Commit Graph

34649 Commits

Author SHA1 Message Date
Drokov Pavel
afd8e29c36 Remove receiving of unused return value
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23277)
2024-01-15 17:19:34 +01:00
Matt Caswell
8aa3781bfc Move discovery of the legacy alg type into the keymgmt
During creation of the EVP_PKEY_CTX we were trying to discover what legacy
alg it corresponds to every time which was slow. Instead we move this into
the construction of the EVP_KEYMGMT.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23265)
2024-01-15 16:37:32 +01:00
Frederik Wedel-Heinen
575117efe1 Error in s_server when -rev option is used with dtls.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23278)
2024-01-15 16:34:06 +01:00
David Benjamin
08cecb4448 Add X509_STORE_get1_objects
X509_STORE_get0_objects returns a pointer to the X509_STORE's storage,
but this function is a bit deceptive. It is practically unusable in a
multi-threaded program. See, for example, RUSTSEC-2023-0072, a security
vulnerability caused by this OpenSSL API.

One might think that, if no other threads are mutating the X509_STORE,
it is safe to read the resulting list. However, the documention does not
mention that other logically-const operations on the X509_STORE, notably
certifcate verifications when a hash_dir is installed, will, under a
lock, write to the X509_STORE. The X509_STORE also internally re-sorts
the list on the first query.

If the caller knows to call X509_STORE_lock and X509_STORE_unlock, it
can work around this. But this is not obvious, and the documentation
does not discuss how X509_STORE_lock is very rarely safe to use. E.g.
one cannot call any APIs like X509_STORE_add_cert or
X509_STORE_CTX_get1_issuer while holding the lock because those
functions internally expect to take the lock. (X509_STORE_lock is
another such API which is not safe to export as public API.)

Rather than leave all this to the caller to figure out, the API should
have returned a shallow copy of the list, refcounting the values. Then
it could be internally locked and the caller can freely inspect the
result without synchronization with the X509_STORE.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23224)
2024-01-15 16:29:54 +01:00
Gopal Sharma
ffeae4c4e7 Removed logically dead code from function i2r_issuer_sign_tool
Since new_line is assigned with 0 in the very begging of the function check added at line no. 106 will never become true. Hence removing.

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23284)
2024-01-15 08:55:06 -05:00
Tomas Mraz
38b2508f63 Add CHANGES.md and NEWS.md entries for CVE-2023-6237
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23243)
2024-01-15 10:54:34 +01:00
Tomas Mraz
e09fc1d746 Limit the execution time of RSA public key check
Fixes CVE-2023-6237

If a large and incorrect RSA public key is checked with
EVP_PKEY_public_check() the computation could take very long time
due to no limit being applied to the RSA public key size and
unnecessarily high number of Miller-Rabin algorithm rounds
used for non-primality check of the modulus.

Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
Also the number of Miller-Rabin rounds was set to 5.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23243)
2024-01-15 10:54:34 +01:00
Drokov Pavel
486ab0fb00 Fix arithmetic expression overflow
If the value of a->length is large (>= 2^12), then an integer overflow will
occur for the signed type, which according to the C standard is UB.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23274)
2024-01-15 10:49:25 +01:00
Akshat Maheshwari
441b3b7ba1 Fix grammar in documentation
CLA: trivial

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23266)
2024-01-15 10:46:35 +01:00
barracuda156
7068e5e2dc poly1305_ieee754.c: fix PowerPC macros
Fixes #23264

cla: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23267)
2024-01-15 10:45:07 +01:00
Drokov Pavel
6b92a966e0 Check ASN1_OBJECT_new result
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23270)
2024-01-15 10:43:44 +01:00
Job Snijders
4e5bf93313 Add apps/x509 -set_issuer & -set_subject option to override issuer & subject
This changeset adds the counterpart to the '-subj' option to allow overriding
the Issuer. For consistency, the `-subj` option is aliased to `-set_subject`.

The issuer can be specified as following apps/openssl x509 -new -set_issuer
'/CN=example-nro-ta' -subj '/CN=2a7dd1d787d793e4c8af56e197d4eed92af6ba13' ...

This is useful in constructing specific test-cases or rechaining PKI trees

Joint work with George Michaelson (@geeohgeegeeoh)

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23257)
2024-01-15 10:40:01 +01:00
barracuda156
df04e81794 aes_platform.h, gcm128.c: fix Darwin PowerPC macro to include ppc64
Current PowerPC-related defines omit Darwin ppc64 case.
Use __POWERPC__ in place of __ppc__ + __ppc64__
Fixes #23220

CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23245)
2024-01-12 19:33:33 +01:00
sharad3001
d8184e982c ossl_rsa_fips186_4_gen_prob_primes(): Remove unused Xpout and Xqout
CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23253)
2024-01-12 17:28:14 +01:00
Richard Levitte
d4d9b57530 Add test/recipes/15-test_gensm2.t, to test SM2 key generation results
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22529)
2024-01-12 11:07:39 +01:00
Richard Levitte
1d490694df Fix the encoding of SM2 keys
OpenSSL's encoding of SM2 keys used the SM2 OID for the algorithm OID
where an AlgorithmIdentifier is encoded (for encoding into the structures
PrivateKeyInfo and SubjectPublicKeyInfo).

