Age | Commit message (Collapse) | Author |
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
|
|
evp_cipher_init_internal() takes a params array argument and this is processed
late in the initialisation process for some ciphers (AEAD ones).
This means that changing the IV length as a parameter will either truncate the
IV (very bad if SP 800-38d section 8.2.1 is used) or grab extra uninitialised
bytes.
Truncation is very bad if SP 800-38d section 8.2.1 is being used to
contruct a deterministic IV. This leads to an instant loss of confidentiality.
Grabbing extra bytes isn't so serious, it will most likely result in a bad
decryption.
Problem reported by Tony Battersby of Cybernetics.com but earlier discovered
and raised as issue #19822.
Fixes CVE-2023-5363
Fixes #19822
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
The 'rand_generate' method is not well suited for being used with
weak entropy sources in the 'get_entropy' callback, because the
caller needs to provide a preallocated buffer without knowing
how much bytes are actually needed to collect the required entropy.
Instead we use the 'rand_get_seed' and 'rand_clear_seed' methods
which were exactly designed for this purpose: it's the callee who
allocates and fills the buffer, and finally cleans it up again.
The 'rand_get_seed' and 'rand_clear_seed' methods are currently
optional for a provided random generator. We could fall back to
using 'rand_generate' if those methods are not implemented.
However, imo it would be better to simply make them an officially
documented requirement for seed sources.
Fixes #22332
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22394)
(cherry picked from commit 7998e7dc07d8f1f516af32887f2490c03cd8c594)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22394)
(cherry picked from commit 0a8faac3c7cc2e88f46a8bdce5bd039dc22abdec)
|
|
The `get_user_{entropy,nonce}` callbacks were add recently to the
dispatch table in commit 4cde7585ce8e. Instead of adding corresponding
`cleanup_user_{entropy,nonce}` callbacks, the `cleanup_{entropy,nonce}`
callbacks were reused. This can cause a problem in the case where the
seed source is replaced by a provider: the buffer gets allocated by
the provider but cleared by the core.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22423)
(cherry picked from commit 5516d20226c496c2b22fa741698b4d48dad0428f)
|
|
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22432)
(cherry picked from commit fa9e6ad46860ea92aa2e1ba997b20c6dff76b42c)
|
|
Its not required that crt params be available in an RSA key, so don't
perform an error check on them
Fixes #29135
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22334)
(cherry picked from commit 2647726bd3ca63dc5f07ae3f10e16dff35d95626)
|
|
Theres no reason we should gate ossl_rsa_todata on there being a minimum
set of parameters. EVP_PKEY_todata makes no guarantees about the
validity of a key, it only returns the parameters that are set in the
requested key, whatever they may be. Remove the check.
Fixes #21935
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22334)
(cherry picked from commit 4ad3a44ba45a4026170336161228d435f6784564)
|
|
This makes them zeroes otherwise
where NULLs actually mean the values aren't present.
Fixes #21935
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/22334)
(cherry picked from commit 15a39e7025e0ed4e31664c499894006e41582068)
|
|
external calls to OBJ_new_nid will fail on an attempt to lock the
ossl_obj_nid_lock as it won't have been initalized yet.
Bifurcate OBJ_new_nid into an external and internal variant, in which
the former calls ossl_obj_write_lock (ensuring that the nid_lock is
initalized), while OBJ_create (the sole internal caller) uses the latter
to avoid having to drop and re-acquire the lock
Fixes #22337
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22350)
(cherry picked from commit cd920f8fa1bb603a620bea697027f5573fadc12e)
|
|
Fixes #22225
In OBJ_nid2obj(), if the NID does not have an OID, then a pointer to
the special "undefined" ASN1_OBJECT is returned. Check for the
undefined-ASN1_OBJECT and return an error. Also, add a test for this
in 80-test_cms.t.
Testing:
#!/bin/bash -x
shopt -s expand_aliases
alias openssl="LD_LIBRARY_PATH=~/git/openssl ~/git/openssl/apps/openssl"
echo "This is a confidential message. It should be encrypted." > msg.txt
## this should fail b/c there is no OID for aes-256-ctr
openssl cms -encrypt -in msg.txt -aes-256-ctr -out msg.txt.cms -recip demos/cms/signer.pem
echo $?
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22392)
(cherry picked from commit bd160912dcc5e39bcdc925d9aa6538f20e37ad16)
|
|
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22108)
(cherry picked from commit a47fc4ed401da4e2d84e035cc4add566e85b03d0)
|
|
According to the manual page, EVP_PKEY_CTX_set0_rsa_oaep_label()
should accept NULL as the label argument, though the function
currently rejects it while setting the corresponding octet string
parameter with OSSL_PARAM_construct_octet_string, which expects
non-NULL input. This adds a workaround to the caller for backward
compatibility.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22397)
(cherry picked from commit 21b98da9d80c561b6273b0c51c259196d6740e70)
|
|
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22390)
(cherry picked from commit 410c80dc7bf2085167553ab9fa517189eed2b3a6)
|
|
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22390)
(cherry picked from commit 72a99ef665b26fa207c0eee6e7e4842d1e42752c)
|
|
This is used for memory allocation failure debugging only
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22347)
(cherry picked from commit 3b107b86ca7d1c6309bc7071ead59acb8c098f3b)
|
|
The semantics of ossl_ffc_validate_public_key() and
ossl_ffc_validate_public_key_partial() needs to be changed
to not return error on non-fatal problems.
