Age | Commit message (Collapse) | Author |
|
Fixes CVE-2023-6237
If a large and incorrect RSA public key is checked with
EVP_PKEY_public_check() the computation could take very long time
due to no limit being applied to the RSA public key size and
unnecessarily high number of Miller-Rabin algorithm rounds
used for non-primality check of the modulus.
Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
Also the number of Miller-Rabin rounds was set to 5.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23243)
(cherry picked from commit e09fc1d746a4fd15bb5c3d7bbbab950aadd005db)
|
|
If the value of a->length is large (>= 2^12), then an integer overflow will
occur for the signed type, which according to the C standard is UB.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23274)
(cherry picked from commit 486ab0fb003d05f89620662260486d31bd3faa8c)
|
|
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22529)
(cherry picked from commit d4d9b57530b2ecdca6b4263b5841b42c820e5275)
|
|
OpenSSL's encoding of SM2 keys used the SM2 OID for the algorithm OID
where an AlgorithmIdentifier is encoded (for encoding into the structures
PrivateKeyInfo and SubjectPublicKeyInfo).
Such keys should be encoded as ECC keys.
Fixes #22184
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22529)
(cherry picked from commit 1d490694dfa790d8e47f8f2ea62ea1d9b1251179)
|
|
When parsing the stable section of a config such as this:
openssl_conf = openssl_init
[openssl_init]
stbl_section = mstbl
[mstbl]
id-tc26 = min
Can lead to a SIGSEGV, as the parsing code doesnt recognize min as a
proper section name without a trailing colon to associate it with a
value. As a result the stack of configuration values has an entry with
a null value in it, which leads to the SIGSEGV in do_tcreate when we
attempt to pass NULL to strtoul.
Fix it by skipping any entry in the config name/value list that has a
null value, prior to passing it to stroul
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22988)
(cherry picked from commit 0981c20f8efa68bf9d68d7715280f83812c19a7e)
|
|
Add test case for re-using a cipher context with the same key, iv and
cipher. It detects, if the hardware-specific cipher context is reset
correctly, like reported in issue #23175.
This test has encrypt and decrypt iterations for cfb128 and
ofb128. All iteations use the same key, iv and plaintext.
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23201)
(cherry picked from commit 3cb1b51dddf4deaf5e3886b827f3245d81670bc7)
|
|
Use the number of processed bytes information (num) from the generic
cipher context for the partial block handling in cfb and ofb also in
s390x-legacy code. For more details see 4df92c1a14 ("Fix partial block
encryption in cfb and ofb for s390x").
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23201)
(cherry picked from commit f9ccd209c3d121668c51a992613c698f2a774cb3)
|
|
Use the number of processed bytes information (num) from the generic
cipher context for the partial block handling in cfb and ofb, instead
of keep this information in the s390x-specific part of the cipher
context. The information in the generic context is reset properly,
even if the context is re-initialized without resetting the key or iv.
Fixes: #23175
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23201)
(cherry picked from commit 576a3572bebf6115df1c03527114cbf74d06f861)
|
|
For GMAC/CMAC, its not possible to re-init the algorithm without
explicitly passing an OSSL_MAC_PARAM_IV to each init call, as it is
not possible to extract the IV value from the prior init call (be it
explicitly passed or auto generated). As such, document the fact that
re-initalization requires passing an IV parameter
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23235)
(cherry picked from commit 7c1d533a512181b13de3bc0b7fa2fd8c481032d3)
|
|
Fixes #23226
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23238)
(cherry picked from commit da840c3775f52fc9766c654b5ad6ee031ffc9fd9)
|
|
Even in the good case there was memory leak here.
Add a simple test case to have at least some test coverage.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23234)
(cherry picked from commit 398011848468c7e8e481b295f7904afc30934217)
|
|
When a subsequent call to SXNET_add_id_asc fails
e.g. because user is a string larger than 64 char
or the zone is a duplicate zone id,
or the zone is not an integer,
a memory leak may be the result.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23234)
(cherry picked from commit 0151e772195fc03cce0f12e5e266e51dc15243a0)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23200)
(cherry picked from commit 858c7bc210a406cc7f891ac2aed78692d2e02937)
|
|
Fixes CVE-2023-6129
The POLY1305 MAC (message authentication code) implementation in OpenSSL for
PowerPC CPUs saves the the contents of vector registers in different order
than they are restored. Thus the contents of some of these vector registers
is corrupted when returning to the caller. The vulnerable code is used only
on newer PowerPC processors supporting the PowerISA 2.07 instructions.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23200)
(cherry picked from commit 8d847a3ffd4f0b17ee33962cf69c36224925b34f)
|
|
Fixes Coverity 1560046
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23211)
(cherry picked from commit 7054fc1ca3945342777f588fba43b77f669509ad)
|
|
The pointer size support is already in the code, and is present for
all other supported hardwares.
