noticed by @sftcd
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25111)
(cherry picked from commit 4688f9b821)
CLA: trivial
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24434)
(cherry picked from commit 0813ffee2f)
Fixes#24892
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25046)
(cherry picked from commit 871c534d39)
Also fixes Coverity 1604639
There is no point in checking ba_ret as it can never be NULL.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24931)
(cherry picked from commit 4fa9d1f40f)
Coverity issued an error in the opt_uintmax code, detecting a potential
overflow on a cast to ossl_intmax_t
Looks like it was just a typo, casting m from uintmax_t to ossl_intmax_t
Fix it by correcting the cast to be ossl_uintmax_t, as would be expected
Theres also some conditionals that seem like they should be removed, but
I'll save that for later, as there may be some corner cases in which
ossl_uintmax_t isn't equal in size to uintmax_t..maybe.
Fixesopenssl/private#567
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24897)
(cherry picked from commit a753547eef)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24776)
(cherry picked from commit cfe0bbdeca)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24776)
(cherry picked from commit bb90a7861c)
Some versions if the VMS C system header files seem to require this.
Fixes#24466 on release older than 3.3.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/24471)
Add the OPENSSL_free() in the error handler to release the "*md_value"
allocated by app_malloc(). To make the code clear and avoid possible
future errors, combine the error handler in the "err" tag.
Then, we only need to use "goto err" instead of releasing the memory
separately.
Since the EVP_MD_get_size() may return negative numbers when an error occurs,
create_query() may fail to catch the error since it only considers 0 as an
error code.
Therefore, unifying the error codes of create_digest() from non-positive
numbers to 0 is better, which also benefits future programming.
Fixes: c7235be ("RFC 3161 compliant time stamp request creation, response generation and response verification.")
Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/23873)
(cherry picked from commit beb82177dd)
When using CCM, openssl speed uses the loop function EVP_Update_loop_ccm() which
sets a (fake) tag when decrypting. When using -aead (which benchmarks a different
sequence than normal, to be comparable to TLS operation), the loop function
EVP_Update_loop_aead() is used, which also sets a tag when decrypting.
However, when using defaults, the loop function EVP_Update_loop() is used, which
does not set a tag on decryption, leading to "Error finalizing cipher loop".
To fix this, set a fake tag value if we're doing decryption on an AEAD cipher in
EVP_Update_loop(). We don't check the return value: this shouldn't really be able
to fail, and if it does, the following EVP_DecryptUpdate() is almost certain to
fail, so that can catch it.
The decryption is certain to fail (well, almost certain, but with a very low
probability of success), but this is no worse than at present. This minimal
change means that future benchmarking data should be comparable to previous
benchmarking data.
(This is benchmarking code: don't write real apps like this!)
Fixes#23657
Change-Id: Id581cf30503c1eb766464e315b1f33914040dcf7
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23757)
(cherry picked from commit b3be6cc89e)
The syntax check of the -addext fails because the
X509V3_CTX is used to lookup the referenced section,
but the wrong configuration file is used, where only
a default section with all passed in -addext lines is available.
Thus it was not possible to use the subjectAltName=dirName:section
as an -addext parameter. Probably other extensions as well.
This change affects only the syntax check, the real extension
was already created with correct parameters.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23669)
(cherry picked from commit 387418893e)
Printing content of an invalid test certificate causes application crash, because of NULL dereference:
user@user:~/openssl$ openssl pkcs12 -in test/recipes/80-test_pkcs12_data/bad2.p12 -passin pass: -info
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: Segmentation fault (core dumped)
Added test cases for pkcs12 bad certificates
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23632)
(cherry picked from commit a4cbffcd89)
Return value of function 'SSL_CTX_ctrl', that is called from
SSL_CTX_set1_verify_cert_store() and SSL_CTX_set1_chain_cert_store(),
is not checked, but it is usually checked for this function.
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23647)
(cherry picked from commit 6f794b461c)
if the private key is output to stdout using the HARNESS_OSSL_PREFIX,
out is a stack of BIOs and must therefore free'd using BIO_free_all.
Steps to reproduce:
$ HARNESS_OSSL_PREFIX=x OPENSSL_CONF=apps/openssl.cnf util/shlib_wrap.sh apps/openssl req -new -keyout - -passout pass: </dev/null
[...]
Direct leak of 128 byte(s) in 1 object(s) allocated from:
#0 0x7f6f692b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7f6f686eda00 in CRYPTO_malloc crypto/mem.c:202
#2 0x7f6f686edba0 in CRYPTO_zalloc crypto/mem.c:222
#3 0x7f6f68471bdf in BIO_new_ex crypto/bio/bio_lib.c:83
#4 0x7f6f68491a8f in BIO_new_fp crypto/bio/bss_file.c:95
#5 0x555c5f58b378 in dup_bio_out apps/lib/apps.c:3014
#6 0x555c5f58f9ac in bio_open_default_ apps/lib/apps.c:3175
#7 0x555c5f58f9ac in bio_open_default apps/lib/apps.c:3203
#8 0x555c5f528537 in req_main apps/req.c:683
#9 0x555c5f50e315 in do_cmd apps/openssl.c:426
#10 0x555c5f4c5575 in main apps/openssl.c:307
#11 0x7f6f680461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: 128 byte(s) leaked in 1 allocation(s).
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23365)
(cherry picked from commit ff78d94b13)
Printing the hostname on bio_out clutters the output and breaks
pipe like forwarding via openssl.
