Commit log for path: root/crypto
Each entry gives the commit subject, then (author, date, files changed, lines removed/added), followed by the commit message.

* Fix checking return code of EVP_PKEY_get_int_param at check_curve (Petr Mikhalicin, 2023-04-21, 1 file changed, -1/+1)
  According to docs, EVP_PKEY_get_int_param should return 1 on success and 0 on failure. So, fix the checking of this return value at check_curve.
  CLA: trivial
  Reviewed-by: Todd Short <todd.short@me.com>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20770)

* aesv8-armx.pl: Avoid buffer overread in AES-XTS decryption (Tomas Mraz, 2023-04-20, 1 file changed, -1/+3)
  Original author: Nevine Ebeid (Amazon)
  Fixes: CVE-2023-1255
  The buffer overread happens on decrypts of 4 mod 5 sizes. Unless the memory just after the buffer is unmapped this is harmless.
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
  (Merged from https://github.com/openssl/openssl/pull/20759)

* crmf_lib.c: clean up comments on OSSL_CRMF_CERTTEMPLATE*() (Dr. David von Oheimb, 2023-04-18, 1 file changed, -6/+2)
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  (Merged from https://github.com/openssl/openssl/pull/20736)

* OSSL_CRMF_CERTTEMPLATE_get0_publicKey(): fix return type and doc (Dr. David von Oheimb, 2023-04-18, 1 file changed, -1/+1)
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  (Merged from https://github.com/openssl/openssl/pull/20736)

* crypto/cmp: fix CertReqId to use in p10cr transactions acc. to RFC 4210 (Dr. David von Oheimb, 2023-04-18, 4 files changed, -26/+48)
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  (Merged from https://github.com/openssl/openssl/pull/20298)

* bn_local: remove unused `PTR_SIZE_INT` definition (Alois Klink, 2023-04-16, 1 file changed, -18/+0)
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20748)

* bn_nist: remove unused type-punning union `u` (Alois Klink, 2023-04-16, 1 file changed, -21/+12)
  We no longer need to cast function pointers to PTR_SIZE_INT.
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20748)

* bn_nist: replace pointer bit-fiddling with ternary (Alois Klink, 2023-04-16, 1 file changed, -45/+19)
  Bit-fiddling pointers is technically implementation-defined behavior in the C specification, so the following code is not supported on all platforms:

      PTR_SIZE_INT mask;
      void *a, *b, *c;
      int boolean_flag;

      mask = 0 - boolean_flag;
      /* Not guaranteed to be a valid ptr to a or b on all platforms */
      a = (void *)(((PTR_SIZE_INT) b & ~mask) | ((PTR_SIZE_INT) c & mask));

  Using a ternary conditional operator is supported on all platforms (i.e. `a = boolean_flag ? b : c;`). On most modern compilers/CPUs, this will be faster, since it will get converted to a CMOV instruction.
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20748)

* Fix an HPKE API to put libctx, propq as last (optional parameters). (slontis, 2023-04-14, 1 file changed, -6/+4)
  This keeps the interface consistent with other HPKE APIs.
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20583)

* Fix the LCM computation in the RSA multiprime key check (Tomas Mraz, 2023-04-13, 1 file changed, -6/+10)
  Fixes #20693
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
  (Merged from https://github.com/openssl/openssl/pull/20708)

* Fix UEFI support on win32 (Aidan Khoury, 2023-04-13, 3 files changed, -4/+4)
  Reviewed-by: Hugo Landau <hlandau@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20714)

* Fixes #19580 ECX keygen (Yuan, Shuai, 2023-04-12, 1 file changed, -1/+1)
  Signed-off-by: Yuan, Shuai <shuai.yuan@intel.com>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/20680)

* Alternative fix for CVE-2022-4304 (Bernd Edlinger, 2023-04-04, 5 files changed, -69/+101)
  This is about a timing leak in the topmost limb of the internal result of RSA_private_decrypt, before the padding check.

