mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-02-11 14:22:43 +08:00
Code Issues Packages Projects Releases Wiki Activity
35,806 Commits 34 Branches 385 Tags 461 MiB
f6b2ab0ba4
Commit Graph

35806 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
pohsingwu
f3c03be3ad Restrict salt length for RSA-PSS in the FIPS provider 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25115)
 2024-08-13 09:55:36 +10:00
pohsingwu
878f74eb08 Setup padding mode correctly in acvp_test 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25115)
 2024-08-12 10:26:42 +08:00
Pauli
2f33265039 fipsmodule.cnf: set the signature digest checks option on installation 
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
 2024-08-12 09:30:50 +10:00
Pauli
fc5c86b8c1 fips: support signature-digest-checks in FIPS provider 
Fixes #24936

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
 2024-08-12 09:30:50 +10:00
Pauli
db9eb0f96c test: add unit tests for disallowed XOF digests 
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
 2024-08-12 09:30:43 +10:00
Pauli
5ab9f7e249 signatures: disallow XOF digests when doing signatures 
Except for Ed448 and RSA PSS where they are mandatory and allow respectively.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
 2024-08-12 09:30:43 +10:00
Pauli
d8783a1807 fipsinstall: use correct macro for no drbg trunc digest option 
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
 2024-08-12 09:30:43 +10:00
Pauli
fcf8390503 test: update fipsinstall tests to cover signature_digest_check option 
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
 2024-08-12 09:30:43 +10:00
Pauli
c613f080ca Add signature digest check option to fipsinstall 
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
 2024-08-12 09:30:43 +10:00
Pauli
5d6e692c36 doc: document -signature_digest_check option to fipsinstall 
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
 2024-08-12 09:30:42 +10:00
Neil Horman
a46abbd66e Fix typing on call to interlockedExchange for windows 
mingw is complaining on builds about the use of InterlockedExchange on a
uint32_t type, as the input parameter here is expected to be LONG
(defined as signed 32 bit on all versions of windows).

the input value (reader_idx) will never grow larger than the group size
of the lock (nominally 2, but always a reasonably small value), so it
should be safe to just cast it to the appropriate type here.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25015)
 2024-08-11 08:23:19 -04:00
Dmitry Belyavskiy
d7b659e185 Fix PBMAC1 MAC verification in FIPS mode 
The check for fetchability PKCS12KDF doesn't make sense when we have a
different MAC mechanism

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25144)
 2024-08-11 10:11:33 +02:00
Pauli
3416c0bff9 test: add error reasons to KBKDF tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:36:03 +10:00
Pauli
fb51e4f611 test: add positive FIPS indicator failure tests for DRBGs 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:36:03 +10:00
Pauli
dc16db61f1 test: add error reasons to TLS 1 PRF tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:54 +10:00
Pauli
90f64d064e test: add error reasons to X9.63 test 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:54 +10:00
Pauli
0acf9f8934 test: add error reasons to X9.42 test 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:54 +10:00
Pauli
41a9aeb672 test: add error reasons to TLS 1.3 KDF tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:54 +10:00
Pauli
a969c466b1 test: add error reasons to TLS 1.2 PRF tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:54 +10:00
Pauli
3cccd17eed test: add error reasons to Single Step KDF tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:54 +10:00
Pauli
20284908c4 test: add error reasons to SSHKDF tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:54 +10:00
Pauli
bb3b3abfd5 test: add error reasons to PBKDF2 tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:54 +10:00
Pauli
8c24acda18 test: add error reasons to HKDF tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:54 +10:00
Pauli
77915ae8eb test: add error reasons to KMAC tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:53 +10:00
Pauli
068c9bee37 test: add error reasons to RSA tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:53 +10:00
Pauli
8e316edd71 fips: change from function call to macro in rsa_enc.c 
Use of the function instead of the macro for the indicator unapproved check was
noted in: https://github.com/openssl/openssl/pull/25070#discussion_r1706564363
Fix things to use the macro properly.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25134)
 2024-08-10 16:34:51 +10:00
Neil Horman
11adb943ab amend! fixup! limit bignums to 512 bytes 
fixup! limit bignums to 512 bytes

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25013)
 2024-08-09 07:59:03 -04:00
Neil Horman
f0768376e1 limit bignums to 128 bytes 
Keep us from spinning forever doing huge amounts of math in the fuzzer

