Commit Graph

35647 Commits

Author SHA1 Message Date
Dmitry Belyavskiy
8d28402ce3 We can't check policy if we got an empty stack of certs
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25186)
2024-08-17 18:09:15 +02:00
Neil Horman
7c3c7374ce Move docker files to test
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25091)
2024-08-16 14:34:08 -04:00
Neil Horman
4c2242b67c Add workflow to do nightly build of interop container and push to quay
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25091)
2024-08-16 14:34:08 -04:00
Neil Horman
8ffdfea639 Add dockerfile for generation of a quic interop container
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25091)
2024-08-16 14:34:08 -04:00
Bernd Edlinger
d550d2aae5 Fix unpredictible refcount handling of d2i functions
The passed in reference of a ref-counted object
is free'd by d2i functions in the error handling.
However if it is not the last reference, the
in/out reference variable is not set to null here.
This makes it impossible for the caller to handle
the error correctly, because there are numerous
cases where the passed in reference is free'd
and set to null, while in other cases, where the
passed in reference is not free'd, the reference
is left untouched.

Therefore the passed in reference must be set
to NULL even when it was not the last reference.

Fixes #23713

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22809)
2024-08-16 10:07:52 +02:00
Bernd Edlinger
83951a9979 Extend test case for reused PEM_ASN1_read_bio
This is related to #22780, simply add test cases
for the different failure modes of PEM_ASN1_read_bio.
Depending on whether the PEM or the DER format is valid or not,
the passed in CRL may be deleted ot not, therefore a statement
like this:

reused_crl = PEM_read_bio_X509_CRL(b, &reused_crl, NULL, NULL);

must be avoided, because it can create memory leaks.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22809)
2024-08-16 10:07:52 +02:00
Pauli
dcc118cde0 replace static declarations
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)
2024-08-16 11:34:24 +10:00
Pauli
c14003578a Revert "fipsinstall: add ed_no_verify_digested option"
This reverts commit 70b6d57fd9.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)
2024-08-16 11:34:24 +10:00
Pauli
a6aa2d1f03 Revert "doc: add documentation for -eddsa_no_verify_digested fipsinstall option"
This reverts commit b00ea9a6a2.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)
2024-08-16 11:34:24 +10:00
Pauli
682b4fe553 Revert "doc: add verify-digested param for EdDSA"
This reverts commit ab02a297eb.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)
2024-08-16 11:34:24 +10:00
Pauli
3e7334f3c2 Revert "param: add OSSL_SIGNATURE_PARAM_EDDSA_VERIFY_DIGESTED"
This reverts commit 5abd7e5f79.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)
2024-08-16 11:34:24 +10:00
Pauli
f1b17245b6 Revert "fips: add no digested option to FIPS provider"
This reverts commit 889277effb.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)
2024-08-16 11:34:22 +10:00
Pauli
7de4770234 Revert "EdDSA: disallow verification from a pregenerated hash when in FIPS"
This reverts commit 2d759937e2.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)
2024-08-16 11:32:37 +10:00
Pauli
f9e1117cca Revert "test: update EdDSA tests for FIPS and no pre-hashing"
This reverts commit 09eaf16771.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)
2024-08-16 11:32:37 +10:00
Pauli
357e3265a4 Revert "test: omit failing test when using a FIPS provider that supports eddsa_no_verify_digested"
This reverts commit 54933db9f0.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)
2024-08-16 11:32:37 +10:00
Pauli
1348f4b5cf Revert "Apply the FIPS_eddsa_no_verify_digested indicator on prehash EdDSA only"
This reverts commit ca112fccdd.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)
2024-08-16 11:32:37 +10:00
slontis
4b7b40f2f7 FIPS: Remove ability to bypass the FIPS self tests
This is a FIPS 140-3 requirement.
It should not be done as a FIPS indicator.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25147)
2024-08-16 10:14:24 +10:00
slontis
a595d624c8 Change existing evp_test KeyGen Ctrls to use provider algorithm
parameter names.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25008)
2024-08-15 15:21:14 -04:00
slontis
2a53830958 Update evp_test KeyGen
The EVP_PKEY_CTX is now created in keygen_test_run().
keygen_test_parse() inserts all values into KEYGEN_TEST_DATA.
The 'Ctrl' parameters have been changed to just be settables,
rather than using legacy controls.