Print the hostname via bio_err.
Fixes#23013
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23056)
(cherry picked from commit 8a1694f225)
In the event that a config file contains this sequence:
=======
openssl_conf = openssl_init
config_diagnostics = 1
[openssl_init]
oid_section = oids
[oids]
testoid1 = 1.2.3.4.1
testoid2 = A Very Long OID Name, 1.2.3.4.2
testoid3 = ,1.2.3.4.3
======
The leading comma in testoid3 can cause a heap buffer overflow, as the
parsing code will move the string pointer back 1 character, thereby
pointing to an invalid memory space
correct the parser to detect this condition and handle it by treating it
as if the comma doesn't exist (i.e. an empty long oid name)
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22957)
(cherry picked from commit a552c23c65)
At some point the asn1parse applet was changed to default the inform to
PEM, and defalt input file to stdin. Doing so broke the -genstr|conf options,
in that, before we attempt to generate an ASN1 block from the provided
genstr string, we attempt to read a PEM input from stdin. As a result,
this command:
openssl asn1parse -genstr OID:1.2.3.4
hangs because we are attempting a blocking read on stdin, waiting for
data that never arrives
Fix it by giving priority to genstr|genconf, such that, if set, will just run
do_generate on that string and exit
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22957)
(cherry picked from commit 749fcc0e3c)
The ASN1_OBJECT otmp was leaked if X509_VERIFY_PARAM_add0_policy fails.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22922)
(cherry picked from commit d6688e45fa)
The OPENSSL_DIR_end was missing in case of error.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22920)
(cherry picked from commit 01709fcb8b)
sscanf can return -1 on an empty input string. We need to appropriately
handle such an invalid case.
The instance in OSSL_HTTP_parse_url could cause an uninitialised read of
sizeof(unsigned int) bytes (typically 4). In many cases this uninit read
will immediately fail on the following check (i.e. if the read value
>65535).
If the top 2 bytes of a 4 byte unsigned int are zero then the value will
be <=65535 and the uninitialised value will be returned to the caller and
could represent arbitrary data on the application stack.
The OpenSSL security team has assessed this issue and consider it to be
a bug only (i.e. not a CVE).
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/22961)
(cherry picked from commit 322517d817)
On some systems it is too small although the system allows longer
filenames.
Fixes#22886
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22889)
(cherry picked from commit de8e0851a1)
When a provider can't return parameters, make that a warning instead of an
error, and continue to list further providers.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22866)
(cherry picked from commit 7ebaab7689)
When the CMS_ReceiptRequest cannot be created,
the rct_to and rct_from may be leaked.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22742)
(cherry picked from commit bed7a87810)
The `aarch64-linux-android33-clang` cross-compiler (v14.0.6)
complains twice about an unsupported '%n' format specifier,
preventing a successful `--strict-warnings` build:
error: '%n' specifier not supported on this platform [-Werror,-Wformat]
BIO_snprintf(buf, buflen, "%s%s%n%08x.%s%d",
This is a false positive, because BIO_snprintf() implements its
own format parsing (which is implemented in the _dopr() function).
This commit fixes the problem by rewriting the code to dispense with
the dubious '%n' format specifier. As a side-effect, the code becomes
a little bit more comprehensible and self-explaining.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22511)
(cherry picked from commit ec0d22fe15)
We should accept that many bytes without failing
Fixes#22551
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/22558)
(cherry picked from commit 74ff15e1a1)
In s_client, when using quic, if we have data from the user to write then we shouldn't
hang in "select" waiting for something to happen.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22480)
The callback that makes -debug print the data sent/received needed extending
for the new QUIC callback codes.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22480)
Setup the loopargs array for all jobs, not only for the very first one.
It may fail with "Could not allocate 0 bytes for sig sign loop" and/or will
cause the loop functions to fail silently, because they operate on a NULL
PKEY context when "-async_jobs <n>" is specified.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22399)
Free the PKEYs created for KEM and signature algorithms.
Free the encrypt/decrypt PKEY contexts for RSA.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22399)
Creating JDK compatible pkcs12 files requires a bit more than just
adding the Trusted Key Usage OID to a certbag in the pkcs12 file.
Additionally the JDK currently requires that pkcs12 files setting this
oid _not_ contain any additional keys, and in response will produce
unpredictable results.
This could be solved by implying --nokeys when the pkcs12 utility is run
and the config option is set, but thatcould confuse users who didn't
specify nokeys on the command line. As such, remove the config file
setting for this feature, and replace it with a -jdktrust command line
option, that is documented to assert nokeys when a users specifies the
new command line option.
Fixes#22215
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22422)
Call app_bail_out if RAND_bytes() fails.
Also changed the output parameter of RAND_bytes() to inp as
writing to encrypted output buffer does not make sense.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21706)
XZ-X
Tomas Mraz
FdaSilvaYY
Andreas Treichel
Marc Brooks
Neil Horman
Dr. David von Oheimb
Richard Levitte
naaysayer
Rajeev Ranjan
Jiasheng Jiang
Tom Cosgrove
Bernd Edlinger
Viliam Lejčík
MrRurikov
Matt Caswell
Frederik Wedel-Heinen
Sebastian Andrzej Siewior
Alexey Fofanov
Matthias St. Pierre
Ingo Franzki
Dr. David von Oheimb
Klavishnik