We allocate an EC_POINT with EC_POINT_new here, but in failing a
subsequent check, we don't free it, correct that.
Fixes#26779
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26799)
(cherry picked from commit 20a2f3beba)
Updated snprintf to BIO_snprintf for consistency with previous changes. #24008
CLA: trivial
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26749)
(cherry picked from commit aa6b7ac875)
The "openssl speed -testmode -seconds 1 -bytes 1 aes-128-cbc" test
revealed that the assembly code is crashing if length is less than 16.
The code shifts the provided length by 4 and than subtracts one until
the length hits zero. If it was already zero then it underflows the
counter and continues until it segfaults on reading or writing.
Replace the check against 0 with less than 15.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25637)
(cherry picked from commit c71c65b922)
We were using the first (or second) argument containing a '.' as the
output name file, but it may be incorrect as -march=la64v1.0 may be in
the command line. If the builder specifies -march=la64v1.0 in the
CFLAGS, the script will write to a file named "-march=la64v1.0" and
cause a build error with cryptic message:
ld: crypto/pem/loader_attic-dso-pvkfmt.o: in function `i2b_PVK':
.../openssl-3.4.1/crypto/pem/pvkfmt.c:1070:(.text+0x11a8): undefined reference to `OPENSSL_cleanse'
Adapt the approach of ARM and RISC-V (they have similar flags like
-march=v8.1-a or -misa-spec=2.2) to fix the issue.
Signed-off-by: Xi Ruoyao <xry111@xry111.site>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26717)
(cherry picked from commit f48c14e94e)
Running this test on heavily loaded systems may cause the SSL_read_ex() to
take more than 20ms, due to concurrent workload.
Increase the timeout to 40ms to allow a little bit more time.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26693)
(cherry picked from commit 0e93f64723)
A bug existed where provider added cert algorithms caused a crash when
they were configured via a config file. We add a test for this scenario.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26663)
(cherry picked from commit e2bfb61f61)
A crash could occur when attempting to configure a certificate via a
config file, where the algorithm for the certificate key was added
dynamically via a provider.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26663)
(cherry picked from commit 9cbaa8763c)
- The signature algorithms are already loaded in SSL_CTX_new()
- Calling ssl_load_sigalgs() again is non-productive, and does
not look thread safe.
- And of course avoiding the call is cheaper.
- Also fix broken loop test in ssl_cert_lookup_by_pkey()
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26671)
(cherry picked from commit 3252fe646b)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(cherry picked from commit 3908f0dda6)
While RPK performs X.509 checks correctly, at the SSL layer the
SSL_VERIFY_PEER flag was not honoured and connections were allowed to
complete even when the server was not verified. The client can of
course determine this by calling SSL_get_verify_result(), but some
may not know to do this.
Added tests to make sure this does not regress.
Fixes CVE-2024-12797
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(cherry picked from commit 87ebd203fe)
With MSVC v143, C++ Clang Compiler for Windows (18.1.8) there are
many errors similar to:
crypto\aes\libcrypto-lib-aesv8-armx.obj.asm:3795:7: error: unknown token in expression
ld1 {v2.16b},[x0],#16
CLA: trivial
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26603)
(cherry picked from commit becc0078f8)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26541)
(cherry picked from commit 39cd63bdc9)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/25923)
Fixes#26521
CLA: trivial
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26523)
(cherry picked from commit b6f2ff9363)
Variables tntmp and tnst are declared in the same declaration and thus
share storage class specifiers (static). This is unfortunate as tntmp is
used during iteration through tnst array and shouldn't be static.
In particular this leads to two problems that may arise when multiple
threads are executing asn1_str2tag() concurrently:
1. asn1_str2tag() might return value that doesn't correspond to tagstr
parameter. This can happen if other thread modifies tntmp to point to
a different tnst element right after a successful name check in the
if statement.
2. asn1_str2tag() might perform an out-of-bounds read of tnst array.
This can happen when multiple threads all first execute tntmp = tnst;
line and then start executing the loop. If that case those threads
can end up incrementing tntmp past the end of tnst array.
CLA: trivial
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26504)
(cherry picked from commit 7262c0bcc4)
Use mac_gen_cleanup() instead of just freeing the gctx.
Fixes Coverity 1638702
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/26500)
(cherry picked from commit 2455ef2112)
Otherwise doublefree happens with further usage.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/26488)
(cherry picked from commit 901b108154)
This adds missing GMT indication when printing the local time as
it is converted to the UTC timezone before printing.
Also fixing the fractional seconds printing on EBCDIC platforms.