  There are in fact at least three bugs together that caused the timing leak:

  First and probably most important is the fact that the blinding did not use the constant time code path at all when the RSA object was used for a private decrypt, due to the fact that the Montgomery context rsa->_method_mod_n was not set up early enough in rsa_ossl_private_decrypt, when BN_BLINDING_create_param needed it, and that was persisted as blinding->m_ctx, although the RSA object creates the Montgomery context just a bit later.

  Then the infamous bn_correct_top was used on the secret value right after the blinding was removed.

  And finally the function BN_bn2binpad did not use the constant-time code path since the BN_FLG_CONSTTIME was not set on the secret value.

  In order to address the first problem, this patch makes sure that the rsa->_method_mod_n is initialized right before the blinding context. And to fix the second problem, we add a new utility function bn_correct_top_consttime, a const-time variant of bn_correct_top. Together with the fact that BN_bn2binpad is already constant time if the flag BN_FLG_CONSTTIME is set, this should eliminate the timing oracle completely.

  In addition the no-asm variant may also have branches that depend on secret values, because the last invocation of bn_sub_words in bn_from_montgomery_word had branches when the function is compiled by certain gcc compiler versions, due to the clumsy coding style. So additionally this patch streamlined the no-asm C code in order to avoid branches where possible and improve the resulting code quality.
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20281)

* Revert "Fix Timing Oracle in RSA decryption" (Bernd Edlinger, 2023-04-04, 5 files changed, -664/+22)
  This reverts commit b1892d21f8f0435deb0250f24a97915dc641c807, except for moving derive_kdk to a separate function.
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20281)

* Erase temporary buffer in EVP_PKEY_get_bn_param() (Anatolii Lishchynskyi, 2023-04-04, 1 file changed, -1/+8)
  Function EVP_PKEY_get_bn_param() uses a temporary buffer (on stack or heap allocated) to store the serialized bignum, but after deserializing it into BIGNUM*, the buffer is not erased and may contain sensitive data.
  This change makes sure the buffer is erased if it was successfully filled before. Unfortunately, it does not distinguish between public and private key components, and will always erase the buffer.
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20639)

* Don't call OPENSSL_init_crypto from inside a RUN_ONCE (Matt Caswell, 2023-04-04, 1 file changed, -3/+2)
  Calling OPENSSL_init_crypto from inside a RUN_ONCE seems like a bad idea. This is especially bad if OPENSSL_init_crypto can recursively end up attempting to call the RUN_ONCE that we're already inside.
  The initialisation in OPENSSL_init_crypto is already "run once" protected. There is no need to protect it "twice".
  Fixes #20653
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20662)
  (cherry picked from commit a9745427cd5d44a76b31690b4a2c6bef2ee677c4)

* FFC cleanups (slontis, 2023-04-03, 5 files changed, -76/+50)
  Discovered during coverage testing.
  Remove unnecessary check when using ossl_dh_get0_params() and ossl_dsa_get0_params(). These point to addresses and cannot fail for any existing calls.
  Make dsa keygen tests only available in the FIPS module, as they are not used in the default provider.
  Change ossl_ffc_set_digest() to return void as it cannot fail.
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20359)

* Avoid calling into provider with the same iv_len or key_len (Tomas Mraz, 2023-04-03, 1 file changed, -0/+8)
  Fixes #20625
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20664)

* Fix compilation error when using clang-cl 16 or higher (Anthony Roberts, 2023-04-03, 1 file changed, -1/+1)
  Fixes an "Incompatible function pointer types" error. In prior versions, this was a warning, but is now an error.
  CLA: trivial
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20654)

* Make DSA_sign() test for negative p,q,g values. (slontis, 2023-03-31, 2 files changed, -2/+5)
  Related to #20268
  DSA_sign() assumes that the signature passed in is related to DSA_size(). If q is negative then DSA_size() actually fails and returns 0. A test that tries to allocate the signature buffer using DSA_size() and then pass it to DSA_sign() will then either:
  (1) Have a signature buffer of NULL. In this case it was leaking data returned via i2d_DSA_SIG.
  (2) Cause a seg fault because we created a buffer that was not large enough to hold the signature.
  As it already checked for zero, we now also check for negative values.
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Todd Short <todd.short@me.com>
  (Merged from https://github.com/openssl/openssl/pull/20553)

