| Age | Commit message (Collapse) | Author |
|---|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
|
|
OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
numeric text form. For gigantic sub-identifiers, this would take a very
long time, the time complexity being O(n^2) where n is the size of that
sub-identifier.
To mitigate this, a restriction on the size that OBJ_obj2txt() will
translate to canonical numeric text form is added, based on RFC 2578
(STD 58), which says this:
> 3.5. OBJECT IDENTIFIER values
>
> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers.
> For the SMIv2, each number in the list is referred to as a sub-identifier,
> there are at most 128 sub-identifiers in a value, and each sub-identifier
> has a maximum value of 2^32-1 (4294967295 decimal).
Fixes otc/security#96
Fixes CVE-2023-2650
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
The invocation of ossl_policy_level_add_node in tree_calculate_user_set
did not have any error handling. Add it to prevent a memory leak for the
allocated extra policy data.
Also add error handling to sk_X509_POLICY_NODE_push to ensure that if
a new node was allocated, but could not be added to the stack, it is
freed correctly.
Fix error handling if tree->user_policies cannot be allocated by
returning 0, indicating failure, rather than 1.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21040)
(cherry picked from commit 95a8aa6dc0e283b1560dd3258d2e9115c02659b1)
|
|
ossl_policy_level_add_node() first adds the new node to the level->nodes
stack, and then attempts to add extra data if extra_data is true. If
memory allocation or adding the extra data to tree->extra_data fails,
the allocated node (that has already been added to the level->nodes
stack) is freed using ossl_policy_node_free(), which leads to
a potential use after free.
Additionally, the tree's node count and the parent's child count would
not be updated, despite the new node being added.
Fix this by either performing the function's purpose completely, or not
at all by reverting the changes on error.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21040)
(cherry picked from commit de53817ec386ea9e943d8f33716945dd9dbe1f31)
|
|
Signed-off-by: lan1120 <lanming@huawei.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21022)
(cherry picked from commit b501df3cefebcdaaeb7d6480b7a7b82d68927873)
|
|
This is an alternative to #20893
Additionally this fixes also a possible issue in UI_UTIL_read_pw:
When UI_new returns NULL, the result code would still be zero
as if UI_UTIL_read_pw succeeded, but the password buffer is left
uninitialized, with subsequent possible stack corruption or worse.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20957)
(cherry picked from commit a64c48cff88e032cf9513578493c4536df725a22)
|
|
The CTRL translation is missing for SM2 key types.
Fixes #20899
Signed-off-by: Yuan, Shuai <shuai.yuan@intel.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20900)
(cherry picked from commit 43d5dac9d00ac486823d949f85ee3ad650b62af8)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20832)
(cherry picked from commit e0f1ec3b2ec1b137695abc3199a62def5965351f)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20832)
(cherry picked from commit 2d6585986f3b754750b25e7a296a08e7129a5320)
|
|
Signed-off-by: Yuan, Shuai <shuai.yuan@intel.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20922)
(cherry picked from commit be6497aa208948c960a28363bac98a429677bd9d)
|
|
Fixes #20870
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20880)
(cherry picked from commit 8c63b14296f117b07781509ced529a8955d78fb9)
|
|
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20489)
(cherry picked from commit 32344a74b7ee2693a5bfda361c40ec60ab5be624)
|
|
The fuzzer was creating a config file with large numbers of includes
which are expensive to process. However this should not cause a security
issue, and should never happen in normal operation so we can ignore it.
Fixes ossfuzz issue 57718.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20839)
(cherry picked from commit 5f3adf396b06ee3b81938468995e69cff4ca64d1)
|
|
The negative integer check is done to prevent potential overflow.
Fixes #20719.
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20862)
(cherry picked from commit 1258a8e4361320cd3cfaf9ede692492ce01034c8)
|
|
Fixes #20841
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/20843)
(cherry picked from commit 56547da9d3fa24f54b439497d322b12beb004c80)
|
|
Ensure that ctx.ctrl_cmd defaults to translation->cmd_num
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20780)
(cherry picked from commit 1009940c14716ac03d5f161bdb4ae626ec6fe729)
|
|
This function didn't prepare space to get the param string, which causes
the default_fixup_args() call to fail.
Fixes #20161
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20780)
(cherry picked from commit ac52fe5f5ae7a1d062f09adab7744e3a3b2ddbcf)
|
|
We swap p and q in that case except when ACVP tests are being run.
