History log of /openssl/ (Results 1901 – 1925 of 36054)
Revision Date Author Comments
d7329913 23-Oct-2023 Tomas Mraz

quic_tserver_test: Raise the initial timeout limit

There were intermittent failures on the test occasionally and
1s initial limit might be too short.

Fixes #22424

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22475)

8b268541 16-Oct-2023 Clemens Lang

rsa: Add SP800-56Br2 6.4.1.2.1 (3.c) check

The code did not yet check that the length of the RSA key is positive
and even.

Signed-off-by: Clemens Lang <cllang@redhat.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/22403)

df5f419b 16-Oct-2023 Ingo Franzki

speed: Correct handling of async_jobs for KEM and signature algos

Set up the loopargs array for all jobs, not only for the very first one.

It may fail with "Could not allocate 0 bytes for sig sign loop" and/or will
cause the loop functions to fail silently, because they operate on a NULL
PKEY context when "-async_jobs <n>" is specified.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22399)

4e09305e 16-Oct-2023 Ingo Franzki

speed: Fix memory leaks

Free the PKEYs created for KEM and signature algorithms.
Free the encrypt/decrypt PKEY contexts for RSA.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22399)

66f4782f 20-Mar-2023 slontis

Create hierarchical demo Makefile.

Adds a Makefile with all, clean, and test targets.
This has only been added for demos that already contain Makefiles.
For problematic tests that require inputs, the test target does nothing.

(Note: Demos should be self-contained and not require unknown external
inputs. This PR does not attempt to fix this.)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20546)

dbbdb940 23-Oct-2023 Matt Caswell

Add a test for retries when sending app data

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22473)

b9b9f488 23-Oct-2023 Matt Caswell

Make sure we remember how much data we sent in the event of a retry

If a retry occurs we need to reset s->rlayer.wnum so that next time around
we remember how much data we already sent.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22473)

86e11b1e 20-Oct-2023 Matt Caswell

When requeueing deferred URXEs retain the order

If a URXE cannot be processed yet then we add it to the urx_deferred list.
Later, when they can be processed, we requeue them in the urx_pending list.

We must not reverse the order when doing so. We want to process the URXEs
in the order that they were received.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22452)

acf95129 16-Oct-2023 Hugo Landau

Adjust mdl configuration

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22405)

514430c3 16-Oct-2023 Hugo Landau

Add QUIC README file

26f75c2d 20-Oct-2023 Nate Karstens

Add notes on use of strdup

Added notes to OPENSSL_INIT_set_config_filename and
OPENSSL_INIT_set_config_appname explaining why strdup
is used instead of OPENSSL_strdup.

CLA: trivial

Co-authored-by: Jean Apolo <jean.apolo@garmin.com>
Signed-off-by: Jean Apolo <jean.apolo@garmin.com>
Signed-off-by: Nate Karstens <nate.karstens@garmin.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21742)

a2fe10ca 05-Oct-2023 Pauli

test: add unit test for CVE-2023-5363

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

1e6e682a 05-Oct-2023 Pauli

changes and news entries for CVE-2023-5363

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

f3a7e6c0 05-Oct-2023 Pauli

evp: process key length and iv length early if present

evp_cipher_init_internal() takes a params array argument and this is processed
late in the initialisation process for some ciphers (AEAD ones).

This means that changing the IV length as a parameter will either truncate the
IV (very bad if SP 800-38d section 8.2.1 is used) or grab extra uninitialised
bytes.

Truncation is very bad if SP 800-38d section 8.2.1 is being used to
construct a deterministic IV. This leads to an instant loss of confidentiality.

Grabbing extra bytes isn't so serious, it will most likely result in a bad
decryption.

Problem reported by Tony Battersby of Cybernetics.com but earlier discovered
and raised as issue #19822.

Fixes CVE-2023-5363
Fixes #19822

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

0bf18140 19-Oct-2023 Tomas Mraz

Fix Coverity 1547856: memset() uses only the lowest byte of c

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/22430)

7998e7dc 15-Oct-2023 Matthias St. Pierre

rand: fix seeding from a weak entropy source

The 'rand_generate' method is not well suited for being used with
weak entropy sources in the 'get_entropy' callback, because the
caller needs to provide a preallocated buffer without knowing
how many bytes are actually needed to collect the required entropy.

Instead we use the 'rand_get_seed' and 'rand_clear_seed' methods
which were exactly designed for this purpose: it's the callee who
allocates and fills the buffer, and finally cleans it up again.

The 'rand_get_seed' and 'rand_clear_seed' methods are currently
optional for a provided random generator. We could fall back to
using 'rand_generate' if those methods are not implemented.
However, imo it would be better to simply make them an officially
documented requirement for seed sources.

Fixes #22332

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22394)

0a8faac3 11-Oct-2023 Richard Levitte

rand: improve error message for rand pool overflows

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22394)

fac61ea4 23-Oct-2023 Tomas Mraz

quic_record, quicapi, and quicfaults tests do not support fuzzing builds

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22472)

bde54110 19-Oct-2023 Tomas Mraz

run-checker-daily.yml: If the openssl app is not built do not run it

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22443)

f2c2857a 19-Oct-2023 Matt Caswell

Don't run the QUIC client fuzzer if QUIC is disabled

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22368)

49f5d95c 19-Oct-2023 Matt Caswell

Update the corpora files to include the new quic-client subdir

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22368)

27d88270 16-Oct-2023 Matt Caswell

Further tweaks to the CI runs for fuzzing

Have a new job just to run the fuzz tests with fuzzing build mode enabled.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22368)

9252efdb 16-Oct-2023 Matt Caswell

Teach the quic-client fuzzer about time

We allow the fuzzer to influence the time between different packets using
the fake time capability.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22368)

d8a4451f 13-Oct-2023 Matt Caswell

If an error occurs constructing the quic record layer, free it properly

We need to call quic_free() to free the record layer to ensure that any
BIO that was already set is also freed.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22368)

d8bf5ea1 13-Oct-2023 Matt Caswell

Drop FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION for some builds

Some builds that weren't doing fuzzing were defining this which makes no
sense and is not appropriate for non-fuzzing builds.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22368)