Such keys should be encoded as ECC keys.

Fixes #22184

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22529)
2024-01-12 11:07:39 +01:00
Neil Horman
0981c20f8e Fix NULL pointer deref when parsing the stable section
When parsing the stable section of a config such as this:
openssl_conf = openssl_init
[openssl_init]
stbl_section = mstbl
[mstbl]
id-tc26 = min

Can lead to a SIGSEGV, as the parsing code doesnt recognize min as a
proper section name without a trailing colon to associate it with a
value.  As a result the stack of configuration values has an entry with
a null value in it, which leads to the SIGSEGV in do_tcreate when we
attempt to pass NULL to strtoul.

Fix it by skipping any entry in the config name/value list that has a
null value, prior to passing it to stroul

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22988)
2024-01-12 10:37:22 +01:00
Holger Dengler
3cb1b51ddd Add tests for re-using cipher contexts
Add test case for re-using a cipher context with the same key, iv and
cipher. It detects, if the hardware-specific cipher context is reset
correctly, like reported in issue #23175.

This test has encrypt and decrypt iterations for cfb128 and
ofb128. All iteations use the same key, iv and plaintext.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23201)
2024-01-12 10:34:39 +01:00
Holger Dengler
f9ccd209c3 Fix partial block encryption in cfb and ofb for s390x (legacy)
Use the number of processed bytes information (num) from the generic
cipher context for the partial block handling in cfb and ofb also in
s390x-legacy code. For more details see 4df92c1a14 ("Fix partial block
encryption in cfb and ofb for s390x").

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23201)
2024-01-12 10:34:39 +01:00
Holger Dengler
576a3572be Fix partial block encryption in cfb and ofb for s390x
Use the number of processed bytes information (num) from the generic
cipher context for the partial block handling in cfb and ofb, instead
of keep this information in the s390x-specific part of the cipher
context. The information in the generic context is reset properly,
even if the context is re-initialized without resetting the key or iv.

Fixes: #23175

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23201)
2024-01-12 10:34:39 +01:00
Fs
0856bf519f uplink-x86_64.pl: make x86_64-xlate.pl accept $flavour parameter
Match behavior of all other x86_64 asm.

CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23219)
2024-01-12 08:56:14 +01:00
Hugo Landau
9eabb30ab4 QUIC RCIDM: Minor updates
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23022)
2024-01-11 11:16:27 +01:00
Hugo Landau
ad08c814d8 Update fuzz corpora
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23022)
2024-01-11 11:14:18 +01:00
Hugo Landau
8e1593e647 QUIC RCIDM: Update fuzz corpora
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23022)
2024-01-11 11:14:18 +01:00
Hugo Landau
3ba9345eb9 QUIC RCIDM: Fix ANSI compliance
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23022)
2024-01-11 11:14:18 +01:00
Hugo Landau
433ef94187 QUIC RCIDM: Add test
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23022)
2024-01-11 11:14:18 +01:00
Hugo Landau
9575b21851 QUIC RCIDM: Add counters to support RCID count enforcement
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23022)
2024-01-11 11:14:18 +01:00
Hugo Landau
044fd04cb4 QUIC SRTM: Fixes for clang
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23022)
2024-01-11 11:14:18 +01:00
Hugo Landau
3fe0899ab7 QUIC RCIDM: Minor fixes
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23022)
2024-01-11 11:14:18 +01:00
Hugo Landau
d0bac943c9 QUIC RCIDM: Add fuzzer
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23022)
2024-01-11 11:14:18 +01:00
Hugo Landau
63f77f0454 QUIC RCIDM: Add RCIDM
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23022)
2024-01-11 11:14:18 +01:00
Neil Horman
7c1d533a51 Update Docs for EVP_MAC
For GMAC/CMAC, its not possible to re-init the algorithm without
explicitly passing an OSSL_MAC_PARAM_IV to each init call, as it is
not possible to extract the IV value from the prior init call (be it
explicitly passed or auto generated).  As such, document the fact that
re-initalization requires passing an IV parameter

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23235)
2024-01-11 11:12:10 +01:00
Tomas Mraz
493ad484e9 Disable build of HWAES on PPC Macs
Fixes #22818

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22860)
2024-01-11 11:08:31 +01:00
sashan
da840c3775 evp_fetch.c: Check meth_id instead of name_id
Fixes #23226

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23238)
2024-01-11 10:18:25 +01:00
James Muir
ff7b32e1d7 doc: "digest" must be explicitly set with deterministic ECDSA/DSA
Fixes #23205