Fixes #20823
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20833)
(cherry picked from commit dc231eb598460aec239c7f597f560bca47d9f72a)
|
|
Signed-off-by: Liu-ErMeng <liuermeng2@huawei.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20829)
(cherry picked from commit 004bd8f97d11bb7ac5f2de89f7060e03222b60fe)
|
|
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20810)
(cherry picked from commit e7cbb09fdf8d835bd0d88b4b288edfd525be569c)
|
|
Signed-off-by: Liu-ErMeng <liuermeng2@huawei.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20797)
(cherry picked from commit 4df13d1054e143f1cbf13fa347491807289f87b7)
|
|
default_context_do_init may be never called and CRYPTO_THREAD_init_local
inside it may be never called too. But corresponding
CRYPTO_THREAD_cleanup_local is always called at cleanup stage. This lead
to undefined behavior.
So, add flag to check that default_context_do_init will be called
successfully or not.
Fix: #20697
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20801)
(cherry picked from commit 31295ca02c0a2d7209a33047c7f6dd1dabc12c93)
|
|
According to docs, EVP_PKEY_get_int_param should return 1 on Success, and
0 on Failure. So, fix checking of this return value at check_curve
CLA: trivial
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20770)
(cherry picked from commit 4e5f3d691343a691ddae739c51f7ae71e9893c98)
|
|
Original author: Nevine Ebeid (Amazon)
Fixes: CVE-2023-1255
The buffer overread happens on decrypts of 4 mod 5 sizes.
Unless the memory just after the buffer is unmapped this is harmless.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/20759)
(cherry picked from commit 72dfe46550ee1f1bbfacd49f071419365bc23304)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20257)
(cherry picked from commit 44e816bd540c8687c1b4995febbde2626a655338)
|
|
request of a transaction
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20257)
(cherry picked from commit 7cd91d221f630f18eb2cc5c01c4204e31c0a15aa)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20257)
(cherry picked from commit 56d5c55de779f35d4e66ae4b791ef1488ab1f57a)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20257)
(cherry picked from commit 40eea44884dff96ffd753bfe66c025145a69191b)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20257)
(cherry picked from commit 2eb7a11035144b5556b81aa7e8233927165a5880)
|
|
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20298)
(cherry picked from commit 25b18e629d5cab40f88b33fd9ecf0d69e08c7707)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20748)
(cherry picked from commit dcfeb617477dd957f69e713cbc61fd4dca0f2db4)
|
|
We no longer need to cast function pointers to PTR_SIZE_INT.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20748)
(cherry picked from commit f659f7a1c70709caa1727bb0b7f836d170d35bb5)
|
|
Bit-fiddling pointers is technically implementation defined behavior
in the C specification so the following code is not supported in all
platforms:
PTR_SIZE_INT mask;
void * a, b, c;
int boolean_flag;
mask = 0 - boolean_flag;
/* Not guaranteed to be a valid ptr to a or b on all platforms */
a = (void *)
((((PTR_SIZE_INT) b & ~mask) | (((PTR_SIZE_INT)) c & mask)));
Using a ternary conditional operator is supported on all platforms
(i.e. `a = boolean_flag ? b : c;`).
On most modern compilers/CPUs, this will be faster, since it will
get converted to a CMOV instruction.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20748)
(cherry picked from commit 326af4ad171b849ba1e76fd425d8f337718c4108)
|
|
Fixes #20693
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/20708)
(cherry picked from commit efbff4de3e259cee71a4e1bbd86b30ebd86bbdae)
|
|
Signed-off-by: Yuan, Shuai <shuai.yuan@intel.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20680)
(cherry picked from commit 40f4884990a1717755df366e2aa06d01a1affd63)
|
|
This is about a timing leak in the topmost limb
of the internal result of RSA_private_decrypt,
before the padding check.
There are in fact at least three bugs together that
caused the timing leak:
First and probably most important is the fact that
the blinding did not use the constant time code path
at all when the RSA object was used for a private
decrypt, due to the fact that the Montgomery context
rsa->_method_mod_n was not set up early enough in
rsa_ossl_private_decrypt, when BN_BLINDING_create_param
needed it, and that was persisted as blinding->m_ctx,
although the RSA object creates the Montgomery context
just a bit later.
Then the infamous bn_correct_top was used on the
secret value right after the blinding was removed.
And finally the function BN_bn2binpad did not use
the constant-time code path since the BN_FLG_CONSTTIME
was not set on the secret value.
