This is required for FIPS, allow to customize minimum password length,
allow opting in doing the same for the default provider too.
Set FIPS provider default to minimum length of 8, and default provider
to 0. Controlled by -no_pbkdf2_lower_bound_check and indicated with
fips-approved indicator.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25621)
Removed pseudo-DER encoding of (unsigned) BNs from output of ASN1_bn_print() and
print_labeled_bignum() in providers/implementations/encode_decode/encode_key2text.c
Also adapt test output reference files where needed.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8136)
This has been deprecated since 1.1.0 and is in the way for
improvements that could make ASN1_STRING opaque. (#29177)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29149)
Balance ERR_set_mark by calling ERR_clear_last_mark on the success path.
Prevents a stale mark from skewing later error handling.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28882)
On BIO_listen or BIO_sock_info failure we close the socket but leave
accept_sock and b->num pointing at the old fd. Later cleanup can double
close.
Set both to INVALID_SOCKET immediately after BIO_closesocket.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28904)
Use ERR_LIB_RAND when reporting RAND_R_ALREADY_INSTANTIATED from
RAND_set_DRBG_type() and RAND_set_seed_source_type() so the error
message references the RAND subsystem instead of CRYPTO.
Fixes#29039
CLA: trivial
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29109)
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29134)
This fixes the following compilation error on HP-UX:
```
11:07:19 crypto/evp/bio_ok.c: In function 'block_in':
11:07:19 crypto/evp/bio_ok.c:579: error: 'SIZE_MAX' undeclared (first use in this function)
11:07:19 crypto/evp/bio_ok.c:579: error: (Each undeclared identifier is reported only once
11:07:19 crypto/evp/bio_ok.c:579: error: for each function it appears in.)
```
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28793)
(cherry picked from commit 695a5aaf0b)
ARMV8_UNROLL8_EOR3 gives a performance improvement of 6-35%.
ARMV8_HAVE_SHA3_AND_WORTH_USING gives 3-4% improvement.
Still no performance gain from ARMV8_UNROLL12_EOR3.
Change-Id: I692ad5711e7ff728cd59baba64830cd3f69c3687
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29053)
After this flag is set, the generic OSSL_ENCODER/DECODER_CTX_set_*()
functions shouldn't be called anymore, so they return error in this case.
Fixes#28249
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29120)
If BIO_read returns 0 with no buffered data, raise ASN1_R_NOT_ENOUGH_DATA
so callers see a specific error instead of a generic -1.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28883)
In ossl_ec_curve_nid_from_params, EC_GROUP_get0_cofactor may return NULL,
but BN_is_zero was called on it unconditionally, leading to a potential
segmentation fault.
Now check that cofactor != NULL before calling BN_is_zero or BN_is_word,
aligning with safe practices used elsewhere in the codebase.
This fixes a critical NULL pointer dereference vulnerability that could
be triggered by EC groups with unset cofactor, preventing DoS via segfault.
Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29069)
Fixes: #6570
CLA: trivial
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29022)
Use ERR_R_PASSED_NULL_PARAMETER instead.
Fixes e9e643bc58
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29006)
Implement EVP_SIGNATURE_hash_message_update() to check for support
of EVP_PKEY_sign_message_update() and EVP_PKEY_verify_message_update() and
use this function to replace the has_msg_update column in CMS.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28923)
Enable signature verification for hashless signing schemes, such as ML-DSA
and EdDSA, for the non-attribute case of CMS. Also in this case the BIO
with the plain input data needs to be passed through to the signature
verification function so that the pure-mode signature verification method
can hash the plain data itself.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28923)
Enable the ability to sign with a hashless signing schemes, such as ML-DSA
in pure mode, in case no attributes are used in CMS. To support this, pass
the BIO with the plain data through to the signing function so that key's
pure mode signing scheme can hash the data itself.
The current implementation relies on a seek'able BIO so that the data
stream can be read multiple times for support of multiple keys.
Some signing schemes, such as ML-DSA, support the message_update function
when signing data, others, such as EdDSA keys do not support it. The former
allows for reading data in smaller chunks and calling
EVP_PKEY_sign_message_update with the data, while the latter requires that
all data are all read into memory and then passed for signing. This latter
method could run into out-of-memory issue when signing very large files.
Fixes: #28279
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28923)
Get a default hash for hash-less signing schemes such as ML-DSA, SLH-DSA,
and EdDSA in the case when signed attributes are present as well as for the
no signed attributes case. For the latter case, EdDSA is the only signing
scheme that has a required hash (sha512 for ED25519 and shake256 for
ED448), all other ones have a suggested hash. Only use the suggested hash
if the hash provided by the caller of CMS_add1_signer passed a NULL pointer
for md. Use the required hash in any case, overriding any choice of the
caller.
