| Age | Commit message (Collapse) | Author |
|---|
|
These aren't currently checked when they are called in cipher_aes_gcm_hw_armv8.inc,
but they are declared as returning as size_t the number of bytes they have processed,
and the aes_gcm_*_*_kernel (unroll by 4) versions of these do return the correct
values.
Change-Id: Ic3eaf139e36e29e8779b5bd8b867c08fde37a337
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20191)
(cherry picked from commit 4596c20b86871b2bb0f9a7f6b855c0b7f0d4fbf3)
|
|
This function returns an errorcode <= 0, but only < 0 is checked. Other
callers that check the return value perform this check correctly. Fix it
by changing the check to <= 0.
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20186)
(cherry picked from commit 826374921a6b92293fd87655416eda8ef07301c8)
|
|
BIO_dup_state() returns an error code <= 0 according to my analysis tool
and the documentation. Currently only == 0 is checked. Fix it by
changing the check condition.
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20194)
(cherry picked from commit 89601c72471a4b6bbb9e877f5c54f20eceba5f01)
|
|
CMS_SharedInfo_encode() can also return a negative error value, but this
is not checked in the current check, only the zero error return value is
covered. A previous PR [1] fixed the other caller's check of
CMS_SharedInfo_encode in this file, but it seems like this place was
missed. Fix it by changing the check to <= 0.
[1] https://github.com/openssl/openssl/pull/12628/commits/a752fc4da5e1dfd5b3a730d95272c2e2b0c48f1a
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20181)
(cherry picked from commit ba061818e9d76f332e8914dfe9168577b2378dde)
|
|
default_check() can return a zero value to indicate an internal error in
one condition for the PRE_CTRL_STR_TO_PARAMS state. This state can be
reached from the default_fixup_args() function which does not check for
a zero value. All other callers of default_check() in that file do check
for a zero return value. Fix it by changing the check to <= 0.
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20175)
(cherry picked from commit 650f0474282330e3eb2a3df0eff5864bbdcf5845)
|
|
BIO_set_md() can return an error value <= 0 according to my analysis
tool and the documentation. But only an error value == 0 is currently
checked. Fix it by changing the check condition.
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20195)
(cherry picked from commit abf654645dee168b229f3fa6a365f6a8e4dd7c31)
|
|
Documentation is necessary as static and dynamic linking cause SIGSEGV
during atexit() processing on the platform.
Fixes: 19951
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19952)
|
|
Allocate memory for a new SSL session.
If any of these steps fail,
free the key memory and the tmpsess object
before returning 0 to prevent a memory leak.
Fixes: #20110
CLA: trivial
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20213)
(cherry picked from commit 8e2552b1eac4957214fed55457f64d7d5164ca37)
|
|
BIO_set_accept_name() can return error values -1 and 0 according to
my analysis tool and the documentation. Documentation says a value of 1
indicates success. Currently, only an error value != 0 is checked which
erroneously interprets a -1 error return value as success.
Fix it by changing the check condition.
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20206)
(cherry picked from commit a811b6305b1f98e8ec66b8a426d359150fea69b2)
|
|
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/19307)
(cherry picked from commit f9171a06416c6dd9b7b8cd7e4bc08e23a4fab242)
|
|
Two key 3DES only sets two keys and the random generation errors out if fewer
than three keys are required. It shouldn't.
Fixes #20212
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20224)
(cherry picked from commit 587e0407803af330c0b04238fcbce78521ce35d7)
|
|
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 7a21a1b5fa2dac438892cf3292d1f9c445d870d9)
(cherry picked from commit 2ad9928170768653d19d81881deabc5f9c1665c0)
|
|
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20219)
(cherry picked from commit 4072a762664020524f536361a6de43e8de19a4f8)
|
|
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20219)
(cherry picked from commit 92c0e33e375b9f3ba191484fff84a5aba41f1f6e)
|
|
With FIPS 186-5 being published, these can again be validated.
https://csrc.nist.gov/publications/detail/fips/186/5/final
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20219)
(cherry picked from commit 09627a8ceb69e19d2855b36228f44a3660af177a)
|
|
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
|
These calls invoke EVP_DigestInit() which can fail for digests
with implicit fetches. Subsequent EVP_DigestUpdate() from BIO_write()
or EVP_DigestFinal() from BIO_read() will segfault on NULL
dereference. This can be triggered by an attacker providing
PKCS7 data digested with MD4 for example if the legacy provider
is not loaded.
If BIO_set_md() fails the md BIO cannot be used.
CVE-2023-0401
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
|
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
Fixes CVE-2023-0217
When attempting to do a BN_Copy of params->p there was no NULL check.
Since BN_copy does not check for NULL this is a NULL reference.
As an aside BN_cmp() does do a NULL check, so there are other checks
that fail because a NULL is passed. A more general check for NULL params
has been added for both FFC public and private key validation instead.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
Fixes CVE-2023-0216
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
Test for the issue fixed in the previous commit
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
be part of an invalid BIO chain. This causes a "use after free" when the
BIO is eventually freed.
Based on an original patch by Viktor Dukhovni and an idea from Theo
Buehler.
Thanks to Octavio Galland for reporting this issue.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
Call PEM_read_bio_ex() and expect a failure. There should be no dangling
ptrs and therefore there should be no double free if we free the ptrs on
error.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
In the event of a failure in PEM_read_bio_ex() we free the buffers we
allocated for the header and data buffers. However we were not clearing
the ptrs stored in *header and *data. Since, on success, the caller is
responsible for freeing these ptrs this can potentially lead to a double
free if the caller frees them even on failure.
Thanks to Dawei Wang for reporting this issue.
Based on a proposed patch by Kurt Roeckx.
