3fc2b7d6 | 09-Mar-2023 |
Simo Sorce |
Add a flag so finalised contexts are not reused

The EVP layer should not rely on the underlying low level code to handle catching incorrect reuse of contexts. Add a flag to mark a context as finalised as needed and then catch and immediately error on Update/Final operations if called improperly.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20375)
|
f3c0dd4f | 06-Mar-2023 |
Simo Sorce |
Add test for context duplication failure

This checks that the first operation successfully completes even if context duplication fails. But following operations get errors as if the context was finalised.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20375)
|
0fc00fc0 | 24-Feb-2023 |
Simo Sorce |
Do not fail if ctx dup does not succeed

If the ctx was *really* needed we'll probably fail later with an error anyway, so no point in failing immediately. Document that this behavior is dependent on the provider used to implement the signature/verification.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20375)
|
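The three commits above describe one mechanism: the EVP wrapper layer marks a context finalised and refuses further Update/Final calls itself rather than relying on the low-level code, and a failed context duplication lets the first operation finish but leaves the context in that same finalised state. The following C program is an added illustration of that behaviour and is not OpenSSL code; the toy_* names, the flag value and the checksum that stands in for the provider-side state are all assumptions.

```c
/*
 * Added example, not OpenSSL code: a toy digest-style context whose wrapper
 * layer carries a "finalised" flag.  The low-level state is a made-up
 * checksum (an assumption standing in for a provider context).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { TOY_CTX_FINALISED = 0x01 };

typedef struct {
    uint32_t sum;               /* toy low-level state */
} toy_md_state;

typedef struct {
    toy_md_state *st;           /* the "provider" side of the context */
    int flags;                  /* wrapper-layer bookkeeping */
} toy_md_ctx;

/* Update refuses a finalised context before any low-level code runs. */
static int toy_update(toy_md_ctx *ctx, const unsigned char *data, size_t len)
{
    size_t i;

    if (ctx->flags & TOY_CTX_FINALISED)
        return 0;
    for (i = 0; i < len; i++)
        ctx->st->sum = ctx->st->sum * 31u + data[i];
    return 1;
}

/* Final emits the result and marks the context so later calls fail. */
static int toy_final(toy_md_ctx *ctx, uint32_t *out)
{
    if (ctx->flags & TOY_CTX_FINALISED)
        return 0;
    *out = ctx->st->sum;
    ctx->flags |= TOY_CTX_FINALISED;
    return 1;
}

/*
 * One-shot operation that normally works on a duplicate so the caller's
 * context stays reusable.  If duplication fails (simulated by dup_fails),
 * the operation still completes on the original, which is then marked
 * finalised so the next use errors instead of reusing consumed state.
 */
static int toy_oneshot(toy_md_ctx *ctx, const unsigned char *data, size_t len,
                       uint32_t *out, int dup_fails)
{
    toy_md_state copy;
    toy_md_ctx work;

    if (ctx->flags & TOY_CTX_FINALISED)
        return 0;
    work.flags = 0;
    if (dup_fails) {
        work.st = ctx->st;               /* consume the original ... */
        ctx->flags |= TOY_CTX_FINALISED; /* ... and close it off */
    } else {
        copy = *ctx->st;                 /* work on a private copy */
        work.st = &copy;
    }
    return toy_update(&work, data, len) && toy_final(&work, out);
}

/* Scenario helpers: each returns 1 when the wrapper behaves as described. */
static int scenario_reuse_after_final(void)
{
    toy_md_state st = { 0 };
    toy_md_ctx ctx = { &st, 0 };
    const unsigned char msg[] = "ab";
    uint32_t out = 0;

    if (!toy_update(&ctx, msg, 2) || !toy_final(&ctx, &out) || out != 3105u)
        return 0;                        /* 'a' * 31 + 'b' == 3105 */
    /* Both must now be refused by the wrapper, not by the low-level code. */
    return toy_update(&ctx, msg, 2) == 0 && toy_final(&ctx, &out) == 0;
}

static int scenario_oneshot(int dup_fails)
{
    toy_md_state st = { 0 };
    toy_md_ctx ctx = { &st, 0 };
    const unsigned char msg[] = "ab";
    uint32_t first = 0, second = 0;

    /* The first operation completes whether or not the dup worked. */
    if (!toy_oneshot(&ctx, msg, 2, &first, dup_fails) || first != 3105u)
        return 0;
    if (dup_fails)   /* original was consumed: the second call errors out */
        return toy_oneshot(&ctx, msg, 2, &second, dup_fails) == 0;
    /* dup worked: the context is reusable and gives the same answer */
    return toy_oneshot(&ctx, msg, 2, &second, dup_fails) == 1 && second == first;
}

int main(void)
{
    printf("reuse after final refused: %d\n", scenario_reuse_after_final());
    printf("one-shot with working dup: %d\n", scenario_oneshot(0));
    printf("one-shot with failed dup:  %d\n", scenario_oneshot(1));
    return 0;
}
```

The point of keeping the flag in the wrapper struct rather than in the provider state is visible in toy_update and toy_final: the refusal happens before the low-level pointer is dereferenced, so a provider that does not defend against reuse is never reached with a consumed context.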
dba97d4c | 01-Mar-2023 |
Matt Caswell |
Improve the performance of d2i_AutoPrivateKey and friends

Probe first to see if we have a PKCS8 file to improve decoder performance.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20416)
|
fe52208c | 06-Mar-2023 |
Tobias Nießen |
Document remaining obsolete SSL_OP_NETSCAPE_*_BUG

SSL_OP_NETSCAPE_CA_DN_BUG became obsolete in 3c33c6f6b1086435 and support for SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG was removed by 7a4dadc3a6a487db. The definitions are still listed under "OBSOLETE OPTIONS retained for compatibility" in ssl.h.in, so this commit adds them to the list of obsolete options in doc/man3.

Refs: https://github.com/nodejs/node/pull/46954

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20443)
|
c09c202e | 07-Mar-2023 |
ndossche |
Add missing assignment to EVP_get_digestbynid()

The assignment of the result of EVP_get_digestbynid() did not happen which made the fallback not actually perform the fallback.

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20447)
|
1caa4835 | 27-Feb-2023 |
Dr. David von Oheimb |
doc/man3/X509_STORE_CTX_get_error.pod: make order consistent, add some missing entries

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20450)
|
6d45fd47 | 08-Mar-2023 |
afshinpir |
Segmentation fault in parent rng cleanup

CLA: trivial

When `cleanup_entropy()` is called to cleanup parent by calling provided `OSSL_FUNC_rand_clear_seed_fn` method, incorrect random context is passed to the method. So accessing that context creates a segmentation fault. Parent context should be passed rather than DRBG's own context.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20454)
|
a3207163 | 08-Mar-2023 |
afshinpir |
Updated `rsa_has()` for correct validation

CLA: trivial

In RSA, `(n,e)` and `(n,d)` identify public key and private key. Modulus `n` is the common part. So I updated `rsa_has()` to validate these pairs correctly. `OSSL_KEYMGMT_SELECT_KEYPAIR` is common part for both public and private key, so I changed it to check `n` of RSA and for `OSSL_KEYMGMT_SELECT_PUBLIC_KEY`, `e` is checked. Before this change, if `selection` was `OSSL_KEYMGMT_SELECT_PRIVATE_KEY` and only `e` and `d` were in the RSA structure, the function returned 1, which was incorrect.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20455)
|
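As an added example (not the project's own code), the selection logic the commit above describes, written against a toy key record: a keypair selection of either kind needs the modulus n, a public-key selection additionally needs e, and a private-key selection additionally needs d, so a record holding only e and d is not a private key. The SEL_* constants and toy_* names are assumed stand-ins for OSSL_KEYMGMT_SELECT_* and the RSA_get0_n/e/d() accessors; only the presence or absence of each component is modelled.

```c
/*
 * Added example, not OpenSSL code: the corrected rsa_has() selection rules
 * applied to a toy key record.  SEL_* values are illustrative, not the
 * real OSSL_KEYMGMT_SELECT_* values; pointers are only tested for NULL.
 */
#include <stddef.h>
#include <stdio.h>

#define SEL_PRIVATE_KEY 0x01
#define SEL_PUBLIC_KEY  0x02
#define SEL_KEYPAIR     (SEL_PRIVATE_KEY | SEL_PUBLIC_KEY)

typedef struct {
    const char *n;   /* modulus, shared by both halves of the key pair */
    const char *e;   /* public exponent */
    const char *d;   /* private exponent */
} toy_rsa;

/*
 * Any KEYPAIR bit requires n; PUBLIC_KEY additionally requires e;
 * PRIVATE_KEY additionally requires d.  A record with only e and d is
 * rejected for PRIVATE_KEY, the case the commit message calls out.
 */
static int toy_rsa_has(const toy_rsa *rsa, int selection)
{
    int ok = 1;

    if (rsa == NULL)
        return 0;
    if ((selection & SEL_KEYPAIR) == 0)
        return 1;                    /* nothing key-related was asked for */
    ok = ok && rsa->n != NULL;
    if (selection & SEL_PUBLIC_KEY)
        ok = ok && rsa->e != NULL;
    if (selection & SEL_PRIVATE_KEY)
        ok = ok && rsa->d != NULL;
    return ok;
}

/* Constructed sample records (string contents are placeholders). */
static const toy_rsa toy_full   = { "n", "e", "d" };
static const toy_rsa toy_pub    = { "n", "e", NULL };
static const toy_rsa toy_priv   = { "n", NULL, "d" };
static const toy_rsa toy_no_mod = { NULL, "e", "d" };  /* e and d without n */

int main(void)
{
    printf("full key, private selection:     %d\n",
           toy_rsa_has(&toy_full, SEL_PRIVATE_KEY));
    printf("public half, private selection:  %d\n",
           toy_rsa_has(&toy_pub, SEL_PRIVATE_KEY));
    printf("n and d only, public selection:  %d\n",
           toy_rsa_has(&toy_priv, SEL_PUBLIC_KEY));
    printf("e and d only, private selection: %d\n",
           toy_rsa_has(&toy_no_mod, SEL_PRIVATE_KEY));
    return 0;
}
```

A `has()` check of this shape is what a key-management backend runs before an operation is attempted, so returning 1 for an incomplete key defers the failure to a later, less informative point; tying the modulus check to the KEYPAIR mask makes the check fail early for either half.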
559e078d | 08-Mar-2023 |
Tomas Mraz |
Fix size_t/int mismatch in cms_ec.c and rsa_sig.c

Fixes #20435

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20457)
|
27093ba7 | 08-Mar-2023 |
Kornel Dulęba |
aes/asm/bsaes-armv7.pl: Replace adrl with add

"adrl" is a pseudo-instruction used to calculate an address relative to PC. It's not recognized by clang resulting in a compilation error. I've stumbled upon it when trying to integrate the bsaes-armv7 assembly logic into FreeBSD kernel, which uses clang as its default compiler. Note that this affects the build only if BSAES_ASM_EXTENDED_KEY is defined, which is not the default option in OpenSSL. The solution here is to replace it with an add instruction. This mimics what has already been done in !BSAES_ASM_EXTENDED_KEY logic. Because of that I've marked this as trivial CLA.

CLA: trivial

Signed-off-by: Kornel Dulęba <mindal@semihalf.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20458)
|
6b08b786 | 12-Mar-2023 |
zhangzhilei |
Remove duplicate code since this code is also under GCM_HW_SET_KEY_CTR_FN macro

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/20491)
|
93b0a1ea | 08-Mar-2023 |
Pauli |
Add missing copyright header

This file was only recently introduced and the missing header slipped through the review process.

Fixes #20461

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20470)
|
d90bd346 | 07-Mar-2023 |
Pauli |
doc: document that prediction resistance comes with a hidden cost

In the default setup, using prediction resistance cascades to a reseeding of all DRBGs. The cost for this will be excessive for highly threaded applications.

Fixes #20414

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/20452)
|
0e89b396 | 26-Aug-2022 |
Dr. David von Oheimb |
apps/x509 etc.: allow private key input when public key is expected

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19076)
|
b7cc2d2f | 25-Aug-2022 |
Dr. David von Oheimb |
test/smime-certs/{mksmime-certs.sh,ca.cnf}: simplify and speed up cert generation

Also remove inconsistent key usages from non-RSA certs.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19076)
|
091fef49 | 24-Sep-2022 |
Dr. David von Oheimb |
apps/{dsa,ec,rsa,pkey}.c: harmonize coding w.r.t. 'pubin' variable

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19076)
|
5ec4f45e | 06-Mar-2023 |
Richard Levitte |
Fix how util/wrap.pl is used in OpenSSL::Util::fixup_cmd()

The mechanism was pretty tentative and wasn't well tested for diverse situations.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20415)
|
1939ee7f | 01-Mar-2023 |
Richard Levitte |
Fix util/wrap.pl.in for VMS usage

In the name of consistency, make sure that this same script is used across more platforms, in this case VMS. This removes the need for util/local_shlib.com.in and util/unlocal_shlib.com.in, which were under-used anyway.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20415)
|
93136942 | 08-Feb-2023 |
Kurt Roeckx |
Run the punycode-test over the fuzz corpora during test.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20246)
|
451cb23c | 03-Mar-2023 |
Clemens Lang |
fips: Use salt >= 16 bytes in PBKDF2 selftest

NIST SP 800-132 [1] section 5.1 says "[t]he length of the randomly-generated portion of the salt shall be at least 128 bits", which implies that the salt for PBKDF2 must be at least 16 bytes long (see also Appendix A.2.1). The FIPS 140-3 IG [2] section 10.3.A requires that "the lengths and the properties of the Password and Salt parameters, as well as the desired length of the Master Key used in a CAST shall be among those supported by the module in the approved mode." As a consequence, the salt length in the self test must be at least 16 bytes long for FIPS 140-3 compliance.

Switch the self test to use the only test vector from RFC 6070 that uses salt that is long enough to fulfil this requirement. Since RFC 6070 does not provide expected results for PBKDF2 with HMAC-SHA256, use the output from [3], which was generated with python cryptography, which was tested against the RFC 6070 vectors with HMAC-SHA1.

[1]: https://doi.org/10.6028/NIST.SP.800-132
[2]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf
[3]: https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md

Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20429)
|
50ea5cdc | 08-Feb-2023 |
slontis |
Add option to FIPS module to enforce EMS check during KDF TLS1_PRF.

Fixes #19989

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20241)
|
de136993 | 03-Mar-2023 |
Juergen Christ |
S390X: Accelerate keccak XOF

The keccak XOF used for KMAC can be simplified by using klmd. This speeds up XOF processing in cases where more than one result block is needed.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20431)
|
12c4e676 | 07-Mar-2023 |
Richard Levitte |
test/bio_dgram_test.c: Skip test when BIO_bind() fails

This test isn't supposed to test BIO_bind() itself, so we can be a bit sloppy and assume that it fails because the attempted binding is not supported on the platform where this is run. For example, BIO_bind() fails when it's given an IPv6 address and the platform where this is run doesn't support that address family. In a case like this, it's sensible enough to simply skip the test when BIO_bind() fails.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20449)
|
a8681703 | 07-Mar-2023 |
Richard Levitte |
bss_dgram.c: Use BIO_ADDR_sockaddr() and BIO_ADDR_sockaddr_size()

Especially, it's important to use BIO_ADDR_sockaddr_size() instead of taking sizeof(addr), as BIO_ADDR is a union of several sockaddr variants with different sizes, and some sendto() implementations are very picky that the size is correct for the indicated sockaddr family.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20449)
|