* Incorrect null pointer check (afshinpir, 2023-03-31, 1 file changed, -1/+1)
  CLA: trivial
  There is an incorrect null pointer check and this commit resolves it.
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Todd Short <todd.short@me.com>
  (Merged from https://github.com/openssl/openssl/pull/20646)

* Fix mem leak in ECDSA_sign(). (slontis, 2023-03-31, 2 files changed, -3/+3)
  Similar to the issue found in PR #20553 for DSA_sign().
  ECDSA_sign() leaked memory if the signature was NULL when i2d_ECDSA_SIG was called. Note that this does not affect the higher level EVP functions as they correctly handle NULL.
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Todd Short <todd.short@me.com>
  (Merged from https://github.com/openssl/openssl/pull/20554)

* Coverity 1524597: null pointer dereference (Pauli, 2023-03-30, 1 file changed, -7/+11)
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20629)

* Use correct function to wait for condvar (Hugo Landau, 2023-03-30, 2 files changed, -8/+7)
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20348)

* Revise build.info (Hugo Landau, 2023-03-30, 1 file changed, -2/+9)
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20348)

* QUIC Thread Assisted mode: miscellaneous fixes (Hugo Landau, 2023-03-30, 1 file changed, -2/+1)
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20348)

* Refactor build.info (Hugo Landau, 2023-03-30, 1 file changed, -2/+2)
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20348)

* QUIC Thread Assisted Mode: Refactor locking to be infallible (Hugo Landau, 2023-03-30, 1 file changed, -3/+0)
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20348)

* QUIC Thread Assisted Mode: Support Windows XP (Hugo Landau, 2023-03-30, 4 files changed, -30/+129)
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20348)

* threading: Add ossl_crypto_condvar_wait_timeout (Hugo Landau, 2023-03-30, 2 files changed, -0/+63)
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20348)

* Ensure there's only one copy of OPENSSL_armcap_P in libcrypto.a (Tom Cosgrove, 2023-03-29, 9 files changed, -11/+8)
  Change-Id: Ia94e528a2d55934435de6a2949784c52eb38d82f
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20621)

* RFC7250 (RPK) support (Todd Short, 2023-03-28, 3 files changed, -20/+204)
  Add support for the RFC7250 certificate-type extensions. Allows the use of only private keys for connection (i.e. certs not needed).
  Add APIs
  Add unit tests
  Add documentation
  Add s_client/s_server support
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/18185)

* Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs (Matt Caswell, 2023-03-28, 1 file changed, -2/+10)
  Even though we check the leaf cert to confirm it is valid, we later ignored the invalid flag and did not notice that the leaf cert was bad.
  Fixes: CVE-2023-0465
  Reviewed-by: Hugo Landau <hlandau@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20585)

* `EVP_PKEY_CTX_dup` segmentation fault fix (afshinpir, 2023-03-27, 1 file changed, -8/+20)
  CLA: trivial
  The provider context duplication method for signature, key exchange, asymmetric cipher, and key encapsulation is optional. But if they are missing, we will get a segmentation fault in `EVP_PKEY_CTX_dup` because they are called without null pointer checking.
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20581)

* translation: EC legacy keys, handle OSSL_PKEY_PARAM_EC_PUB_X,Y requests (Jorge Ramirez-Ortiz, 2023-03-27, 1 file changed, -0/+60)
  Required by tpm2-tss to load legacy EC keys using the OpenSSL engine.
  Fixes: https://github.com/tpm2-software/tpm2-tss/issues/2581
  Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20535)

* Avoid duplication of OPENSSL_armcap_P on 32bit ARM (Tomas Mraz, 2023-03-27, 1 file changed, -0/+2)
  Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20558)