Added EC keygen tests

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25008)
2024-08-15 15:21:14 -04:00
slontis
e3a453c838 Restrict FIPS EC Keygen to only allow curves with a security strength
>=112 bits

Add a FIPS indicator to EC keygen

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25008)
2024-08-15 15:21:14 -04:00
Matt Caswell
8781087a69 Ensure the msg_callback is called on CCS receipt in TLSv1.3
CCS records are ignore in TLSv1.3. But we should still call the msg_callback
anyway.

Fixes #25166

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25169)
2024-08-15 20:17:39 +02:00
slontis
05681e0e3e Add FIPS Indicator for ECDH cofactor.
FIPS KAS requires use of ECC CDH.

The EC 'B' and 'K' curves have a cofactor that is not 1, and this
MUST be multiplied by the private key when deriving the shared secret.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25139)
2024-08-15 19:48:15 +02:00
Andreas Treichel
0813ffee2f apps/cms.c, apps/smime.c: Fix -crlfeol help messages
CLA: trivial

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24434)
2024-08-15 19:45:20 +02:00
David Benjamin
2ec4e95014 Fix SSL_CTX_set1_groups documentation on preference orders
The documentation currently describes SSL_CTX_set1_groups as a
preference order, but this does not match the typical interpretation of
"preference order" in OpenSSL and TLS. Typically, an application can
order more secure options ahead of less secure ones and pick up TLS's
usual downgrade protection guarantees.

TLS 1.3 servers need to balance an additional consideration: some
options will perform worse than others due to key share prediction. The
prototypical selection procedure is to first select the set of more
secure options, then select the most performant among those.

OpenSSL follows this procedure, but it *unconditionally* treats all
configured curves as equivalent security. Per discussion on GitHub,
OpenSSL's position is that this is an intended behavior.

While not supported by built-in providers, OpenSSL now documents that
external providers can extend the group list and CHANGES.md explicitly
cites post-quantum as a use case. With post-quantum providers, it's
unlikely that application developers actually wanted options to be
equivalent security. To avoid security vulnerabilities arising from
mismatched expectations, update the documentation to clarify the server
behavior.

Per the OTC decision in
https://github.com/openssl/openssl/issues/22203#issuecomment-1744465829,
this documentation fix should be backported to stable branches.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23776)
2024-08-15 19:42:50 +02:00
Bhaskar Metiya
1d2cbd9b5a apps/req.c: No warning reading from stdin if redirected
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25179)
2024-08-15 17:59:28 +02:00
Bhaskar Metiya
02b8b7b836 Return SSL_AD_DECRYPT_ERROR alert on PSK binder validation failure (RFC 8446)
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25176)
2024-08-15 11:21:24 +02:00
Dimitri John Ledkov
8945f406a7 fips: allow to customize provider vendor name
FIPS providers need to specify identifiable names and versions. Allow
to customize the fips provider name prefix, via VERSION.dat which
already allows to customize version & buildinfo. With this patch
in-place it removes the need of patching code to set customized
provider name.

E.g. echo FIPS_VENDOR=ACME >> VERSION.dat, results in

```
$ OPENSSL_CONF=fips-and-base.cnf ../util/wrap.pl ../apps/openssl list -providers --verbose
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.4.0
    status: active
    build info: 3.4.0-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  fips
    name: ACME FIPS Provider for OpenSSL
    version: 3.4.0
    status: active
    build info: 3.4.0-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
      security-checks: integer (arbitrary size)
      tls1-prf-ems-check: integer (arbitrary size)
      drbg-no-trunc-md: integer (arbitrary size)
```

