Commit Graph

28674 Commits

Author SHA1 Message Date
Richard Levitte
53eecb5de5 TEST: Cleanup test recipes
Name mixups cleared, and a few more test case result files that
arent't removed, making forensics on failed tests easier.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14505)
2021-03-27 09:03:55 +01:00
Tomas Mraz
bf5b37cedf Make the SM2 group the default group for the SM2 algorithm
Fixes #14481

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14684)
2021-03-26 16:11:09 +01:00
Tomas Mraz
cede07dc51 Remove the external BoringSSL test
Fixes #14424

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14682)
2021-03-26 14:24:06 +01:00
Alexander Traud
6b2e51dd36 ssl/ssl_ciph.c: update format string, again
Commit 2664810 changed everything except the encoding.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14673)
2021-03-26 13:42:01 +01:00
Dr. David von Oheimb
6466cc97e8 HTTP: Fix mem leak of OSSL_HTTP_REQ_CTX_transfer(), rename to ossl_http_req_ctx_transfer()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14678)
2021-03-26 13:25:55 +01:00
Dr. David von Oheimb
1c8505fb7d HTTP: Rename OSSL_HTTP_REQ_CTX_i2d() to OSSL_HTTP_REQ_CTX_set1_req()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14677)
2021-03-26 13:22:41 +01:00
Richard Levitte
814581bb7a RSA-PSS: When printing parameters, always print the trailerfield ASN.1 value
The legacy implementation would print the ASN.1 value of the trailerfield,
except when it wasn't set (i.e. is default).

For better consistency, we now always print the ASN.1 value, both in the
legacy and the provided implementation.

Fixes #14363

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14676)
2021-03-26 11:25:48 +01:00
Pauli
4551763efc doc: life-cycle descritpion for MACs
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
2021-03-26 18:21:37 +10:00
Pauli
10b63e9756 doc: note that MAC lifecycle transitions will be enforced at some point
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
2021-03-26 18:21:37 +10:00
Pauli
b0b63654e9 doc: life-cycle descritpion for RANDs
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
2021-03-26 18:21:37 +10:00
Pauli
632bc4dff3 doc: note that RAND lifecycle transitions will be enforced at some point
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
2021-03-26 18:21:36 +10:00
Pauli
77d12ae049 doc: life-cycle description for KDFs/PRFs
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
2021-03-26 18:21:36 +10:00
Pauli
2e1a40d037 doc: note that KDF/PRF transitions will be enforced at some future point
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
2021-03-26 18:21:36 +10:00
Pauli
4aac71f705 doc: add life-cycle source files
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
2021-03-26 18:21:36 +10:00
Pauli
8c63532002 test: fix coverity 1473609 & 1473610: unchecked return values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:02 +10:00
Pauli
8eca93f8fb evp: fix coverity 1473378: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:02 +10:00
Pauli
27f37279df params: fix coverity 1473069: unchecked return values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:02 +10:00
Pauli
40d6e05cf8 evp: fix coverity 1467500 & 1467502: unchecked return values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:02 +10:00
Pauli
8cdcb63fc0 apps: fix coverity 1455340: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:02 +10:00
Pauli
3352a4f6fa test: fix coverity 1451550: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:02 +10:00
Pauli
f47865156a test: fix coverity 1429210: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:02 +10:00
Pauli
b8cb90cdb6 test: fix coverity 1416888: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:01 +10:00
Pauli
0d2b8bd261 test: fix coverity 1414451: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:01 +10:00
Pauli
a02d70dd51 apps: fix coverity 1358776, 1451513, 1451519, 1451531 & 1473387: unchecked return values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:01 +10:00
Pauli
6a6844a219 test: fix coverity 1338157: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:01 +10:00
Pauli
3c4c8dd84a encoder: fix coverity 1473235: null dereference
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14618)
2021-03-26 08:44:04 +10:00
Pauli
26d5244253 apps: fix coverity 1470781: explicit null dereference
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14618)
2021-03-26 08:44:04 +10:00
Pauli
fbe286a36e sm2: fix coverity 1467503: explicit null dereference
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14618)
2021-03-26 08:44:04 +10:00
Pauli
993237a8b6 rsa: fix coverity 1463571: explicit null dereference
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14618)
2021-03-26 08:44:04 +10:00
Pauli
8f4cddbc90 rand: fix coverity 1473636: data race condition
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14651)
2021-03-26 08:41:32 +10:00
Pauli
9aa4be691f x509: fix coverity 1474424: data race condition
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14651)
2021-03-26 08:41:32 +10:00
Pauli
96a68f21c3 x509: fix coverity 1461225: data race condition
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14651)
2021-03-26 08:41:32 +10:00
Tomas Mraz
4f0831b837 EVP_PKCS82PKEY: Create provided keys if possible
Use OSSL_DECODER to decode the PKCS8 data to create provided keys.