In order to address the first problem, this patch
makes sure that the rsa->_method_mod_n is initialized
right before the blinding context.
And to fix the second problem, we add a new utility
function bn_correct_top_consttime, a const-time
variant of bn_correct_top.
Together with the fact, that BN_bn2binpad is already
constant time if the flag BN_FLG_CONSTTIME is set,
this should eliminate the timing oracle completely.
In addition the no-asm variant may also have
branches that depend on secret values, because the last
invocation of bn_sub_words in bn_from_montgomery_word
had branches when the function is compiled by certain
gcc compiler versions, due to the clumsy coding style.
So additionally this patch stream-lined the no-asm
C-code in order to avoid branches where possible and
improve the resulting code quality.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20282)
|
|
This reverts commit 8022a4799fe884b3bf8d538e2b4c4ec323663118.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20282)
|
|
Function EVP_PKEY_get_bn_param() uses temporary buffer (on stack or
heap allocated) to store serialized bignum, but after deserializing it
into BIGNUM*, the buffer is not erased and may contain sensitive data.
This change makes sure the buffer is erased if it was successfully
filled before. Unfortunately, it does not distinguish between public and
private key components, and will always erase the buffer.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20639)
(cherry picked from commit 34e4a962bca998cc2d6eb4be721153fbde2f4c35)
|
|
Calling OPENSSL_init_crypto from inside a RUN_ONCE seems like a bad idea.
This is especially bad if OPENSSL_init_crypto can recursively end up
attempting to call the RUN_ONCE that we're already inside.
The initialisation in OPENSSL_init_crypto is already "run once" protected.
There is no need to protect it "twice".
Fixes #20653
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20662)
|
|
Fixes #20625
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20664)
(cherry picked from commit eb52450f5151e8e78743ab05de21a344823316f5)
|
|
Related to #20268
DSA_sign() assumes that the signature passed in is related to DSA_size().
If q is negative then DSA_size() actually fails and returns 0.
A test that tries to allocate the signature buffer using DSA_size() and then
pass it to DSA_sign() will then either.
(1) Have a signature buffer of NULL. In this case it was leaking data
returned via i2d_DSA_SIG.
(2) Cause a seg fault because we created a buffer that was not large
enough to hold the signature. As it already checked zero we also now
check for negative values also.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20553)
(cherry picked from commit 9559ad0e8d433a2a212b63cc848fa2ac82a9b048)
|
|
CLA: trivial
There is an incorrect null pointer check and this ccommit resolves it.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20646)
(cherry picked from commit 6469043bbabc9728aed61d7708c32e2ae319be1d)
|
|
Similiar to the issue found in PR #20553 for DSA_sign().
ECDSA_sign() leaked memory if the signature was NULL
when i2d_ECDSA_SIG was called.
Note that this does not affect the higher level EVP
functions as they correctly handle NULL.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20554)
(cherry picked from commit 4befe81a99b89c52b749a87eece82c1cba4fab12)
|
|
Fixes #20613
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20615)
|
|
Even though we check the leaf cert to confirm it is valid, we
later ignored the invalid flag and did not notice that the leaf
cert was bad.
Fixes: CVE-2023-0465
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20586)
|
|
CLA: trivial
The the provider, context duplication method for signature, key
exchange, asymmetric cipher, and key encapsulation is optional. But if
they are missing, we will get a segmentation fault in `EVP_PKEY_CTX_dup`
because they are called without null pointer checking.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20581)
(cherry picked from commit 864c70e43ea5f1d7fe20bfea457e53e79fd46b6e)
|
|
OSSL_CMP_MSG_update_recipNonce()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20204)
(cherry picked from commit b75d56dee09ac6f1fdb75169da891668cf181066)
|
|
Fixes a regression from 3.0 from the obj creation refactoring.
Fixes #20555
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20556)
(cherry picked from commit 908ba3ed9adbb3df90f7684a3111ca916a45202d)
|
|
The changes from the following commit should also apply to
Visual Studio 2010
https://github.com/openssl/openssl/commit/2d46a44ff24173d2cf5ea2196360cb79470d49c7#r104867505
Fixes build errors: undefined symbol InterlockedOr64
on Windows 2003, Visual Studio 2010 for x86 target.
CLA: trivial
Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20557)
(cherry picked from commit 8bdc3708964814ea0b7002df020fbd459e3a813f)
|
|
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20543)
(cherry picked from commit 175645a1a695017a312155a2c1d864ad8bff4eaa)
|