* CMP add: fix -reqin option, which requires adding OSSL_CMP_MSG_update_recipNonce() (Dr. David von Oheimb, 2023-03-25, 2 files changed, -0/+16)
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  (Merged from https://github.com/openssl/openssl/pull/20204)

* OBJ_nid2obj(): Return UNDEF object instead of NULL for NID_undef (Tomas Mraz, 2023-03-23, 1 file changed, -3/+2)
  Fixes a regression from 3.0 from the obj creation refactoring.
  Fixes #20555
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20556)

* VC++ 2010 x86 compilers do not have InterlockedOr64 (Georgi Valkov, 2023-03-22, 1 file changed, -1/+1)
  The changes from the following commit should also apply to Visual Studio 2010:
  https://github.com/openssl/openssl/commit/2d46a44ff24173d2cf5ea2196360cb79470d49c7#r104867505
  Fixes build errors: undefined symbol InterlockedOr64 on Windows 2003, Visual Studio 2010 for x86 target.
  CLA: trivial
  Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20557)

* Do not build P10-specific AES-GCM assembler on macOS (Evan Miller, 2023-03-22, 3 files changed, -3/+3)
  Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20543)

* x509: excessive resource use verifying policy constraints (Pauli, 2023-03-22, 3 files changed, -14/+42)
  A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.
  Fixes CVE-2023-0464
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/20571)

* nit: tidy-up code, and fix a typo. (FdaSilvaYY, 2023-03-21, 1 file changed, -2/+2)
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
  (Merged from https://github.com/openssl/openssl/pull/20436)

* thread: remove remnants of ossl_crypto_mem_barrier (Čestmír Kalina, 2023-03-21, 2 files changed, -9/+0)
  Commit ac21c1780a63a8d9a3a6217eb52fe0d188fa7655 ("VMS knows POSIX threads too!") removed ossl_crypto_mem_barrier for POSIX systems. Remove it for Win32 and other architectures as well.
  Resolves issue #19506: "Unable to build under bcc32c environment (Embarcadero clang compiler)."
  Signed-off-by: Čestmír Kalina <ckalina@redhat.com>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20538)

* cmp_msg.c: free memory of certStatus before goto err (JAVAID Mohammad-Habib, 2023-03-20, 1 file changed, -1/+3)
  CLA: trivial
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20406)

* Provide better errors for some QUIC failures (Matt Caswell, 2023-03-20, 1 file changed, -0/+1)
  For example, it would be helpful if we got more useful information if the caller forgot to set the peer address.
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20514)

* sleep.c: Limit the sleep time instead of sleeping for days or even years (Tomas Mraz, 2023-03-18, 1 file changed, -32/+12)
  As the sleep() call is interruptible, it is not even a good idea to call it in a loop if the caller uses some ridiculously large value as an infinity just waiting for an interrupt.
  Fixes #20524
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
  (Merged from https://github.com/openssl/openssl/pull/20533)

* rsaz-*k-avx512.pl: fix wrong name of avx512 flag variable (Tomas Mraz, 2023-03-17, 3 files changed, -6/+6)
  Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20519)
  (cherry picked from commit d4765408c705f704f7cf33bd32bfb713061954a7)

* aes-gcm-avx512.pl: Fix the clang version detection on Apple OSes (Tomas Mraz, 2023-03-17, 1 file changed, -2/+11)
  Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20519)
  (cherry picked from commit 110dac578358014c29b86cf18d9a4bfe5561e3bc)

* providers: add Argon2 KDF (Čestmír Kalina, 2023-03-17, 1 file changed, -1/+1)
  https://datatracker.ietf.org/doc/rfc9106/
  Signed-off-by: Čestmír Kalina <ckalina@redhat.com>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12256)

* proverr: add PROV_R_{INVALID_MEMORY_SIZE,INVALID_THREAD_POOL_SIZE} (Čestmír Kalina, 2023-03-17, 1 file changed, -0/+2)
  Signed-off-by: Čestmír Kalina <ckalina@redhat.com>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12256)