Skip DES based tests in FIPS mode

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merge

Skip DES based tests in FIPS mode

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19510)

show more ...

rand: add set0 calls for the private and public DRBGs

The FIPS 140-3 DSA and ECDSA tests need to be known answer tests which means
the entropy needs to be cooked. This permits this.

rand: add set0 calls for the private and public DRBGs

The FIPS 140-3 DSA and ECDSA tests need to be known answer tests which means
the entropy needs to be cooked. This permits this.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19510)

show more ...

Dependabot configuration is not a workflow

Moving it one level up so it does not confuse CI.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.

Dependabot configuration is not a workflow

Moving it one level up so it does not confuse CI.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19515)

show more ...

punycode: add unit tests

These tests verify basic functionality and specifically test for
CVE-2022-3602.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz

punycode: add unit tests

These tests verify basic functionality and specifically test for
CVE-2022-3602.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(cherry picked from commit f0f530216bf93e9cdc9c2c9e3c095229d216da15)

show more ...

Fix CVE-2022-3786 in punycode decoder.

Fixed the ossl_a2ulabel() function which also contained a potential
buffer overflow, albeit without control of the contents.
This overflow coul

Fix CVE-2022-3786 in punycode decoder.

Fixed the ossl_a2ulabel() function which also contained a potential
buffer overflow, albeit without control of the contents.
This overflow could result in a crash (causing a denial of service).

The function also did not NUL-terminate the output in some cases.

The two issues fixed here were dentified and reported
by Viktor Dukhovni while researching CVE-2022-3602.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(cherry picked from commit c42165b5706e42f67ef8ef4c351a9a4c5d21639a)

show more ...

Fix CVE-2022-3602 in punycode decoder.

An off by one error in the punycode decoder allowed for a single unsigned int
overwrite of a buffer which could cause a crash and possible code exe

Fix CVE-2022-3602 in punycode decoder.

An off by one error in the punycode decoder allowed for a single unsigned int
overwrite of a buffer which could cause a crash and possible code execution.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(cherry picked from commit fe3b639dc19b325846f4f6801f2f4604f56e3de3)

show more ...

crypto/dso/dso_vms.c: Better definition of DSO_MALLOC()

Now we cover all possible cases.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gma

crypto/dso/dso_vms.c: Better definition of DSO_MALLOC()

Now we cover all possible cases.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19529)

show more ...

providers/implementations/kdfs/pvkkdf.c: Ensure SIZE_MAX is defined

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas

providers/implementations/kdfs/pvkkdf.c: Ensure SIZE_MAX is defined

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19529)

show more ...

tests: clear error queue before executing a testcase

There can be errors in the queue from previous tests and
we look at it to verify we do not add spurious errors in
some testcases.

tests: clear error queue before executing a testcase

There can be errors in the queue from previous tests and
we look at it to verify we do not add spurious errors in
some testcases.

Fixes #19477

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19483)

(cherry picked from commit 4bae06d47ae26b37a948d31f11884e1813f6d669)

show more ...

Fix parameter names for RSA private key example

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/opens

Fix parameter names for RSA private key example

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19443)

show more ...

Make openVMS seeding less dependent of OpenVMS version

SYS$GETTIM_PREC is a very new function, only available on OpenVMS v8.4.
OpenSSL binaries built on OpenVMS v8.4 become unusable on o

Make openVMS seeding less dependent of OpenVMS version

SYS$GETTIM_PREC is a very new function, only available on OpenVMS v8.4.
OpenSSL binaries built on OpenVMS v8.4 become unusable on older OpenVM
versions, but building for the older CRTL version will make the high
precision time functions unavailable.

Tests have shown that on Alpha and Itanium, the time update granularity
between SYS$GETTIM and SYS$GETTIM_PREC is marginal, so the former plus
a sequence number turns out to be better to guarantee a unique nonce.

Fixes #18727

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18731)

show more ...