If that fails fallback to the legacy implementation.

Fixes #14302

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14659)
2021-03-25 15:24:00 +01:00
Matt Caswell
468d9d5564 Update CHANGES.md and NEWS.md for new release
Reviewed-by: Tomas Mraz <tomas@openssl.org>
2021-03-25 13:12:42 +00:00
Matt Caswell
39a140597d Ensure buffer/length pairs are always in sync
Following on from CVE-2021-3449 which was caused by a non-zero length
associated with a NULL buffer, other buffer/length pairs are updated to
ensure that they too are always in sync.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
2021-03-25 09:48:08 +00:00
Peter Kaestle
02b1636fe3 ssl sigalg extension: fix NULL pointer dereference
As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's
possible to crash an openssl tls secured server remotely by sending a
manipulated hello message in a rehandshake.

On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls
tls12_shared_sigalgs() with the peer_sigalgslen of the previous
handshake, while the peer_sigalgs has been freed.
As a result tls12_shared_sigalgs() walks over the available
peer_sigalgs and tries to access data of a NULL pointer.

This issue was introduced by c589c34e61 (Add support for the TLS 1.3
signature_algorithms_cert extension, 2018-01-11).

Signed-off-by: Peter Kästle <peter.kaestle@nokia.com>
Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>

CVE-2021-3449

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2021-03-25 09:48:08 +00:00
Matt Caswell
112580c27b Add a test for CVE-2021-3449
We perform a reneg handshake, where the second ClientHello drops the
sig_algs extension. It must also contain cert_sig_algs for the test to
work.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
2021-03-25 09:48:08 +00:00
Matt Caswell
ae937a096c Teach TLSProxy how to encrypt <= TLSv1.2 ETM records
Previously TLSProxy only knew how to "repack" messages for TLSv1.3.
Most of the handshake in <= TLSv1.2 is unencrypted so this hasn't been
too much of restriction. However we now want to modify reneg handshakes
which are encrypted so we need to add that capability.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
2021-03-25 09:48:08 +00:00
Rich Salz
eb78f95523 Make fipsinstall -out flag optional
If -out is not specified, send output to stdout.
Fix documentation errors.
Remove "-out -" from an invocation.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14623)
2021-03-24 17:46:40 +01:00
Andrey Matyukov
b238e78fe8 Rearranged .pdata entries in rsaz-avx512.pl to make them properly ordered.
Fixes #14660: Windows linking error

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14665)
2021-03-24 09:11:55 +00:00
Shane Lontis
1f085af02c Add coveralls to CI
Fixes #14013

Coverage reports were no longer generated when travis stopped being used.
This github action workflow schedules a coverage report once a week.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14526)
2021-03-24 18:31:11 +10:00
Juergen Christ
c08138e500 Fix compilation under -Werror
With strict warnings and warnings as error, openssl currently does not compile
due to a missing include.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14640)
2021-03-24 10:34:24 +10:00
FdaSilvaYY
0dd19e750f Fix a windows build break
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14635)
2021-03-24 10:04:08 +10:00
Pauli
218e1263c4 ec_keymgmt: fix coverity 1474427: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14637)
2021-03-24 09:40:26 +10:00
Pauli
9d8c53ed16 dh: fix coverty 1474423: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14637)
2021-03-24 09:40:26 +10:00
Pauli
9ca269af63 apps: fix coverity 1451544: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00
Pauli
66325793cc test: fix coverity 1451534: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00
Pauli
69fb52e028 test: fix coverity 1469427: impropery use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00
Pauli
51d1991ecd test: fix coverity 1454812: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00
Pauli
9ba18520ff test: fix coverity 1451574: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00