.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00
Matt Caswell
a669418c8e Be more selective about copying libcrypto symbols into legacy.so
Some private libcrypto symbols are also included in legacy.so.
Unfortunately this included some files with "RUN_ONCE" functions and
global data. This doesn't get properly cleaned up when OpenSSL exits.
Therefore we are more selective about the symbols we include in legacy.so.

Fixes #13560

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14646)
2021-03-23 17:24:47 +00:00
Randall S. Becker
ccdfcf07d9 Disable fips-securitychecks if no-fips is configured.
Fixes: #14629

Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14634)
2021-03-23 16:19:44 +00:00