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24368)
2024-08-15 08:33:48 +10:00
Tomas Mraz
ca112fccdd Apply the FIPS_eddsa_no_verify_digested indicator on prehash EdDSA only
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25188)
2024-08-14 14:52:47 -04:00
Matt Caswell
096a54ee45 Don't compile in support for DSA speed testing if not needed
If there is no DSA support in the library we should not compile in support
for speed testing of DSA. We should skip it in much the same way that we
do for other algorithms.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25153)
2024-08-14 18:22:10 +02:00
Matt Caswell
8e82304adb Fix a memory leak in the speed app
Make sure we free the ecdsa_key object after we have finished using it.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25153)
2024-08-14 18:22:10 +02:00
Matt Caswell
509022ddf8 Add a test recipe for testing the speed command
Previously there was no test for the speed command. We just do some simple
testing, running the command with various options to confirm that it doesn't
crash or report errors. We use the new -testmode option to ensure that this
happens quickly and doesn't really run full speed tests.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25153)
2024-08-14 18:22:10 +02:00
Matt Caswell
1867aac808 Document the new -testmode option to the speed command
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25153)
2024-08-14 18:21:28 +02:00
Matt Caswell
9309b0b8c7 Add a test mode to the speed app
We add a testmode option to the speed app which simply runs 1 iteration of
any speed tests. If anything fails along the way the app returns an error
code.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25153)
2024-08-14 18:21:28 +02:00
Shih-Yi Chen
dbe8059edf Update krb5 to latest master to pick up CVE fixes
CLA: trivial

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25131)

(cherry picked from commit 099a71b48b)
2024-08-14 17:57:43 +02:00
slontis
5f04124aab Add EDDSA FIPS self tests.
See FIPS 140-3 IG Section 10.3.A Part 11
Indicates ECDSA requires a sign and verify test.
Note 11 states that HashEdDSA is not required to be tested if PureEdDSA is tested.
Note 12 indicates that both ED25519 and X448 need to be tested.

Since ED uses the oneshot interface, additional API's needed to be exposed to the
FIPS provider using #ifdef FIPS_MODULE.

Changed ED25518 and ED448 to use fips=true in the FIPS provider.
Updated documentation for provider lists for EDDSA.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22112)
2024-08-14 16:17:47 +02:00
Dmitry Belyavskiy
12ba471c29 Improve the EVP_PKEY_CTX_set_kem_op() documentation
Fixes #25142

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25164)
2024-08-14 11:05:11 +02:00
Pauli
21bcae6561 test: Improve coverage for the PBKDF2 unit tests
Fixes #25136

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25160)
2024-08-14 08:17:45 +10:00
Dmitry Belyavskiy
bd3b24c3af Encap/decap in pkeyutl - tests
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25127)
2024-08-13 11:03:11 +02:00
Dmitry Belyavskiy
14fa2f5f47 Encap/decap in pkeyutl - documentation
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25127)
2024-08-13 11:03:11 +02:00
Dmitry Belyavskiy
12b2e5552b Support of en/decapsulation in the pkeyutl command
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25127)
2024-08-13 11:03:11 +02:00
Michael Baentsch
38a7183102 adds TLS signature algorithms list feature
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24821)
2024-08-13 11:48:54 +10:00
pohsingwu
f3c03be3ad Restrict salt length for RSA-PSS in the FIPS provider
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25115)
2024-08-13 09:55:36 +10:00
pohsingwu
878f74eb08 Setup padding mode correctly in acvp_test
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25115)
2024-08-12 10:26:42 +08:00
Pauli
2f33265039 fipsmodule.cnf: set the signature digest checks option on installation
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
2024-08-12 09:30:50 +10:00
Pauli
fc5c86b8c1 fips: support signature-digest-checks in FIPS provider
Fixes #24936

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
2024-08-12 09:30:50 +10:00
Pauli
db9eb0f96c test: add unit tests for disallowed XOF digests
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
2024-08-12 09:30:43 +10:00
Pauli
5ab9f7e249 signatures: disallow XOF digests when doing signatures
Except for Ed448 and RSA PSS where they are mandatory and allow respectively.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
2024-08-12 09:30:43 +10:00
Pauli
d8783a1807 fipsinstall: use correct macro for no drbg trunc digest option
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
2024-08-12 09:30:43 +10:00
Pauli
fcf8390503 test: update fipsinstall tests to cover signature_digest_check option
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
2024-08-12 09:30:43 +10:00
Pauli
c613f080ca Add signature digest check option to fipsinstall
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
2024-08-12 09:30:43 +10:00