bbe4571f | 28-Aug-2024 |
Alexandr Nedvedicky |
EVP_CIPHER_CTX_get_algor_params() may attempt to access params array at position -1 (params[-1]). The issue was reported by a Coverity check. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25303)
c23ce352 | 02-Sep-2024 |
Ingo Franzki |
s390x: Fix prehash-by-caller handling for ED25519 and ED448 If prehash or prehash-by-caller is set, skip the s390x-specific acceleration and fall back to the non-accelerated code path. Fixes: 66966827740a04249300b0b25735e9d4c9bcab26 Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25351)
a75d6263 | 26-Aug-2024 |
Ingo Franzki |
s390x: Disable HMAC hardware acceleration when an engine is used for the digest The TLSProxy uses the 'ossltest' engine to produce known output for digests and HMAC calls. However, when running on a s390x system that supports hardware acceleration of HMAC, the engine is not used for calculating HMACs, but the s390x specific HMAC implementation is used, which does produce correct output, but not the known output that the engine would produce. This causes some tests (i.e. test_key_share, test_sslextension, test_sslrecords, test_sslvertol, and test_tlsextms) to fail. Disable the s390x HMAC hardware acceleration if an engine is used for the digest of the HMAC calculation. This provides compatibility for engines that provide digest implementations, and assume that these implementations are also used when calculating an HMAC. Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25287)
03b22b4d | 03-Sep-2024 |
Tomas Mraz |
Add CVE-2024-5535 to CHANGES and NEWS Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes (cherry picked from commit abcb0f83d060eb816503a6a36959ce8498a24111)

ca979e85 | 10-Jul-2024 |
Viktor Dukhovni |
Updated CHANGES and NEWS for CVE-2024-6119 fix Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (cherry picked from commit cf384d35aa7142cc3b5de19f64d3972e77d3ff74)
0890cd13 | 19-Jun-2024 |
Viktor Dukhovni |
Avoid type errors in EAI-related name check logic.

The incorrectly typed data is read only, used in a compare operation, so neither remote code execution nor memory content disclosure was possible. However, applications performing certificate name checks were vulnerable to denial of service.

The GENERAL_TYPE data type is a union, and we must take care to access the correct member, based on `gen->type`; not all the member fields have the same structure, and a segfault is possible if the wrong member field is read. The code in question was lightly refactored with the intent to make it more obviously correct.

Fixes CVE-2024-6119

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
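The defect class described in the commit message above, as an added example that is not OpenSSL's code: a constructed tagged-union name type (stand-ins for GENERAL_NAME, OTHERNAME and ASN1_STRING; the struct names, the GEN_* tags and the SMTPUTF8_ID constant are assumptions) and an e-mail name check that only dereferences the union member selected by the type field. Reading `d.ia5` for a name whose type says the live member is `d.otherName` would treat an OTHERNAME-like struct as a string, and dereferencing the resulting bogus data pointer is the kind of crash the message describes; the check below returns "no match" instead of touching the wrong member.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of a tagged-union name type, not OpenSSL's GENERAL_NAME.
 * Struct names, GEN_* tags and SMTPUTF8_ID are assumptions for this example.
 */
typedef struct {
    size_t length;
    const unsigned char *data;
} name_string;                    /* stand-in for ASN1_STRING */

typedef struct {
    int type_id;                  /* which otherName this is (an OID in ASN.1) */
    name_string *value;           /* the wrapped value */
} other_name;                     /* stand-in for OTHERNAME */

enum { GEN_OTHERNAME = 0, GEN_EMAIL = 1, GEN_DNS = 2 };
#define SMTPUTF8_ID 9             /* assumed tag for an SmtpUTF8Mailbox name */

typedef struct {
    int type;                     /* selects which union member is live */
    union {
        other_name *otherName;    /* live when type == GEN_OTHERNAME */
        name_string *ia5;         /* live when type == GEN_EMAIL or GEN_DNS */
    } d;
} general_name;                   /* stand-in for GENERAL_NAME */

/*
 * Return the string an e-mail check should compare against, or NULL when the
 * name carries no e-mail address. The buggy pattern is to read gen->d.ia5
 * unconditionally: for GEN_OTHERNAME that pointer really addresses an
 * other_name, so 'length' would come from type_id and 'data' from the value
 * pointer, and dereferencing 'data' is undefined behaviour (in practice a
 * segfault). Here only the member that gen->type names is ever touched.
 */
static const name_string *email_string(const general_name *gen)
{
    switch (gen->type) {
    case GEN_EMAIL:
        return gen->d.ia5;
    case GEN_OTHERNAME:
        if (gen->d.otherName == NULL
            || gen->d.otherName->type_id != SMTPUTF8_ID)
            return NULL;          /* a different kind of otherName */
        return gen->d.otherName->value;
    default:
        return NULL;              /* dNSName etc.: not an e-mail address */
    }
}

/* 1 if gen names exactly addr (byte-for-byte, a constructed rule), else 0. */
int email_matches(const general_name *gen, const char *addr)
{
    const name_string *s = email_string(gen);
    size_t n = strlen(addr);

    if (s == NULL || s->data == NULL)
        return 0;
    return s->length == n && memcmp(s->data, addr, n) == 0;
}

/* Constructed test data: one address, presented as four different names. */
static const unsigned char ADDR[] = "user@example.com";
static name_string ADDR_STR = { sizeof(ADDR) - 1, ADDR };

int case_rfc822name(void)         /* rfc822Name holding the address: match */
{
    general_name gen = { GEN_EMAIL, { .ia5 = &ADDR_STR } };
    return email_matches(&gen, "user@example.com");
}

int case_smtputf8_othername(void) /* SmtpUTF8Mailbox otherName: match */
{
    other_name on = { SMTPUTF8_ID, &ADDR_STR };
    general_name gen = { GEN_OTHERNAME, { .otherName = &on } };
    return email_matches(&gen, "user@example.com");
}

int case_foreign_othername(void)  /* some other otherName kind: no match */
{
    other_name on = { SMTPUTF8_ID + 1, &ADDR_STR };
    general_name gen = { GEN_OTHERNAME, { .otherName = &on } };
    return email_matches(&gen, "user@example.com");
}

int case_dnsname(void)            /* dNSName, wrong name type: no match */
{
    general_name gen = { GEN_DNS, { .ia5 = &ADDR_STR } };
    return email_matches(&gen, "user@example.com");
}

int main(void)
{
    printf("rfc822Name        -> %d\n", case_rfc822name());
    printf("SmtpUTF8Mailbox   -> %d\n", case_smtputf8_othername());
    printf("foreign otherName -> %d\n", case_foreign_othername());
    printf("dNSName           -> %d\n", case_dnsname());
    return 0;
}
```

The point is the dispatch in `email_string`: the type tag, not the caller's expectation, decides which union member is read, and every path that cannot produce a string returns NULL rather than reinterpreting memory.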
56502897 | 30-Aug-2024 |
Tomas Mraz |
Add CHANGES.md and NEWS.md updates for the 3.4 release Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/25339)
01f4b44e | 01-Sep-2024 |
Brad Smith |
Add support for elf_aux_info() on OpenBSD CLA: trivial Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25346)
16e7da09 | 30-Aug-2024 |
Theo Buehler |
Missing .rodata for AVX2/AVX512 codepaths This is a follow-up to #23997 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25340)
c94d13a0 | 29-Jul-2024 |
Adam (ThinLinc team) <146726448+CendioHalim@users.noreply.github.com> |
Detect MinGW 32 bit for NO_INTERLOCKEDOR64 Builds using 32 bit MinGW will fail, due to the same reasoning described in commit 2d46a44ff24173d2cf5ea2196360cb79470d49c7. CLA: trivial Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25025)
d5b3c0e2 | 28-Aug-2024 |
Ingo Franzki |
s390x: Fix HMAC digest detection Use EVP_MD_is_a() instead of EVP_MD_get_type() to detect the digest type. EVP_MD_get_type() does not always return the expected NID, e.g. when running in the FIPS provider, EVP_MD_get_type() returns zero, causing the HMAC acceleration path to be skipped. Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25304)
0cd9dd70 | 21-Aug-2024 |
Viktor Dukhovni |
Improve base64 BIO correctness and error reporting

Also improve related documentation.

- The BIO_FLAGS_BASE64_NO_NL flag did not behave as advertised; only leading and trailing, but not internal, whitespace was supported:

    $ echo 'AA AA' | openssl base64 -A -d | wc -c
    0

- Switching from ignored leading input to valid base64 input misbehaved when the length of the skipped input was one more than the length of the second and subsequent valid base64 lines in the internal 1k buffer:

    $ printf '#foo\n#bar\nA\nAAA\nAAAA\n' | openssl base64 -d | wc -c
    0

- When the underlying BIO is retriable, and a read returns less than 1k of data, some of the already buffered input lines that could have been decoded and returned were retained internally for a retry by the caller. This is somewhat surprising, and the new code decodes as many of the buffered lines as possible. Issue reported by Michał Trojnara.

- After all valid data has been read, the next BIO_read(3) should return 0 when the input was all valid or -1 if an error was detected. This now occurs more consistently, but further tests and code refactoring may be needed to ensure this always happens.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25253)
d1c2c054 | 28-Aug-2024 |
Richard Levitte |
fix: ossl_digest_get_approved_nid() returns NID_undef on invalid digest We checked using 'md_nid < 0', which is faulty. Impact: DSA and ECDSA signature provider implementations Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24992)
f68ba38e | 24-Jul-2024 |
Richard Levitte |
Refactor OpenSSL 'ECDSA' EVP_SIGNATURE to also include ECDSA+hash composites Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24992)
bb2be4f0 | 24-Jul-2024 |
Richard Levitte |
Refactor OpenSSL 'DSA' EVP_SIGNATURE to also include DSA+hash composites (in the code, "sigalg" is used to refer to these composite algorithms, which is a nod to libcrypto and libssl, where that term is commonly used for composite algorithms) Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24992)
c6c6af18 | 30-Aug-2024 |
Pauli |
endecode_test.c: Fix !fips v3.0.0 check The fips_provider_version_* functions return true if the FIPS provider isn't loaded. This is somewhat counterintuitive and the fix in #25327 neglected this nuance resulting in not running the SM2 tests when the FIPS provider wasn't being loaded. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25331)
15b74849 | 28-Aug-2024 |
Richard Levitte |
exporters for pkg-config: align with the changes for CMake The latest CMake exporter changes reworked the variables in builddata.pm and installdata.pm. Unfortunately, the pkg-config exporter templates were forgotten in that effort. Fixes #25299 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25308)
0b97a550 | 29-Aug-2024 |
Tomas Mraz |
endecode_test.c: Avoid running the SM2 tests with 3.0.0 FIPS provider Fixes #25326 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25327)
b4e4bf29 | 28-Aug-2024 |
Viktor Dukhovni |
Check for excess data in CertificateVerify As reported by Alicja Kario, we ignored excess bytes after the signature payload in TLS CertificateVerify Messages. These should not be present. Fixes: #25298 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25302)
25f5d7b8 | 29-Feb-2024 |
Joerg Schmidbauer |
s390x: support CPACF sha3/shake performance improvements On newer machines the SHA3/SHAKE performance of CPACF instructions KIMD and KLMD can be enhanced by using additional modifier bits. This allows the application to omit initializing the ICV, but also affects the internal processing of the instructions. Performance is mostly gained when processing short messages. The new CPACF feature is backwards compatible with older machines, i.e. the new modifier bits are ignored on older machines. However, to save the ICV initialization, the application must detect the MSA level and omit the ICV initialization only if this feature is supported. Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25235)
6772c2ab | 28-Aug-2024 |
Clemens Lang |
doc: Document properties param for Argon2 KDF The Argon2 KDF uses OSSL_KDF_PARAM_PROPERTIES to fetch implementations of blake2bmac and blake2b512 if ctx->mac and ctx->md are NULL. This isn't documented in the manpage, so users that might, for example, want to fetch an instance of Argon2 with the -fips property query to obtain a working Argon2 KDF even though the default property query requires fips=yes are left wondering why this fails. Fortunately, EVP_KDF(3)/PARAMETERS already explains what the properties are used for, so we really just need to add a single line. Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25306)
80008d4a | 25-Aug-2024 |
erbsland-dev |
Refactor and Enhance Compression Field Testing

Fixes #7940: Enhances the existing test for compression methods in the ClientHello message, aligning with RFC 8446 specifications. Refactored the test code to improve modularity and maintainability, making it easier to extend and modify in the future. Added checks for the appropriate alerts, ensuring that `SSL_AD_ILLEGAL_PARAMETER` or `SSL_AD_DECODE_ERROR` are correctly triggered as per the RFC 8446 guidelines.

Expanded Test Coverage: Introduced additional test cases to cover scenarios involving:
- Lists of unknown compression methods
- Absence of any compression method
- Validation of a single null compression method, which should always succeed.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25255)
c026101b | 21-Aug-2024 |
erbsland-dev |
Correct Alert Handling for Missing Compression Methods Fixes #7940: Updated the compression check logic to improve protocol compliance. The code now returns `SSL_AD_DECODE_ERROR` when no compression method is provided in the ClientHello message. It returns `SSL_AD_ILLEGAL_PARAMETER` if the “null” compression method (0x00) is missing. Additionally, refactored the related test code for enhanced readability and maintainability. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25255)
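Two of the handshake checks in this log, the compression-methods alert rules from the commit above and the CertificateVerify excess-data check from commit b4e4bf29 further up, as an added example that is not OpenSSL's code. It uses a small bounded reader of its own (a stand-in for OpenSSL's PACKET; an assumption) and returns the TLS alert description number instead of raising an alert. The empty-vector and missing-null rules are the ones the commit message states; the stricter TLS 1.3 rule, that the vector must be exactly one byte 0x00 (RFC 8446 section 4.1.2), goes beyond the commit text. The CertificateVerify bodies are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>

/* TLS alert descriptions (RFC 8446 section 6) used as return values. */
#define CHECK_OK              0
#define AD_ILLEGAL_PARAMETER 47
#define AD_DECODE_ERROR      50

/* Minimal bounded reader; a stand-in for OpenSSL's PACKET (assumption). */
typedef struct {
    const unsigned char *cur;
    size_t remaining;
} reader;

static int read_u8(reader *r, unsigned int *v)
{
    if (r->remaining < 1) return 0;
    *v = r->cur[0];
    r->cur += 1; r->remaining -= 1;
    return 1;
}

static int read_u16(reader *r, unsigned int *v)
{
    if (r->remaining < 2) return 0;
    *v = ((unsigned int)r->cur[0] << 8) | r->cur[1];
    r->cur += 2; r->remaining -= 2;
    return 1;
}

static int read_bytes(reader *r, size_t n, const unsigned char **p)
{
    if (r->remaining < n) return 0;
    *p = r->cur;
    r->cur += n; r->remaining -= n;
    return 1;
}

/*
 * ClientHello legacy_compression_methods<1..2^8-1>; buf points at the
 * one-byte length prefix.  Rules:
 *   - no method at all (empty or truncated vector) -> decode_error
 *   - methods present but none of them is 0x00     -> illegal_parameter
 *   - TLS 1.3 only: anything but exactly [0x00]     -> illegal_parameter
 * Unknown methods next to 0x00 are tolerated for TLS 1.2 and earlier.
 */
int check_compression_methods(const unsigned char *buf, size_t len, int tls13)
{
    reader r = { buf, len };
    unsigned int n, i;
    const unsigned char *methods;
    int has_null = 0;

    if (!read_u8(&r, &n) || !read_bytes(&r, n, &methods) || n == 0)
        return AD_DECODE_ERROR;
    for (i = 0; i < n; i++)
        if (methods[i] == 0)
            has_null = 1;
    if (!has_null || (tls13 && n != 1))
        return AD_ILLEGAL_PARAMETER;
    return CHECK_OK;
}

/*
 * TLS 1.3 CertificateVerify body: SignatureScheme (u16) then
 * signature<0..2^16-1>.  Bytes left over after the signature vector are a
 * protocol violation and are rejected with decode_error.
 */
int parse_certificate_verify(const unsigned char *buf, size_t len,
                             unsigned int *scheme,
                             const unsigned char **sig, size_t *sig_len)
{
    reader r = { buf, len };
    unsigned int n;

    if (!read_u16(&r, scheme) || !read_u16(&r, &n) || !read_bytes(&r, n, sig))
        return AD_DECODE_ERROR;
    *sig_len = n;
    if (r.remaining != 0)
        return AD_DECODE_ERROR;   /* excess data after the signature */
    return CHECK_OK;
}

/* Constructed bodies: scheme 0x0804 (rsa_pss_rsae_sha256) and a 3-byte dummy
 * signature, once clean and once followed by one stray byte. */
static const unsigned char CV_CLEAN[]    = { 0x08, 0x04, 0x00, 0x03, 0xaa, 0xbb, 0xcc };
static const unsigned char CV_TRAILING[] = { 0x08, 0x04, 0x00, 0x03, 0xaa, 0xbb, 0xcc, 0x00 };

int demo_certificate_verify(int with_trailing_byte)
{
    const unsigned char *msg = with_trailing_byte ? CV_TRAILING : CV_CLEAN;
    size_t len = with_trailing_byte ? sizeof(CV_TRAILING) : sizeof(CV_CLEAN);
    unsigned int scheme;
    const unsigned char *sig;
    size_t sig_len;

    return parse_certificate_verify(msg, len, &scheme, &sig, &sig_len);
}

int main(void)
{
    const unsigned char only_null[] = { 0x01, 0x00 };
    const unsigned char no_null[]   = { 0x02, 0x01, 0x02 };

    printf("[0x00] TLS1.3  -> %d\n", check_compression_methods(only_null, 2, 1));
    printf("[1,2]  TLS1.2  -> %d\n", check_compression_methods(no_null, 3, 0));
    printf("CertVerify     -> %d / %d\n", demo_certificate_verify(0), demo_certificate_verify(1));
    return 0;
}
```

Both checks share the same discipline: every read is bounded, a short vector is a decode error rather than an over-read, and a length field that says "done" is verified against the bytes actually remaining.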
66966827 | 24-Jul-2024 |
Richard Levitte |
Add ED25519 and ED448 support for EVP_PKEY_{sign,verify}_init_ex2() In this mode, only the ph instances are supported, and must be set explicitly through a parameter. The caller is assumed to pass a prehash to EVP_PKEY_{sign,verify}(). Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24975)
1751334f | 02-Feb-2024 |
Richard Levitte |
Refactor OpenSSL 'EdDSA' EVP_SIGNATURE to allow use with EVP_PKEY functions Add EVP_PKEY_{sign,verify}_message support for our Ed25519 and Ed448 implementations, including ph and ctx variants. Tests are added with test_evp stanzas. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24975)