Fixes #22287
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22291)
(cherry picked from commit eaee1765a49c6a8ba728e3e2d18bb67bff8aaa55)
|
|
Allow 2 digits after the comma in percentage in OPENSSL_MALLOC_FAILURES.
Add OPENSSL_MALLOC_SEED to allow for some randomization.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22127)
(cherry picked from commit 3df5736cf303d2c69654ba1c295a9772b738608e)
|
|
Fixes #22189
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22198)
(cherry picked from commit 8ed76c62b5d3214e807e684c06efd69c6471c800)
|
|
Fixes #22216
Thanks to Leland Mills for investigation and testing.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22272)
(cherry picked from commit 0f7a3b0caa33a87c900536dc1c02fa553d2193cc)
|
|
ossl_property_list_to_string() didn't quote strings correctly which
could result in a generated property string being unparsable.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22182)
(cherry picked from commit fb20e66c6b2651067f50bab8cf098c71e2caed4b)
|
|
The initialization was introduced in commit dc8de3e6f1ee and
changes the behaviour of the `init` method for DSA and DH
between 1.1.1 and 3.0, while the behaviour for RSA and EC_KEY
remains unchanged.
The initialization is not necessary in 3.x and master imho and
breaks the use-case of intercepting the methods of an existing
key.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22185)
(cherry picked from commit 706512ecbc31585d447b53c3aa89acdf6951f996)
|
|
With pre-3.0 OpenSSL, EVP_PKEY_print_private() calls the EVP_PKEY_ASN1_METHOD
function "priv_print", effectively asking the backend to print whatever it
regards as private key components.
In all backends that were built into libcrypto, this function printed what
was included in the private key structure, which usually includes the
public key components as well.
With OpenSSL 3.0, some of the corresponding key2text encoders got a
slightly different behavior, where the presence of the selector
OSSL_KEYMGMT_SELECT_PRIVATE_KEY without the presence of the selector
OSSL_KEYMGMT_SELECT_PUBLIC_KEY would only get what would intuitively be
regarded as private key components printed. This isn't entirely consistent,
though, as the RSA key2text encoder will still print the public key
components regardless.
To compensate for the changed backend behavior, EVP_PKEY_print_private()
was made to ask the encoder to print the keypair rather than just the
private key, thereby moving the backend semantics to the application API.
Unfortunately, this causes confusion for providers where the key2text
encoder really should print the private key only.
This change restores the built-in 1.1.1 backend behavior in the encoders
that OpenSSL provides, and renders EVP_PKEY_print_private() more true to its
documented behavior, leaving it to the backend to decide what it regards as
"private key components".
Fixes #22233
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22237)
(cherry picked from commit 1296c2ec7866a4f2f4d210432c771142e8de33a0)
|
|
Resolves #17092 (?)
Resolves #17286 (?)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19965)
(cherry picked from commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/22211)
(cherry picked from commit 6bd07949e54f9958eb8a0f9a597ceb3910753ab0)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/22211)
(cherry picked from commit 15410839c668f97b5c03ee1a1bc1a2bf4315715f)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22210)
|
|
We were neglecting to register the main thread to receive thread stop
notifications. This is important if the thread that starts the FIPS
provider is not the same one that is used when OPENSSL_cleanup() is
called.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22210)
|
|
Fixes #21909
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22210)
|
|
Rather than instantiate the private and primary DRBGs during the
selftest, instead use a test RNG. This leaves the DRBG setup
pristine and permits later replacement of the seed source despite
the very early running power up self tests.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22210)
|
|
Signing with an app method based key (i.e. an `EVP_PKEY` which wraps an
`RSA` key with an application defined `RSA_METHOD`) used to work in 1.1.1.
That feature was broken in commit 60488d2434, but later on fixed by @t8m
in commit b247113c05 (see #14859).
This commit corrects a minor flaw of the fix, which affects only
`no-engine` builds: the special treatment for foreign keys is guarded
by an `OPENSSL_NO_ENGINE` check.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22163)
(cherry picked from commit 1acc3e8cc3c69187b55cc557c1bc03278ab38063)
|
|
sparse_array.o is not needed in libssl at 3.0.x version.