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23250)
2024-01-11 10:15:03 +01:00
Frederik Wedel-Heinen
0a40b23cb8 Remove wpend_ret that was only assigned and never used.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23191)
2024-01-11 10:04:14 +01:00
Bernd Edlinger
3980118484 Fix a similar memory leak in SXNET_add_id_INTEGER
Even in the good case there was memory leak here.
Add a simple test case to have at least some test coverage.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23234)
2024-01-10 17:59:53 +01:00
Bernd Edlinger
0151e77219 Fix a possible memory leak in sxnet_v2i
When a subsequent call to SXNET_add_id_asc fails
e.g. because user is a string larger than 64 char
or the zone is a duplicate zone id,
or the zone is not an integer,
a memory leak may be the result.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23234)
2024-01-10 17:59:53 +01:00
fangming.fang
1d1ca79fe3 Preserve callee-saved registers in aarch64 AES-CTR code
The AES-CTR assembly code uses v8-v15 registers, they are
callee-saved registers, they must be preserved before the
use and restored after the use.

Change-Id: If9192d1f0f3cea7295f4b0d72ace88e6e8067493

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23233)
2024-01-10 09:52:15 +01:00
Neil Horman
806bbafe2d Check appropriate OSSL_PARAM_get_* functions for NULL
The base type OSSL_PARAM getters will NULL deref if they are initalized
as null.  Add NULL checks for those parameters that have no expectation
of returning null (int32/64/uint32/64/BN).  Other types can be left as
allowing NULL, as a NULL setting may be meaningful (string, utf8str,
octet string, etc).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23083)
2024-01-09 16:56:55 +01:00
Tomas Mraz
858c7bc210 Add CHANGES.md and NEWS.md entries for CVE-2023-6129
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23200)
2024-01-09 15:45:44 +01:00
Rohan McLure
8d847a3ffd poly1305-ppc.pl: Fix vector register clobbering
Fixes CVE-2023-6129

The POLY1305 MAC (message authentication code) implementation in OpenSSL for
PowerPC CPUs saves the the contents of vector registers in different order
than they are restored. Thus the contents of some of these vector registers
is corrupted when returning to the caller. The vulnerable code is used only
on newer PowerPC processors supporting the PowerISA 2.07 instructions.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23200)
2024-01-09 15:45:32 +01:00
Tomas Mraz
5dc2b72df7 Sync CHANGES.md and NEWS.md with 3.2 branch
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23200)
2024-01-09 15:45:32 +01:00
Neil Horman
f3be536686 Augment RSA provider to generate CRT coefficients on EVP_PKEY_fromdata()
It would be helpful to be able to generate RSA's dmp1/dmq1/iqmp values
when not provided in the param list to EVP_PKEY_fromdata.  Augment the
provider in ossl_rsa_fromdata to preform this generation iff:
a) At least p q n e and e are provided
b) the new parameter OSSL_PARAM_RSA_DERIVE_PQ is set to 1

Fixes #21826

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21875)
2024-01-09 12:03:32 +01:00
Will Sackfield
0a22436ea5 Fail the Configure script with no Configurations
* Print a message about why the failure is
happening.
* Send the usage information.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22855)
2024-01-08 14:17:16 +01:00
Tomas Mraz
7054fc1ca3 Avoid memory leak if SXNET_add_id_INTEGER() fails
Fixes Coverity 1560046

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23211)
2024-01-08 13:51:45 +01:00
Richard Levitte
8d8c1600ae VMS: Add the missing -p32 and -p64 variants for x86_64
The pointer size support is already in the code, and is present for
all other supported hardwares.

Fixes #22899

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23081)

(cherry picked from commit a43f253d58)
2024-01-08 07:28:19 +01:00
Richard Levitte
3077bfb78e Fix VMS installation - update vmsconfig.pm for consistency
An effort was made to update the VMS installation data to align with
configuration data.  This touched the script templates in VMS/, but
didn't update the generation of vmsconfig.pm to match...  and also
missed a spot.

This change adds the missing updates

Ref:
https://github.com/openssl/openssl/pull/16842

Fixes #22899

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23081)

(cherry picked from commit 4058e121cb)
2024-01-08 07:28:19 +01:00
Neil Horman
5963aa8c19 cleanse stack variable in kdf_pbkdf1_do_derive
kdf_pbkdf1_do_derive stores key derivation information in a stack
variable, which is left uncleansed prior to returning.  Ensure that the
stack information is zeroed prior to return to avoid potential leaks of
key information

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23194)
2024-01-05 14:25:55 -05:00
Neil Horman
bac7e687d7 Validate config options during x509 extension creation
There are several points during x509 extension creation which rely on
configuration options which may have been incorrectly parsed due to
invalid settings.  Preform a value check for null in those locations to
avoid various crashes/undefined behaviors

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23183)
2024-01-05 13:20:34 -05:00