CVE-2022-4450
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA
padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
Patch written by Dmitry Belyavsky and Hubert Kario
CVE-2022-4304
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
|
This function assumes that if the "gen" is an OtherName, then the "base"
is a rfc822Name constraint. This assumption is not true in all cases.
If the end-entity certificate contains an OtherName SAN of any type besides
SmtpUtf8Mailbox and the CA certificate contains a name constraint of
OtherName (of any type), then "nc_email_eai" will be invoked, with the
OTHERNAME "base" being incorrectly interpreted as a ASN1_IA5STRING.
Reported by Corey Bonnell from Digicert.
CVE-2022-4203
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20201)
(cherry picked from commit 77c8d6d703efd1d935b5c2603fd31f4b15b1214d)
|
|
... and therefore all options must be given before the final file/URI arg.
This is essentially a backport of the doc portion of #20156 to 3.0 and 3.1,
where the missing error checking/reporting likely will not be added.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20179)
(cherry picked from commit 36d85b02cef2ca34253619acae35623989258277)
|
|
That function is a wrapper around evp_cipher_param_to_asn1_ex() which
can return 0 as an error value via its ret <= 0 check [1].
Furthermore, all other callers of this function check against <= 0
instead of < 0 and this is also in line with what the documentation
tells us. Fix the incomplete check by changing it to <= 0 as well.
CLA: trivial
[1] https://github.com/openssl/openssl/blob/114d99b46bfb212ffc510865df317ca2c1542623/crypto/evp/evp_lib.c#L164-L165
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20180)
(cherry picked from commit e3663717fc16bd140f54ee7f1600bdced7f9ea66)
|
|
If the user specifies an alternative build file than the default, this
alternative is recorded in $config{build_file}, not $target{build_file}.
Therefore, the former should be used, leaving the latter as a mere default.
This is a bug. While fixing it, document it better too.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20173)
(cherry picked from commit aa2d7e0ee15d1b7015479c38f370a25ceec690fc)
|
|
Fix issue #20063.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20163)
(cherry picked from commit e788c772b12eea5ced4ce46619e13acf0e0eb6ba)
|
|
Add missing `I` to `<b>`
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20169)
(cherry picked from commit 0414899887b98f973067f286ac126d8b529873e3)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20137)
(cherry picked from commit aea9b0e4b6c35c7f90b2e5a3475084500488775d)
|
|
If no-module or no-shared is used, the symbols from
libcrypto should not be duplicated in legacy.a
Also the BIGNUM functions are currently not needed
in legacy.a at all.
Fixes #20124
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20137)
(cherry picked from commit f6a6f7b6aa84dab44384780cb77050d15c5f575e)
|
|
OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT
https://github.com/openssl/openssl/pull/19901 backported the
"Honor OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT as set and default to
UNCOMPRESSED" changeset to 3.0.
This commit updates:
- the HISTORY notes of the relevant documentation to mark the change
happened since 3.0.8.
- the `CHANGES.md file` to sync up with the tip of the `openssl-3.0`
branch
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20003)
(cherry picked from commit f66c1272f92bed6bc8aa17f6a8956d9e2e5b7798)
|
|
X509V3_add1_i2d() can return both -1 and 0 as an error code. This check
only checked for 0. Change it into <= 0 to also catch the -1 error code.
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20157)
(cherry picked from commit ecd445464a73bb3f125327a604dd13ad16303ebc)
|
|
We cannot dynamically load the legacy provider into an application
that is linked statically to libcrypto as this causes
a double loading of libcrypto (one static and one dynamic) and
on NonStop this leads to a segfault in atexit().
Fixes #17537
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19844)
(cherry picked from commit 8bb55680e46c868b0aa09682c2bef954231841b5)
|
|
Fixes #20084
In the 3.0 provider implementation the generic code that handles IV's
only allows a 12 byte IV. Older code intentionally added the ability for
the IV to be truncated.
As this truncation is unsafe, the documentation has been updated to
state that this in no longer allowed. The code has been updated to
produce an error when the iv length is set to any value other than 12.
NOTE: It appears that this additional padding may have originated from the code
which uses a 12 byte IV, that is then passed to CHACHA which zero pads it to 16 bytes.
Note that legacy behaviour in e_chacha20_poly1305.c has not been
updated.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20151)
(cherry picked from commit a01152370676e7e11fb461cff8628eb50fa41b81)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20132)
(cherry picked from commit a4347a9a57dcb985283bba03dd3b16294b55945b)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20132)
(cherry picked from commit 00407fbf0b25d65f5e6d99defdb081432e810449)
|
|
Fixes #20130
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20136)
(cherry picked from commit d4c5d8ff483d99f94d649fb67f1f26fce9694c92)
|
|
The lab tried doing a RSA decryption primitive using just n (using p, q) and d.
This failed for 2 reasons:
(1) e is required when importing
(2) Internally e is used for blinding.
Note n and e can be calculated using:
n = pq
e = (1/d) mod (p-1)(q-1)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20133)
(cherry picked from commit 6e3b1c81736b1829584e3f40c2d00040fe1aa881)
|
|
The check is unnecessary as the condition is already checked
before the switch statement.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20121)
(cherry picked from commit 01a17b24f6649fc192ba6bb9ea34e28ce9678e6c)
|
|
This reverts commit e787c57c538d0922004e49a10be0d403af773272.
The current CI host system is Ubuntu 22.04, which ships with QEMU 6.2.
This QEMU release is too old for the required RISC-V extensions.
We would need at least QEMU 7.1 (Aug 2022) for this patch.
Let's revert the patch.
Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20139)
(cherry picked from commit 45972000b44ce0d97adacfddb38f28710b49cfec)
|
|
Fixes #19730
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19732)
(cherry picked from commit a4aa977d3a8049d5386dc583e16c17727c712eaa)
|