Fixes #22899
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23081)
|
|
An effort was made to update the VMS installation data to align with
configuration data. This touched the script templates in VMS/, but
didn't update the generation of vmsconfig.pm to match... and also
missed a spot.
This change adds the missing updates
Ref:
https://github.com/openssl/openssl/pull/16842
Fixes #22899
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23081)
|
|
kdf_pbkdf1_do_derive stores key derivation information in a stack
variable, which is left uncleansed prior to returning. Ensure that the
stack information is zeroed prior to return to avoid potential leaks of
key information
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23194)
(cherry picked from commit 5963aa8c196d7c5a940a979299a07418527932af)
|
|
There are several points during x509 extension creation which rely on
configuration options which may have been incorrectly parsed due to
invalid settings. Preform a value check for null in those locations to
avoid various crashes/undefined behaviors
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23183)
(cherry picked from commit bac7e687d71b124b09ad6ad3e15be9b38c08a1ba)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22726)
(cherry picked from commit b062a3c552bf283319dede3437598f1747730053)
|
|
Fedora has some fairly nice interoperability tests that we can leverage
to build a PR and test it against gnutls and nss libraries. This commit
adds the interop-tests.yml ci job to do that work, and run the interop
tests from beaker.
Fixes #20685
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22726)
(cherry picked from commit 83783dd16e767483020e5b2dc3b1c0ac26520917)
|
|
It was pointed out the GITHUB_WORKSPACE points to the container path of
the workspace, so we can use it instead of hardcoding the
__w/openssl/openssl path
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22726)
(cherry picked from commit 638ad52ae53ece2e870984430493e454f75d048a)
|
|
Fedora has some fairly nice interoperability tests that we can leverage
to build a PR and test it against gnutls and nss libraries. This commit
adds the interop-tests.yml ci job to do that work, and run the interop
tests from beaker.
Fixes #20685
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22726)
(cherry picked from commit 337eb99c8474ed380f3aa6fbd6b2a4ab5d39aa26)
|
|
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23203)
(cherry picked from commit 63256ca9edfc94d06de0a68097950039515fe852)
|
|
In the dupctx fixups I missed a pointer that needed to be repointed to
the surrounding structures AES_KEY structure for the sm4/aes/aria
ccm/gcm variants. This caused a colliding use of the key and possible
use after free issues.
Fixes #22076
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)
|
|
Pretty straightforward, just clone the requested context, no pointers to
fixup
Fixes #21887
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)
|
|
Same as chacha20 in the last commit, just clone the ctx and its
underlying tlsmac array if its allocated
Fixes #21887
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)
|
|
create a dupctx method for aes_WRAP implementations of all sizes
Fixes #21887
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)
|
|
Add dupctx method support to to ciphers implemented with IMPLEMENT_aead_cipher
This includes:
aes-<kbits>-gcm
aria-<kbits>-ccm
aria-<kbits>-gcm
Fixes #21887
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)
|
|
There should be no reason that a cipher can't be duplicated
Fixes #21887
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)
|
|
X509_REQ_add_extensions{,_nid}()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(cherry picked from commit 47dc828c6b652feb9cef5b0e4186d010986f197c)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23190)
(cherry picked from commit 8632c09a2cd7be884b62e3cc94de84167c806f3d)
|
|
Issue #23151 asks a question about the meaning of the PKCS12
documentation. This PR attempts to clarify how friendlyName and localKeyID
are added to the PKCS12 structure.
Fixes #23151
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23188)
(cherry picked from commit 3348713ad390372ba5a0a0f98b46b2f637475e47)
|
|
As in the provider compatibility tests we also run the
3.1.2 fips provider against the up-to-date 3.0 branch
the CI would still fail as 3.1.2 provider would be
expected to pass this check.