Fixes: #13523
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28923)
BIO_C_SET_ACCEPT with num == 0 unconditionally set b->init = 1 even if
BIO_parse_hostserv failed. Only mark the BIO initialized when parsing
succeeds to avoid inconsistent state.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28912)
Label an empty digest list as `signed-data` instead of `certs-only`.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28881)
BIO_CTRL_RESET zeroed compress.bufsize and did not reinitialize the ZSTD
streams or buffer positions. After a reset, the next write could try to use
a 0 byte buffer and stall or behave unpredictably.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28844)
This changes x509 verification to use int64 values of epoch
seconds internally instead of time_t. While time values from
a system will still come from/to a platform dependant time_t
which could be range constrained, we can simplify this
to convert the certificate time to a posix time and then
just do a normal comparison of the int64_t values. This
removes the need to do further computation to compare values
which potentially do not cover the range of certificate times,
and makes the internal functions a bit more readable.
This also modifies the tests to ensure the full range of
times are tested, without depending on time_t, and adds
tests for checking CRL expiry, which were lacking before.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28987)
The documentation now reference(s) FIPS 186-5 instead of FIPS 186-4,
and clarifies the keygen method used.
This PR also adds the new FIPS 186-5 2 optional parameters that allow
the generated probable primes to be congruent to a value mod 8.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28349)
Unlike Neoverse N1, the Neoverse N2 and Neoverse N3 cores support the
EOR3 instruction. Enabling ARMV8_UNROLL12_EOR3 on these cores gives
performance uplift of 9-10% for AES-CTR 128/192/256 ciphers at larger
block sizes.
Signed-off-by: Gowtham Suresh Kumar <gowtham.sureshkumar@arm.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29044)
Add cpu MIDR and ensure relevant optimisations are enabled.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29044)
In slh_sign_internal(), if calling PACKET_buf_init() failed, this
function return without free wpkt. Replace `return 0` with `goto err`
to free wpkt before return.
CLA: trivial
Signed-off-by: Lidong Yan <502024330056@smail.nju.edu.cn>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29041)
MSVC complained about possible loss of data on assignment, and it seems
that constant_time_select_bn is more suitable here than
constant_time_select_64, change the call to the former.
Fixes: 6d702cebfc "Add an extra reduction step to RSAZ mod_exp implementations"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/29040)
Add validation to ensure Certificate Issuer extensions in CRL entries
only appear when the Indirect CRL flag is TRUE in the Issuing
Distribution Point (IDP) extension, as required by RFC 5280 section
5.3.3.
Fixes#27465
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29018)
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28991)
Encrypted Data does not support AEAD algorithms. If you wish to
use AEAD algorithms you will have to use a CMS_AuthEnvelopedData
structure. Therefore, when AEAD algorithms are used with
CMS_EncryptedData_set1_key will now return an error.
Fixes: #28607
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28711)
Prefix the base architecture to the displayed RISC-V
architecture string, so the displayed OPENSSL_riscvcap
environment value can be used as is, since otherwise
the OPENSSL_cpuid_setup would ignore the first extension,
as it is expected to be the base architecture, usually
"RV64GC" or similar.
See the comment at parse_env in crypto/riscvcap.c
Furthermore also print the VLEN value, if the V-extension
is given, since that makes a significant difference
which assembler modules are activated by the V-extension.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28760)
Adding a test that called PKCS12_set_pbmac1_pbkdf2() with a saltlen of
zero, pointed out that the libctx and propq were not being propagated.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29068)
This change includes bss_sock.c to deal with introduction of EPROTO use.
Reroll of rsa_ossl.c changes made at 3.5 downward.
Build a workaround in timing_load_creds.c on NonStop for lack of rusage.
This simulates getrusage() that is not available on NonStop.
Update bioprinttest.c to handle missing PTRxPRT definitions from inttypes.h.
Fixes: #29023
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29024)
Do not use new assembler code for CPUs with SHA512 support in case the assembler only supports avx but not avx2.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28488)
The lock contention checker uses the gettid() syscall to get a unique
thread id for each thread contending on a lock. While MACOS has this
syscall, it does something completely different:
https://elliotth.blogspot.com/2012/04/gettid-on-mac-os.html
Resulting in -1 being returned for all threads. Use a macos specific
call to get the thread id instead
Fixesopenssl/project#1699
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/29031)
If not set, bn_check_top() trips when BN_DEBUG is defined
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28801)
ossl_assert() has been modified so much that it no longer fits the
purpose of bn_check_top() when BN_DEBUG is defined in a debug build,
which is to abort and tell where the BIGNUM is inconsistent. This
is by design.
This has remained undiscovered because no one has tried BN_DEBUG
for quite a while.
Assertions in bn_check_top() are also rearranged to better show what
the actual problem is.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28801)
Dimitri John Ledkov
David von Oheimb
Bob Beck
Joshua Rogers
bleeqer
Teshan Kannangara
zhoulu
Dr. David von Oheimb
Tomas Mraz
Lars Erik Wik
Tom Cosgrove
Igor Ustinov
Anton Moryakov
KubaBoi
Stefan Berger
nia
slontis
Gowtham Suresh Kumar
Paul Elliott
Lidong Yan
Eugene Syromiatnikov
Daniel Kubec
Nikola Pajkovsky
Ryan Hooper
Bernd Edlinger
Randall S. Becker
rainerjung
Neil Horman
Richard Levitte