Signed-off-by: Huiyue Xu <xuhuiyue@huawei.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22111)
(cherry picked from commit a31cd07af1ca34cdbbd2b077a933208d447ed0b2)
|
|
When the realloc fails in contract, this not a fatal
error, since the memory is only shrinked. It is also no
option to exit the function at this point, since that
would leave the hash table in an inconsistent state.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22154)
(cherry picked from commit 5fbfd641aeebdf4b29a0749e13a79a1e59502878)
|
|
If an out of memory error happens when the index zero
is reserved in a newly created ip->meth stack object,
that reservation is not done in a second attempt, which makes
various X_set_ex_data overwrite the value of X_set_app_data.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22149)
(cherry picked from commit d4f22a915ac50570015a23ad794032c4fb9496cb)
|
|
Fixes coverity 1544699.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/22138)
(cherry picked from commit be01f609f98a8930f2c91b813715e515a88f4d54)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Release: yes
|
|
Prefer friendly name passed by the caller and calculated local
key id to ones found in certificate auxiliary data when creating
PKCS#12.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21675)
(cherry picked from commit 388a8e731445d190a46ec27b2ff5b4bf334d526b)
|
|
master version increments the struct_ref early
and needs to decrement the struct_ref on error,
while 3.1 and 3.0 increment the struct_ref later.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22115)
|
|
Error handling in engine_cleanup_add_first/last was
broken and caused memory leaks.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21971)
(cherry picked from commit 00f2efccf5b9671a7af2b12571068258e9c255a5)
|
|
That seems to be only an issue for RSA-PSS with parameters.
Spotted by code review, so it looks like there is no test coverage for this.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22032)
(cherry picked from commit 285eb1688f05ad477fefc681bf05d0afedc46d40)
|
|
In the error handling case the memory in
vb->users_pwd was accidentally not released.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21981)
(cherry picked from commit 68e95f7840d0d8ac4e5e03381cf9d305578dd1c7)
|
|
When the provider's load function returned with an error, the libcrypto
error flag was only set if EOF hadn't been reached. This is troublesome,
as an error can very well occur during the last load before EOF is reached!
Also, the error flag was never reset, even though documentation specifies
that it should indicate an error in the last load (i.e. not the one before
that).
Fixes #21968
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21976)
(cherry picked from commit 17dd9a2c6262c00800301fddd9441a9c590a630e)
|
|
Fixes #21986
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/21988)
(cherry picked from commit 00a413e2483257a17239cef5dde52df14926284c)
|
|
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21938)
|
|
There is a rarely used feature that can be enabled
with `./config enable-crypto-mdebug` when additionally
the environment variable OPENSSL_MALLOC_FAILURES is used.
It turns out to be possible that CRYPTO_zalloc may
create a leak when the memory is allocated and then
the shouldfail happens, then the memory is lost.
Likewise when OPENSSL_realloc is used with size=0,
then the memory is to be free'd but here the shouldfail
check is too early, and the failure may prevent the
memory to be freed thus creating a bogus memory leak.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21944)
(cherry picked from commit e2cf38d5751d6b48c8625b622c3765d0a39958d7)
|
|
This affects some Poly1305 assembler functions
which are only used for certain CPU types.
Remove those functions for Windows targets,
as a simple interim solution.
Fixes #21522
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21808)
(cherry picked from commit 7b8e27bc2e02238986d89ef0ece067ec1b48e165)
|
|
This code was added in error and is entirely redundant. It is also an
expensive operation (e.g. see #21833).
Fixes #21834
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21902)
(cherry picked from commit 3961991593f788b3efb2a27563d358c7c58f854c)
|
|
OPENSSL_init_crypto() with OPENSSL_INIT_LOAD_CONFIG must load the configuration
into the initial global default library context, not the currently set default
library context.
OPENSSL_init_crypto() with OPENSSL_INIT_LOAD_CONFIG may be called within other
OpenSSL API functions, e.g. from within EVP_PKEY_CTX_new_xxx() when initializing
a pkey context, to perform implicit initialization, if it has not been
initialized yet. This implicit initialization may happen at a time when an
application has already create its own library context and made it the default
library context. So loading the config into the current default library context
would load it into the applications library context.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21897)
(cherry picked from commit ecb6cdf02a302af18fe4bc20097a9ea3177f897c)
|
|
The assembler will complain when we include loongarch_arch.h in
an assembly file as following:
crypto/loongarch_arch.h: Assembler messages:
crypto/loongarch_arch.h:12: Fatal error: no match insn: extern unsigned int OPENSSL_loongarch_hwcap_P
So, the sentence of `extern unsigned int OPENSSL_loongarch_hwcap_P`
should be guarded with "#ifndef __ASSEMBLER__".
Fixes #21838.
Signed-off-by: Min Zhou <zhoumin@loongson.cn>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21839)
(cherry picked from commit 84a0b1b169197e3afdadcdafc9fea65361ff672f)
|
|
Treat keys with EVP_PKEY_RSA_PSS the same as EVP_PKEY_RSA in EVP_PKEY_can_sign()
and detect_foreign_key() which is called by EVP_PKEY_assign().
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21819)
(cherry picked from commit e2972982c64f3f1ac10b3ebe1086d99ec67631bd)
|