Fixes#26313
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26344)
(cherry picked from commit c81ff97866)
When `-naccept` is passed (i.e with `s_server`), the listening socket remains open while handling
client, even after `naccept` is supposed to reach `0`.
This is caused to to the decrementation of `naccept` and closing of the socket
happening a little too late in the `do_server` function.
Signed-off-by: Nadav Tasher <tashernadav@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26228)
(cherry picked from commit 113c12ee8c)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26429)
(cherry picked from commit c3144e1025)
There is a timing signal of around 300 nanoseconds when the top word of
the inverted ECDSA nonce value is zero. This can happen with significant
probability only for some of the supported elliptic curves. In particular
the NIST P-521 curve is affected. To be able to measure this leak, the
attacker process must either be located in the same physical computer or
must have a very fast network connection with low latency.
Attacks on ECDSA nonce are also known as Minerva attack.
Fixes CVE-2024-13176
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26429)
(cherry picked from commit 63c40a66c5)
(cherry picked from commit 392dcb3364)
flag, it will сrash to X509_up_ref. Passing NULL here is not valid,
return 0 if cert == NULL.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26267)
(cherry picked from commit 3c7db9e0fd)
This drops OSSL_PKEY_PARAM_IMPLICIT_REJECTION - which is a meaningless
name - everywhere apart from still existing (for API stability, in
case someone uses that macro).
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26421)
(cherry picked from commit 1df07c761b)
1064616012 introduced and optimized RSA NEON implementation
for AArch64 architecture, namely Cortex-A72 and Neoverse N1.
This implementation is broken in Big Endian mode, which is not
widely used, therefore not properly verified.
Here we disable this optimized implementation when Big Endian
platform is used.
Fixes: #22687
CLA: trivial
Signed-off-by: Nikolay Nikolaev <nicknickolaev@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26257)
(cherry picked from commit b26894ec69)
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26389)
(cherry picked from commit 0b1d3ebb70)
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26389)
(cherry picked from commit 5b81f942d5)
In this test there is a random test output corruption.
`make test TESTS=test_evp_pkey_provided V=1` has some random output,
that can with a certain probability start a line with "ok" or so:
# Setting up a OSSL_ENCODER context with passphrase
# Testing with no encryption
jLixONcRPi/m64CGie4KKKDuGeTjtYwfima3BNYCGlgbLGeK3yYxBfZb9JjviOJ4
# nHaNsRsONTAKyg==
This happens because large random data is output to bio_out
but some data remains buffered, and then test_note() is used to print
some comments on the bio_err file. This causes output corruption that
confuses the TAP parser.
Fix that by flushing any pending output with test_flush_stdout() first.
Fixes#23992
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26383)
(cherry picked from commit c37f564bb8)
la.pcrel
openssl will not be built successfully with binutils-2.43.50.20241230
which checks if global symbols are accessed by PC-relative in shared
library.
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26336)
(cherry picked from commit dd7a79fc6f)
output to stderr is unbuffered bypassing the normal output, which does
not happen at line boundaries and is therefore confusing the TAP parser.
This is known to cause random test failures like this one:
80-test_cmp_http.t (Wstat: 0 Tests: 5 Failed: 0)
Parse errors: Tests out of sequence. Found (6) but expected (5)
Bad plan. You planned 6 tests but ran 5.
Fixes#23992
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26363)
(cherry picked from commit 37a954e5c3)
Some (non-AEAD) ciphers require an IV to be used. Always pass a (dummy) IV
when setting the key. It is ignored by ciphers that do not use an IV.
Commit 607a46d003 corrected the use of AEAD
ciphers, but removed the IV from being passed to EVP_CipherInit_ex() for
non-AEAD ciphers.
Fixes: 607a46d003
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26346)
(cherry picked from commit b8028d4890)
Builds may be configured with CC or CFLAGS containing space and
double quotes. In particular on Windows, this may lead to passing
more than two arguments into mkbuildinf.pl.
In addition, backslashes must be escaped for constructing the C string.
Fixes#26253.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26315)
(cherry picked from commit e87a3473fd)
Bernd Edlinger
Shakti Shah
Burkov Egor
Neil Horman
Kim, Hyuk
Sebastian Andrzej Siewior
Xi Ruoyao
Ingo Franzki
Matt Caswell
Viktor Dukhovni
openssl-machine
Viktor Dukhovni
Auto Vincent
Dmitry Misharov
Richard Levitte
Dr. David von Oheimb
Mae
Stas Cymbalov
Tomas Mraz
Michael Baentsch
Nadav Tasher
otherddn1978
Nikolay Nikolaev
Peter Bierma
Tom Fay
Tom Cosgrove
Wang Xin
Alicja Kario
Kai Pastor