Commit Graph

38426 Commits

Author SHA1 Message Date
Simo Sorce 5b761751b6 Disable buggy markdownlint rule MD032
The markdownlint rule MD032, which checks for blank lines surrounding lists,
is disabled because it is buggy and produces false positives. This change
prevents unnecessary build failures caused by incorrect linting.

Signed-off-by: Simo Sorce <simo@redhat.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29004)
2025-11-26 08:50:25 +11:00
Simo Sorce 7962a7ec98 Clarify and expand FIPS deferred tests design
Add a new "Examples" section to the design document to illustrate the intended
behavior of the self-test mechanism. These examples cover simple tests,
composite algorithms, and the specific semantics of the `also_satisfies` and
`depends_on` lists.

This change also clarifies several key points:
- The `also_satisfies` list is not processed recursively, while `depends_on`
is.
- The entire FIPS module will enter a failure state if any individual
  self-test fails.

Finally, the document is updated with various grammatical fixes and improved
wording for better readability.

Signed-off-by: Simo Sorce <simo@redhat.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29004)
2025-11-26 08:50:25 +11:00
Simo Sorce 35396be7ab Describe FIPS deferred tests implementation
Add a "Current Implementation" section to the FIPS deferred tests design
document.

This section details the mechanism used to execute on-demand self-tests in a
thread-safe manner. It explains the roles of the core functions, the use of a
global lock to serialize test execution, and the thread-local storage strategy
to prevent deadlocks during nested test calls.

Signed-off-by: Simo Sorce <simo@redhat.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29004)
2025-11-26 08:50:25 +11:00
Simo Sorce 7c61af8ae3 Add design for deferred FIPS self-tests
This commit introduces a design document for a new FIPS self-test execution
model.

The proposed design moves from the current model, where all Known Answer Tests
(KATs) run at provider load time, to a deferred model. In this new approach,
each algorithm's self-test is executed on-demand, the first time that
algorithm is requested for use.

The primary motivation is to reduce the noticeable startup latency caused by
running all FIPS self-tests unconditionally. This change will benefit
applications that only use a small subset of the available cryptographic
algorithms. The document details requirements for on-demand execution, failure
handling, dependency management, and thread safety, while maintaining FIPS
140-3 compliance.

Signed-off-by: Simo Sorce <simo@redhat.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29004)
2025-11-26 08:50:25 +11:00
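The three design commits above (7c61af8ae3, 35396be7ab and 7962a7ec98) describe on-demand self-tests with a recursively resolved `depends_on` list, a non-recursive `also_satisfies` list, a module-wide failure state, a global lock serialising test execution and a thread-local flag so that nested calls do not deadlock. The C program below is an illustration written for this page, not OpenSSL code and not taken from the design document; only the two list names and the rules stated in the commit messages come from them. The test table, the KAT stand-ins (AES-CTR is constructed to fail), the run counters and the exact interplay of the lock stand-in and the thread-local flag are hypothetical:

```c
/* Added example, not OpenSSL's code: a single-threaded model of the deferred
 * self-test design. The table, KAT stand-ins and counters are hypothetical.
 * depends_on is walked recursively and also_satisfies is not, as the commits
 * state; the lock/thread-local handling is one reading of the design text. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { T_SHA256, T_HMAC, T_HKDF, T_AES_ECB, T_AES_CTR, T_AES_GCM, T_COUNT };

bool selftest_on_demand(int id);   /* forward: a KAT may call back into it */

static bool kat_pass(void) { return true; }
static bool kat_fail(void) { return false; }
/* The HMAC KAT fetches SHA2-256 through the public entry point: the nested
 * call that must not try to take the global lock a second time. */
static bool kat_hmac(void) { return selftest_on_demand(T_SHA256); }

struct selftest {
    const char *name;
    bool (*kat)(void);        /* Known Answer Test stand-in */
    int depends_on[3];        /* prerequisites, resolved recursively; -1 ends */
    int also_satisfies[3];    /* marked passed on success, not resolved further */
};

static const struct selftest tests[T_COUNT] = {
    [T_SHA256]  = { "SHA2-256",    kat_pass, { -1 },           { -1 } },
    [T_HMAC]    = { "HMAC-SHA256", kat_hmac, { T_SHA256, -1 }, { -1 } },
    [T_HKDF]    = { "HKDF",        kat_pass, { T_HMAC, -1 },   { -1 } },
    [T_AES_ECB] = { "AES-ECB",     kat_pass, { -1 },           { T_AES_CTR, -1 } },
    [T_AES_CTR] = { "AES-CTR",     kat_fail, { -1 },           { -1 } }, /* constructed to fail */
    [T_AES_GCM] = { "AES-GCM",     kat_pass, { -1 },           { T_AES_ECB, -1 } },
};

static bool passed[T_COUNT];
static int  runs[T_COUNT];        /* how often each KAT actually executed */
static bool module_failed;        /* sticky: one failure poisons the whole module */

/* Serialisation state: a stand-in for the global lock, plus a thread-local
 * flag telling a nested request that it is already inside a self-test. */
static bool lock_held;
static __thread bool in_selftest; /* spelled _Thread_local in C11 */

static bool run_test(int id)
{
    if (module_failed)
        return false;
    if (passed[id])
        return true;
    for (int i = 0; tests[id].depends_on[i] != -1; i++)
        if (!run_test(tests[id].depends_on[i]))      /* recursive walk */
            return false;
    runs[id]++;
    if (!tests[id].kat()) {
        module_failed = true;                        /* enter the error state */
        return false;
    }
    passed[id] = true;
    for (int i = 0; tests[id].also_satisfies[i] != -1; i++)
        passed[tests[id].also_satisfies[i]] = true;  /* one level only */
    return true;
}

/* What an algorithm fetch would call the first time the algorithm is used. */
bool selftest_on_demand(int id)
{
    bool ok;

    if (in_selftest)      /* nested call from inside a KAT: already serialised */
        return run_test(id);
    if (lock_held)        /* a real lock would block here; in this model it is a bug */
        return false;
    lock_held = true;
    in_selftest = true;
    ok = run_test(id);
    in_selftest = false;
    lock_held = false;
    return ok;
}

int  selftest_runs(int id)        { return runs[id]; }
bool selftest_passed(int id)      { return passed[id]; }
bool selftest_module_failed(void) { return module_failed; }

int main(void)
{
    bool ok = selftest_on_demand(T_HKDF);
    printf("HKDF: %d, SHA2-256 ran %d time(s), HMAC ran %d\n", ok,
           selftest_runs(T_SHA256), selftest_runs(T_HMAC));
    ok = selftest_on_demand(T_AES_GCM);
    printf("AES-GCM: %d, AES-ECB satisfied: %d, AES-CTR satisfied: %d\n", ok,
           selftest_passed(T_AES_ECB), selftest_passed(T_AES_CTR));
    ok = selftest_on_demand(T_AES_CTR);
    printf("AES-CTR: %d, module failed: %d\n", ok, selftest_module_failed());
    return 0;
}
```

Requesting HKDF runs SHA2-256, HMAC and HKDF exactly once each, the nested SHA2-256 fetch inside the HMAC KAT hits the cached result without touching the lock, passing AES-GCM marks AES-ECB as satisfied but not AES-CTR (one level only), and the first failing KAT makes every later request fail, including for algorithms that already passed. `__thread` is a GCC/Clang extension; build with `cc selftest.c && ./a.out`.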
Dimitri John Ledkov 71ed0fc8b3 pbkdf2: enable setting minimum password length at build time
This is required for FIPS: allow customizing the minimum password length,
and allow opting in to doing the same for the default provider too.

Set the FIPS provider default to a minimum length of 8, and the default
provider to 0. Controlled by -no_pbkdf2_lower_bound_check and indicated
with the fips-approved indicator.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25621)
2025-11-26 08:48:02 +11:00
Tomas Mraz abcf402a6c Update the ssl trace reference for test_sslapi
Fixes ec114826

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29211)
2025-11-25 09:29:57 +01:00
David von Oheimb ec11482675 Remove extra leading '00:' when printing key material with highest byte >= 0x80
Removed pseudo-DER encoding of (unsigned) BNs from output of ASN1_bn_print() and
print_labeled_bignum() in providers/implementations/encode_decode/encode_key2text.c
Also adapt test output reference files where needed.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8136)
2025-11-25 09:09:33 +01:00
David Benjamin 069181d7f3 doc: Discuss calling X509_verify_cert in cert_verify_callback
Using SSL_CTX_set_cert_verify_callback but still calling
X509_verify_cert is useful if applications want to dynamically
configure the X509_STORE_CTX, or postprocess the result, in a way that
does not quite fit the somewhat unpredictable behavior of the
SSL_CTX_set_verify callback. (In my experience, applications rarely
realize it is called multiple times. It's also too late at that point to
reconfigure the X509_STORE_CTX as verification has already started.)

There is one note in the docs that the callback needs to stash the
verify result with X509_STORE_CTX_set_error, but it is not immediately
obvious that X509_verify_cert will do so, or that it is the built-in
behavior. Add a paragraph discussing this.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28960)
2025-11-24 19:22:20 +01:00
Bob Beck aa0be384d8 Removed ASN1_STRING_data()
This has been deprecated since 1.1.0 and is in the way for
improvements that could make ASN1_STRING opaque. (#29177)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29149)
2025-11-24 19:18:18 +01:00
Joshua Rogers 7f015c909e asn1: clear error mark on success in asn1_d2i_read_bio
Balance ERR_set_mark by calling ERR_clear_last_mark on the success path.
Prevents a stale mark from skewing later error handling.

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28882)
2025-11-24 19:10:25 +01:00
bleeqer d3463971bc CRYPTO_secure_used(), CRYPTO_secure_actual_size(): Check for NULL rwlock
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28749)
2025-11-24 19:08:06 +01:00
Joshua Rogers 1c4f7b1035 crypto/bio/bss_acpt: reset accept_sock and b->num after close in ACPT_S_LISTEN failures
On BIO_listen or BIO_sock_info failure we close the socket but leave
accept_sock and b->num pointing at the old fd. Later cleanup can double
close.

Set both to INVALID_SOCKET immediately after BIO_closesocket.

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28904)
2025-11-24 09:03:43 -05:00
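The failure path described in the commit above, modelled with a plain POSIX socket as an added example for this page; this is not OpenSSL's bss_acpt.c. The state struct, the helper names and the simulated listen failure are hypothetical; INVALID_SOCKET is the value the commit assigns:

```c
/* Added example, not OpenSSL's BIO code: why leaving a closed descriptor
 * number behind turns later cleanup into a double close. */
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#define INVALID_SOCKET (-1)

struct acpt_state {
    int accept_sock;   /* the listening socket */
    int num;           /* BIO-level copy of the descriptor (b->num) */
};

/* Listen-state failure before the fix: the socket is closed, but both
 * fields still name the old descriptor. */
static void listen_failed_old(struct acpt_state *s)
{
    close(s->accept_sock);
}

/* After the fix: invalidate every copy of the descriptor right after closing. */
static void listen_failed_fixed(struct acpt_state *s)
{
    close(s->accept_sock);
    s->accept_sock = INVALID_SOCKET;
    s->num = INVALID_SOCKET;
}

/* Generic cleanup, as a BIO free would do: close whatever is still recorded.
 * Returns close()'s result, so -1 with errno == EBADF means the descriptor
 * was already gone, i.e. a double close happened. */
static int acpt_cleanup(struct acpt_state *s)
{
    int ret = 0;

    if (s->accept_sock != INVALID_SOCKET) {
        ret = close(s->accept_sock);
        s->accept_sock = INVALID_SOCKET;
        s->num = INVALID_SOCKET;
    }
    return ret;
}

/* Runs one variant. Returns 1 if cleanup double-closed, 0 if it did not,
 * -1 if no socket could be created. */
int double_close_happens(int fixed)
{
    struct acpt_state s;

    s.accept_sock = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s.accept_sock < 0)
        return -1;
    s.num = s.accept_sock;
    /* pretend BIO_listen() or BIO_sock_info() failed at this point */
    if (fixed)
        listen_failed_fixed(&s);
    else
        listen_failed_old(&s);
    errno = 0;
    return acpt_cleanup(&s) == -1 && errno == EBADF;
}

int main(void)
{
    printf("old code double-closes: %d\n", double_close_happens(0));
    printf("fixed code double-closes: %d\n", double_close_happens(1));
    return 0;
}
```

In this single-threaded run the stale close merely fails with EBADF. In a multithreaded process the descriptor number may already have been handed out again to another thread's socket(), accept() or open() between the two closes, so the double close silently closes a foreign descriptor; that is why the fix invalidates both copies immediately rather than relying on later cleanup.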
Viktor Dukhovni fb43a0ac5a Expand and clarify SSL_CTX_config(3) docs.
- Document significant limitations in CONF_module_load_file() in OpenSSL 3.x

- Given the limitations, deëmphasise the use of CONF_module_load_file()
  in SSL_CTX_config(3) documentation, showing an example with the default
  config file instead.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28650)
2025-11-21 15:13:09 +01:00
Viktor Dukhovni 98e8800e70 Editorial: future proofing -> future-proofing
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28650)
2025-11-21 15:13:02 +01:00
Igor Ustinov 2a7b058429 Correct information about the default value of the -md parameter
of the openssl cms command.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29175)
2025-11-21 08:45:50 -05:00
Eugene Syromiatnikov 768468f40e doc/man3/OPENSSL_malloc.pod: mention rationale for OPENSSL_cleanse()
It was not entirely clear from the description alone what the reason is
for preferring OPENSSL_cleanse() over memset().  Add a note about situations
in which OPENSSL_cleanse() should be chosen.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29174)
2025-11-21 14:36:24 +01:00
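An added example for this page of the point the commit above documents, not OpenSSL's own OPENSSL_cleanse(): a plain memset() on memory that is never read again is a dead store the compiler may delete, and calling memset through a volatile function pointer is one portable way to keep the wipe (the same idea as OpenSSL's portable C fallback in crypto/mem_clr.c). The key bytes are constructed:

```c
/* Added example, not OpenSSL's implementation: a wipe that survives
 * dead-store elimination, next to the plain memset() it replaces. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A memset() on memory that is never read again is a dead store. The
 * compiler may delete it, so the secret can stay in freed memory, in a
 * stack frame a later call reuses, or in a core dump. */
static void wipe_plain(void *p, size_t n)
{
    memset(p, 0, n);
}

/* Reading the callee through a volatile pointer means the compiler cannot
 * assume it knows what the call does, so the call and its stores stay. */
static void *(*volatile memset_vp)(void *, int, size_t) = memset;

void secure_cleanse(void *p, size_t n)
{
    memset_vp(p, 0, n);
}

/* Returns 1 when buf[0..n) is all zero. The OR accumulation avoids an early
 * exit, so scan time does not depend on where a non-zero byte sits. */
int all_zero(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;

    for (size_t i = 0; i < n; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Fill a heap buffer with a constructed "key", wipe it with the chosen
 * routine and report whether anything is left. Both variants pass here
 * because all_zero() reads the buffer afterwards, which keeps the store
 * alive; the difference only appears when nothing reads the memory again,
 * which is exactly the situation for a secret being discarded. */
int wipe_and_check(int use_secure)
{
    size_t n = 32;
    unsigned char *key = malloc(n);
    int clean;

    if (key == NULL)
        return -1;
    for (size_t i = 0; i < n; i++)
        key[i] = (unsigned char)(0xA5 ^ i);   /* constructed key bytes */
    if (use_secure)
        secure_cleanse(key, n);
    else
        wipe_plain(key, n);
    clean = all_zero(key, n);
    free(key);
    return clean;
}

int main(void)
{
    printf("secure wipe left only zeros: %d\n", wipe_and_check(1));
    printf("plain wipe left only zeros:  %d\n", wipe_and_check(0));
    return 0;
}
```

To see the difference, drop the all_zero() read-back, build with `cc -O2 -c` and compare `objdump -d` output: the plain memset() call disappears while the call through memset_vp remains. Platform-specific alternatives are explicit_bzero() on glibc and the BSDs and memset_s() from C11 Annex K, neither of which is available everywhere, which is the portability argument for a library-provided wipe.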
Shohei YOSHIDA 978cb1f9d1 DOC: fix description of '-self_test_oninstall'
CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29168)
2025-11-21 14:32:37 +01:00
Neil Horman 3d7f4eb35b Add test for recordpadding
Just run the quicapitest (which attempts to create quic connections)
while using a config that specifies recordpadding, which quic should
ignore

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28992)
2025-11-21 14:28:32 +01:00
Neil Horman 4d33baf565 Ignore RecordPadding option in config file for QUIC objects
QUIC connections always pad data at the packet level during packet
encryption, and so have no ability to do padding at the record level.

We want to be able to inform the user of this condition when
applications call SSL_set_block_padding_ex directly by returning an
error, but we have no idea what kind of SSL objects are created when the
config file is written.

As such, silently ignore this config file option when QUIC objects are created.

Fixes #28953

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28992)
2025-11-21 14:28:15 +01:00
Neil Horman 771814bee7 Add SSL_CTX_is_quic API
Like SSL_is_quic, it would be helpful to know if SSL_CTX objects create
QUIC SSLs or not.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28992)
2025-11-21 14:28:15 +01:00
Teshan Kannangara e7251fa1a9 rand_lib.c: Use ERR_LIB_RAND with RAND_R errors
Use ERR_LIB_RAND when reporting RAND_R_ALREADY_INSTANTIATED from
RAND_set_DRBG_type() and RAND_set_seed_source_type() so the error
message references the RAND subsystem instead of CRYPTO.

Fixes #29039

CLA: trivial

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29109)
2025-11-21 14:15:07 +01:00
Daniel Kubec 3f0fb59095 CHANGES.md: CRL Certificate Issuer and IDP extensions
Updated CHANGES.md for commit e2990825a2

Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29136)
2025-11-21 14:13:10 +01:00
zhoulu 7b3810847e sm4-riscv64-zvksed.pl: Code comment corrections
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29134)
2025-11-21 14:10:15 +01:00
Dr. David von Oheimb 399781ef78 OCSP_request_set1_name(): make use of GENERAL_NAME_set1_X509_NAME()
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28031)
2025-11-20 15:09:30 +01:00
Tomas Mraz 00b112c024 cms_sd.c: Code style cleanup and removed redundant check
The `md == NULL` check is redundant as ossl_cms_adjust_md()
never returns success with `md == NULL`.

Fixes Coverity issue 1675014
Fixes #29170

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29171)
2025-11-20 15:07:47 +01:00
Samaresh Kumar Singh 6b4ad7f8d8 doc: Add HISTORY entry for message signing functions in provider-signature(7)
The OSSL_FUNC_signature_{sign,verify}_message_* functions were added
in OpenSSL 3.4 but weren't documented in the HISTORY section of
provider-signature(7), while the corresponding EVP_PKEY_sign_message_*
functions are properly documented in EVP_PKEY_sign(3).

This adds the missing HISTORY entry to document when these provider
functions were introduced.

Fixes #29088

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29130)
2025-11-20 10:21:26 +11:00
Joshua Rogers cb95203379 apps/s_time: enable peer verification when -verify is used
s_time loaded CA material but never turned verification on, so
-verify only changed the depth while handshakes skipped verification.

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28857)
2025-11-19 18:51:48 +01:00
Lars Erik Wik 8da3d5dd9f bio_ok.c: Fixed undefined identifier 'SIZE_MAX'
This fixes the following compilation error on HP-UX:
```
11:07:19 crypto/evp/bio_ok.c: In function 'block_in':
11:07:19 crypto/evp/bio_ok.c:579: error: 'SIZE_MAX' undeclared (first use in this function)
11:07:19 crypto/evp/bio_ok.c:579: error: (Each undeclared identifier is reported only once
11:07:19 crypto/evp/bio_ok.c:579: error: for each function it appears in.)
```

Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28793)

(cherry picked from commit 695a5aaf0b)
2025-11-19 16:00:23 +01:00
Anton Moryakov 34d3d2e308 dsaparam.c: Check return value of PEM_write_bio_PrivateKey()
The result of PEM_write_bio_PrivateKey was not checked, which could lead
to silent failure when writing a generated DSA private key to output.

Now verify the return value and report an error if the write fails,
matching the error handling pattern used for other write operations.

Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29075)
2025-11-19 15:55:46 +01:00
Tom Cosgrove 9b810d9256 Enable AES and SHA3 optimisations on Apple Silicon M5-based macOS systems
ARMV8_UNROLL8_EOR3 gives a performance improvement of 6-35%.

ARMV8_HAVE_SHA3_AND_WORTH_USING gives 3-4% improvement.

Still no performance gain from ARMV8_UNROLL12_EOR3.

Change-Id: I692ad5711e7ff728cd59baba64830cd3f69c3687

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29053)
2025-11-19 15:54:00 +01:00
Neil Horman 0b803c2adc merge x509 and handshake memfail test
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28736)
2025-11-19 15:53:01 +01:00
Neil Horman 7916bccc77 Add x509 memfail test to run_checker_daily
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28736)
2025-11-19 15:52:44 +01:00
Neil Horman 2d6d0831d2 add a memfail test for x509 operations
Much like our handshake test, x509 has several operations that can be
tested easily in such a way that we ensure memory failures don't cause
cascading asan failures, and increase our test coverage.

Add a test to exercise some X509 apis to do so.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28736)
2025-11-19 15:52:44 +01:00
Dr. David von Oheimb d46fca3263 CMP doc: update RFC 4210 -> 9810, RFC 6712 -> 9811
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Alicja Kario <hkario@redhat.com>
(Merged from https://github.com/openssl/openssl/pull/28017)
2025-11-19 14:31:42 +01:00
Tomas Mraz 7ec28bfe45 80-test_cms.t: Fix regression in provider compatibility CI
Fixes de83e65580

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29172)
2025-11-19 14:27:44 +01:00
Leon Timmermans fc563b4d48 Allow get_params to return length of the AES-GCM tag parameter
Previously, EVP_CIPHER_CTX_get_params would not report the length of the
tag parameter when called with a NULL data pointer. This change makes the
function behave as documented.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28232)
2025-11-19 14:19:20 +01:00
Leon Timmermans ab60626253 Allow get_params to return length of AES-GCM IV parameters
Previously, EVP_CIPHER_CTX_get_params would not report the length of the
IV parameters when called with a NULL data pointer. This change makes the
function behave as documented.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28232)
2025-11-19 14:19:20 +01:00
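The two commits above (fc563b4d48 and ab60626253) are about the documented two-pass convention for parameter getters: call once with a NULL data pointer to learn the size, then again with a buffer. The following C program, added for this page and not OpenSSL's provider code, shows the old and the fixed getter side by side on a cut-down parameter structure. struct param, struct gcm_ctx, the "tag"/"iv" keys and the sample values are hypothetical or constructed:

```c
/* Added example, not OpenSSL's provider code: the "ask for the size, then
 * fetch" convention on a minimal parameter structure. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct param {
    const char *key;        /* NULL terminates an array of params */
    void *data;             /* NULL: caller only wants return_size filled in */
    size_t data_size;       /* capacity of data */
    size_t return_size;     /* set by the getter: bytes needed or written */
};

struct gcm_ctx {
    unsigned char iv[12];  size_t ivlen;
    unsigned char tag[16]; size_t taglen;
};

/* Before the fix: a NULL data pointer was treated like a too-small buffer,
 * so a size query failed and return_size was never filled in. */
static int get_octets_old(struct param *p, const void *src, size_t len)
{
    if (p->data == NULL || p->data_size < len)
        return 0;
    memcpy(p->data, src, len);
    p->return_size = len;
    return 1;
}

/* After the fix: always report the length; copy only when a buffer is given. */
static int get_octets(struct param *p, const void *src, size_t len)
{
    p->return_size = len;
    if (p->data == NULL)
        return 1;                /* size query succeeds without writing */
    if (p->data_size < len)
        return 0;                /* caller's buffer too small */
    memcpy(p->data, src, len);
    return 1;
}

/* The cipher context's get_params, switchable between the two behaviours. */
int gcm_get_params(const struct gcm_ctx *c, struct param *params, int fixed)
{
    int (*get)(struct param *, const void *, size_t) = fixed ? get_octets : get_octets_old;

    for (struct param *p = params; p->key != NULL; p++) {
        if (strcmp(p->key, "tag") == 0) {
            if (!get(p, c->tag, c->taglen))
                return 0;
        } else if (strcmp(p->key, "iv") == 0) {
            if (!get(p, c->iv, c->ivlen))
                return 0;
        }
        /* unknown keys are left untouched */
    }
    return 1;
}

/* Caller side, pass 1: learn the size. Returns 0 when the getter refuses. */
size_t query_len(const struct gcm_ctx *c, const char *key, int fixed)
{
    struct param params[2] = { { key, NULL, 0, 0 }, { NULL, NULL, 0, 0 } };

    return gcm_get_params(c, params, fixed) ? params[0].return_size : 0;
}

/* A constructed context with a 16-byte tag and a 12-byte IV. */
const struct gcm_ctx *sample_ctx(void)
{
    static struct gcm_ctx c;

    memcpy(c.tag, "0123456789abcdef", 16);   /* constructed, not a real tag */
    c.taglen = 16;
    memcpy(c.iv, "constructed!", 12);        /* constructed, not a real IV */
    c.ivlen = 12;
    return &c;
}

/* Caller side, pass 2: fetch the tag into a buffer of cap bytes.
 * Returns 1 if the copy succeeded and matches, 0 if the getter refused. */
int fetch_tag(size_t cap)
{
    const struct gcm_ctx *c = sample_ctx();
    unsigned char buf[16];
    struct param params[2] = { { "tag", buf, cap, 0 }, { NULL, NULL, 0, 0 } };

    if (cap > sizeof buf || !gcm_get_params(c, params, 1))
        return 0;
    return params[0].return_size == c->taglen && memcmp(buf, c->tag, c->taglen) == 0;
}

int main(void)
{
    printf("tag size, fixed getter: %zu; old getter: %zu\n",
           query_len(sample_ctx(), "tag", 1), query_len(sample_ctx(), "tag", 0));
    printf("fetch with 16 bytes: %d; with 8 bytes: %d\n", fetch_tag(16), fetch_tag(8));
    return 0;
}
```

With the old getter the size query returns 0 and a caller that sized its buffer from return_size would read an uninitialised length; with the fixed getter the query succeeds without writing, and the real fetch still fails cleanly when the buffer is too small.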
Dmitry Misharov 793a744f2b add CI job for linux-x86 platform
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29123)
2025-11-19 14:16:37 +01:00
Igor Ustinov 747cfae9f1 Removed ossl_assert() calls from public OSSL_EN/DECODER_CTX_*() functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29120)
2025-11-18 19:36:22 +01:00
Igor Ustinov f480a73610 Added finalized flag to the OSSL_ENCODER/DECODER_CTX structures
After this flag is set, the generic OSSL_ENCODER/DECODER_CTX_set_*()
functions shouldn't be called anymore, so they return error in this case.

Fixes #28249

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29120)
2025-11-18 19:35:01 +01:00
Soumik Sarker de89ca9347 apps/enc.c: Moved -pass, -k, -kfile to encryption options
Signed-off-by: Soumik Sarker <ronodhirsoumik@gmail.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29110)
2025-11-18 19:31:43 +01:00
Joshua Rogers 9eb6922c59 asn1: raise NOT_ENOUGH_DATA on header EOF
If BIO_read returns 0 with no buffered data, raise ASN1_R_NOT_ENOUGH_DATA
so callers see a specific error instead of a generic -1.

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28883)
2025-11-18 19:29:31 +01:00
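The distinction the commit above draws, end of data with nothing buffered versus a malformed or cut-off header, as an added example for this page: a DER tag/length reader over an in-memory stream whose read function behaves like BIO_read() (0 when nothing is left). This is not OpenSSL's asn1_d2i_read_bio(); the stream type, the error codes and the sample encodings are hypothetical or constructed:

```c
/* Added example, not OpenSSL's ASN.1 code: a DER header reader that reports
 * "no data at all" separately from "header present but broken". */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct stream { const unsigned char *buf; size_t len, pos; };

/* Like BIO_read(): number of bytes delivered, 0 when nothing is left. */
static int stream_read(struct stream *s, unsigned char *out, size_t n)
{
    size_t avail = s->len - s->pos;

    if (avail == 0)
        return 0;
    if (n > avail)
        n = avail;
    memcpy(out, s->buf + s->pos, n);
    s->pos += n;
    return (int)n;
}

enum {
    DER_OK = 1,
    DER_ERR_GENERIC = -1,          /* malformed header */
    DER_ERR_NOT_ENOUGH_DATA = -2,  /* end of data before the header started */
    DER_ERR_TRUNCATED = -3,        /* header started but cut short */
    DER_CHECK_MISMATCH = -100      /* der_check(): parsed, but not as expected */
};

/* Reads a single-byte tag and a definite, minimally encoded length. */
int der_read_header(struct stream *s, unsigned char *tag, size_t *length)
{
    unsigned char b;
    size_t nbytes, len = 0;

    if (stream_read(s, &b, 1) == 0)
        return DER_ERR_NOT_ENOUGH_DATA;  /* nothing at all: a specific error */
    if ((b & 0x1f) == 0x1f)
        return DER_ERR_GENERIC;          /* high-tag-number form not handled */
    *tag = b;
    if (stream_read(s, &b, 1) == 0)
        return DER_ERR_TRUNCATED;
    if (b < 0x80) {                      /* short form */
        *length = b;
        return DER_OK;
    }
    nbytes = b & 0x7f;
    if (nbytes == 0 || nbytes > sizeof(size_t))
        return DER_ERR_GENERIC;          /* indefinite length or absurd size */
    for (size_t i = 0; i < nbytes; i++) {
        if (stream_read(s, &b, 1) == 0)
            return DER_ERR_TRUNCATED;
        if (i == 0 && b == 0)
            return DER_ERR_GENERIC;      /* leading zero byte: non-minimal */
        len = (len << 8) | b;
    }
    if (len < 0x80)
        return DER_ERR_GENERIC;          /* long form for a short-form value */
    *length = len;
    return DER_OK;
}

/* Parses buf and compares against the expected tag/length. Returns the
 * reader's code, or DER_CHECK_MISMATCH when it parsed but disagrees. */
int der_check(const unsigned char *buf, size_t len,
              unsigned char want_tag, size_t want_len)
{
    struct stream s = { buf, len, 0 };
    unsigned char tag = 0;
    size_t length = 0;
    int r = der_read_header(&s, &tag, &length);

    if (r == DER_OK && (tag != want_tag || length != want_len))
        return DER_CHECK_MISMATCH;
    return r;
}

int main(void)
{
    /* constructed: SEQUENCE with a 256-byte long-form length */
    static const unsigned char seq[] = { 0x30, 0x82, 0x01, 0x00 };

    printf("empty stream:   %d\n", der_check(seq, 0, 0, 0));
    printf("SEQUENCE/256:   %d\n", der_check(seq, sizeof seq, 0x30, 256));
    printf("cut after tag:  %d\n", der_check(seq, 1, 0, 0));
    return 0;
}
```

A caller that loops reading objects from a stream can stop cleanly on DER_ERR_NOT_ENOUGH_DATA (the stream simply ended) while still treating DER_ERR_TRUNCATED and DER_ERR_GENERIC as corrupt input, which is not possible when all three collapse into a single -1.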
Anton Moryakov 87a4607668 Prevent NULL deref in BN_is_zero when cofactor is missing
In ossl_ec_curve_nid_from_params, EC_GROUP_get0_cofactor may return NULL,
but BN_is_zero was called on it unconditionally, leading to a potential
segmentation fault.

Now check that cofactor != NULL before calling BN_is_zero or BN_is_word,
aligning with safe practices used elsewhere in the codebase.

This fixes a critical NULL pointer dereference vulnerability that could
be triggered by EC groups with unset cofactor, preventing DoS via segfault.

Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29069)
2025-11-18 19:07:52 +01:00
Igor Ustinov c9248e19dd ML_KEM init refactoring, unconditional entropy cleanup
Fixes #27746

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29062)
2025-11-18 18:11:54 +01:00
KubaBoi ecf3ac3b10 asn1_gen: add ASN1_object_size() return check and fix else braces
Fixes: #6570

CLA: trivial

Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29022)
2025-11-18 18:08:26 +01:00
Tomas Mraz 376f7ee4d1 CRYPTO_R_ cannot be used with ERR_LIB_OSSL_STORE
Use ERR_R_PASSED_NULL_PARAMETER instead.

Fixes e9e643bc58

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29006)
2025-11-18 18:05:44 +01:00
Stefan Berger 28a9d0e52d Implement EVP_SIGNATURE_hash_message_update() and use it
Implement EVP_SIGNATURE_hash_message_update() to check for support
of EVP_PKEY_sign_message_update() and EVP_PKEY_verify_message_update() and
use this function to replace the has_msg_update column in CMS.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28923)
2025-11-18 18:03:24 +01:00
Stefan Berger de83e65580 tests: Add CMS tests for no-attribute signing for ML/SLH-DSA and EdDSA
Add CMS test cases for no-attribute signing for ML-DSA, SLH-DSA
and EdDSA (Ed448 and Ed25519 keys).

Fixes: #11915

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28923)
2025-11-18 18:03:24 +01:00
Stefan Berger 266fb55eb8 cms: Enable signature verification for no-attribute case (hashless signing)
Enable signature verification for hashless signing schemes, such as ML-DSA
and EdDSA, for the non-attribute case of CMS. Also in this case the BIO
with the plain input data needs to be passed through to the signature
verification function so that the pure-mode signature verification method
can hash the plain data itself.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28923)
2025-11-18 18:03:24 +01:00
Stefan Berger 3ee16555ee cms: Enable signing with hashless signing for no-attributes case
Enable the ability to sign with hashless signing schemes, such as ML-DSA
in pure mode, in case no attributes are used in CMS. To support this, pass
the BIO with the plain data through to the signing function so that the key's
pure-mode signing scheme can hash the data itself.

The current implementation relies on a seekable BIO so that the data
stream can be read multiple times for support of multiple keys.

Some signing schemes, such as ML-DSA, support the message_update function
when signing data; others, such as EdDSA keys, do not support it. The former
allows for reading data in smaller chunks and calling
EVP_PKEY_sign_message_update with the data, while the latter requires that
all data are read into memory and then passed for signing. This latter
method could run into out-of-memory issues when signing very large files.

Fixes: #28279

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28923)
2025-11-18 18:03:24 +01:00