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25013)
 2024-08-09 07:59:03 -04:00
slontis
250a7adbea Add "no-fips-post" configure option. 
Using this option disables the OpenSSL FIPS provider
self tests.
This is intended for debugging purposes only,
as it breaks FIPS compliance.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25063)
 2024-08-09 09:12:45 +10:00
slontis
ea3888a397 Fix FIPS indicator defines for larger indicies. 
A newer PR is using setable3 now so these indicies should be fixed.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25118)
 2024-08-09 07:16:29 +10:00
Pauli
fd39d1c80c test: add negative tests for KBKDF key size check under FIPS 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
 2024-08-08 08:44:42 +10:00
Pauli
ae87c48895 fips: add kbkdf key length check as per SP 800-131a revision 2 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
 2024-08-08 08:44:38 +10:00
Pauli
6cb6b17171 fips: add kbkdf key check checking function 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
 2024-08-08 08:43:00 +10:00
Pauli
57fb8841dc doc: docment key-check param for kbkdf 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
 2024-08-08 08:42:59 +10:00
Pauli
8d52cf525b doc: document kbkdf key check argument for fipsinstall 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
 2024-08-08 08:42:59 +10:00
Pauli
243b7f399a fips: install with the kbkdf key check option set 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
 2024-08-08 08:42:59 +10:00
Pauli
c2b8af893f params: add kbkdf key check param 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
 2024-08-08 08:42:59 +10:00
Pauli
090247b2e2 fipsinstall: add kbkdf key check option 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
 2024-08-08 08:42:59 +10:00
JulieDzeze1
e77eb1dc0b Update BN_add.pod documentation so it is consistent with header declarations 
CLA: trivial

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24215)
 2024-08-07 19:55:57 +02:00
Mathis Marion
de8861a7e3 Remove duplicate colon in otherName display 
The colon is already added in X509V3_EXT_val_prn(). In fact, the other
branches from i2v_GENERAL_NAME() do not include a trailing colon.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23428)
 2024-08-07 19:53:49 +02:00
Mathis Marion
387491d537 Add OIDs id-kp-wisun-fan-device and id-on-hardwareModule 
Sub-OIDs for {iso(1) identified-organization(3) dod(6) internet(1)
private(4) enterprise(1) 45605} are recorded in the document "Wi-SUN
Assigned Value Registry" (WAVR).

OID id-on-hardwareModule is defined in RFC 4108.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23428)
 2024-08-07 19:53:19 +02:00
Matt Caswell
c0c4e6ba0a Remove the event queue code 
PR #18345 added some code for an event queue. It also added a test for it.
Unfortunately this event queue code has never been used for anything.
Additionally the test was never integrated into a test recipe, so it never
actually gets invoked via "make test". This makes the code entirely dead,
unnecessarily bloats the size of libssl and causes a decrease in our
testing code coverage value.

We remove the dead code.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25100)
 2024-08-07 19:48:26 +02:00
Tomas Mraz
e70e34d857 dh_kmgmt.c: Avoid expensive public key validation for known safe-prime groups 
The partial validation is fully sufficient to check the key validity.

Thanks to Szilárd Pfeiffer for reporting the issue.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25088)
 2024-08-07 19:47:00 +02:00
Tomas Mraz
7bcfb41489 ossl_print_attribute_value(): use a sequence value only if type is a sequence 
Move the switch to print a distinguished name inside the
switch by the printed attribute type, otherwise a malformed
attribute will cause a crash.

Updated the fuzz corpora with the testcase

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25087)
 2024-08-07 19:43:34 +02:00
Tomas Mraz
217e215e99 rsa_pss_compute_saltlen(): Avoid integer overflows and check MD and RSA sizes 
Fixes Coverity 1604651

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25085)
 2024-08-07 19:41:52 +02:00
Tomas Mraz
e3e15e77f1 do_print_ex(): Avoid possible integer overflow 
Fixes Coverity 1604657
Fixes openssl/project#780

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25084)
 2024-08-07 19:39:26 +02:00
Pauli
00f32b22b8 test: update SSL API test in light of PKCS#1 version 1.5 padding change under FIPS 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25070)
 2024-08-07 19:35:51 +02:00
Pauli
d0575619ad test: update SSL old test in light of PKCS#1 version 1.5 padding change under FIPS 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25070)
 2024-08-07 19:35:51 +02:00
Pauli
449bc104c8 sslapitest: add meaningful skip messages 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25070)
 2024-08-07 19:35:51 +02:00
Pauli
29a0f0403f cms: fix tests in light of PKCS#1 version 1.5 padding check 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25070)
 2024-08-07 19:35:51 +02:00