Update the required fips provider version to be
>3.1.4 or <3.1.0 and >3.0.12 instead.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/23099)
|
|
If the output of a blake2[b|s] digest isn't a multipl of 8, then a stack
buffer is used to compute the final output, which is left un-zeroed
prior to return, allowing the potential leak of key data. Ensure that,
if the stack variable is used, it gets cleared prior to return.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23173)
(cherry picked from commit 8b9cf1bc2c3085b6e9493a057209ffd0bddf48a6)
|
|
When using pbkdf1 key deriviation, it is possible to request a key
length larger than the maximum digest size a given digest can produce,
leading to a read of random stack memory.
fix it by returning an error if the requested key size n is larger than
the EVP_MD_size of the digest
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23174)
(cherry picked from commit 8d89050f0f676b429043fd5445e5a570d54ad225)
|
|
Fix a typo from asymmmetric to asymmetric
CLA: trivial
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23164)
(cherry picked from commit cf8fea86f73c4606f132133cb34c07f8dad42482)
|
|
Partial fix for #8026
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22656)
(cherry picked from commit f1f0731ddf6cb31d62a2c0f406b009ae9817ed7f)
|
|
Fixes regression introduced with https://github.com/openssl/openssl/pull/21505
Fixes #22266
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23029)
(cherry picked from commit d7e707cb4983a35b1a265c6042da410d829f3b19)
|
|
If a name is passed to EVP_<OBJ>_fetch of the form:
name1:name2:name3
The names are parsed on the separator ':' and added to the store, but
during the lookup in inner_evp_generic_fetch, the subsequent search of
the store uses the full name1:name2:name3 string, which fails lookup,
and causes subsequent assertion failures in evp_method_id.
instead catch the failure in inner_evp_generic_fetch and return an error
code if the name_id against a colon separated list of names fails. This
provides a graceful error return path without asserts, and leaves room
for a future feature in which such formatted names can be parsed and
searched for iteratively
Add a simple test to verify that providing a colon separated name
results in an error indicating an invalid lookup.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/23110)
(cherry picked from commit 94be985cbcc1f0a5cf4f172d4a8d06c5c623122b)
|
|
If a malformed config file is provided such as the following:
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
= provider_sect
The config parsing library will crash overflowing the stack, as it
recursively parses the same provider_sect ad nauseum.
Prevent this by maintaing a list of visited nodes as we recurse through
referenced sections, and erroring out in the event we visit any given
section node more than once.
Note, adding the test for this revealed that our diagnostic code
inadvertently pops recorded errors off the error stack because
provider_conf_load returns success even in the event that a
configuration parse failed. The call path to provider_conf_load has been
updated in this commit to address that shortcoming, allowing recorded
errors to be visibile to calling applications.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/23120)
|
|
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/23068)
(cherry picked from commit aa3347ba9d670a747b46974ce46f2ed9ecb38662)
|
|
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20319)
(cherry picked from commit 26183614ed1dc03f509f26839b8a465684ca0f84)
|
|
Make EVP_PKEY_CTX_set_rsa_oaep_md() and
EVP_PKEY_CTX_get_rsa_oaep_md_name() only work for RSA keys.
Since these calls use "digest" as a OSSL_PARAM, they should not
work for other key types.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20319)
(cherry picked from commit 0c3eb31b55d3c1544e4e044c2e3c939655bac93d)
|
|
If a call to EVP_PKEY_CTX_set_rsa_mgf1_md() fails then the caller
needs to free the label.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20319)
(cherry picked from commit d32dd65053431ee744d213b336b9a03a035807e6)
|
|
Fixed - Windows compilation issue - unbale to find correct definitions of _InterlockedExchangeAdd.
Issue number - https://github.com/openssl/openssl/issues/21080
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23087)
|
|
Add a missing check of the return code of X509_ALGOR_set0,
otherwise the ASN1_STRING object wrap_str may be leaked.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22998)
(cherry picked from commit a26635e0d7f3228035ae1d0d110ea88479f84754)
|
|
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23028)
(cherry picked from commit 8f0f814d791e0825b96c30494594de619da3e5a5)
|
|
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.7.1 to 5.0.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v4.7.1...v5.0.0)
---
updated-dependencies:
- dependency-name: actions/setup-python
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22963)
(cherry picked from commit 51c85496dc227f277adbe0748d596e07d9a34bc2)
|
|
Add a missing check of the return code of X509_ALGOR_set0.
otherwise a memory leak may occur.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22999)
(cherry picked from commit 493d6c9ab37b18b110c977a2bc896f06b18f6065)
|
|
The newly introduced test case do not work
when configured with no-des, fix that by
choosing -aes128 as cipher.
Fixes ffed597882ba ("cms: avoid intermittent test failure")
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23086)
(cherry picked from commit 5b4f4474b2562c4422193e1719461a0ef5cbc3e5)
|