Check whether buffers have actually been allocated/freed

In the sslbuffertest we test the operation of SSL_alloc_buffers() and
SSL_free_buffers(). However this was done entirely using th

Check whether buffers have actually been allocated/freed

In the sslbuffertest we test the operation of SSL_alloc_buffers() and
SSL_free_buffers(). However this was done entirely using the public API,
and did not confirm that the buffers were actually allocated/freed. We
now extend the test to confirm this.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19472)

show more ...

Remove some unused OSSL_RECORD_METHOD functions

Remove two function pointers from the OSSL_RECORD_METHOD. Those functions
were no-ops and were never called.

Reviewed-by: Tomas M

Remove some unused OSSL_RECORD_METHOD functions

Remove two function pointers from the OSSL_RECORD_METHOD. Those functions
were no-ops and were never called.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19472)

show more ...

Make SSL_alloc_buffers() and SSL_free_buffers() work again

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/

Make SSL_alloc_buffers() and SSL_free_buffers() work again

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19472)

show more ...

add dependabot to keep actions versions up-to-date

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/ope

add dependabot to keep actions versions up-to-date

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19441)

show more ...

Use RSA CRT parameters in FIPS self tests.

Fixes #19488

Use the correct OSSL_PKEY_PARAM_RSA CRT names fior the self tests.
The invalid names cause CRT parameters to be silently

Use RSA CRT parameters in FIPS self tests.

Fixes #19488

Use the correct OSSL_PKEY_PARAM_RSA CRT names fior the self tests.
The invalid names cause CRT parameters to be silently ignored.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19501)

show more ...

rand: remove the ossl_rand_pool_add_additional_data() function.

This function isn't called from anywhere and cannot easily be used
by the current RNG infrastructure.

Reviewed-by

rand: remove the ossl_rand_pool_add_additional_data() function.

This function isn't called from anywhere and cannot easily be used
by the current RNG infrastructure.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/19493)

show more ...

ssl_cipher_process_rulestr: don't read outside rule_str buffer

If rule_str ended in a "-", "l" was incremented one byte past the
end of the buffer. This resulted in an out-of-bounds rea

ssl_cipher_process_rulestr: don't read outside rule_str buffer

If rule_str ended in a "-", "l" was incremented one byte past the
end of the buffer. This resulted in an out-of-bounds read when "l"
is dereferenced at the end of the loop. It is safest to just return
early in this case since the condition occurs inside a nested loop.

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19166)

show more ...

Fix 32-bit Windows issues related to QUIC Wire functions

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/op

Fix 32-bit Windows issues related to QUIC Wire functions

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19345)

show more ...

Fix 32-bit Windows issues related to QUIC_STREAM

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/op

Fix 32-bit Windows issues related to QUIC_STREAM

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19345)

show more ...

Fix 32-bit Windows issues related to QUIC_ACKM / QUIC_CC

The re-occuring surprise is that in Win32, size_t is 32 bits...
Fixed by changing size_t to uint64_t in QUIC_CC

Reviewed

Fix 32-bit Windows issues related to QUIC_ACKM / QUIC_CC

The re-occuring surprise is that in Win32, size_t is 32 bits...
Fixed by changing size_t to uint64_t in QUIC_CC

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19345)

show more ...

Fix definitions of SHUT_RD and SHUT_WR

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull

Fix definitions of SHUT_RD and SHUT_WR

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19345)

show more ...

Github Actions: Enable building QUIC on Windows

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/ope

Github Actions: Enable building QUIC on Windows

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19345)

show more ...

Fix a lock in provider_remove_store_methods()

We were taking a read lock. It should have been a write lock.

Fixes #19474

Reviewed-by: Tim Hudson <tjh@openssl.org>
Revie

Fix a lock in provider_remove_store_methods()

We were taking a read lock. It should have been a write lock.

Fixes #19474

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19481)

show more ...

Fix test_tls13_encryption()

This test was disabled during the record write record layer refactor.
We can now enable it again.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Rev

Fix test_tls13_encryption()

This test was disabled during the record write record layer refactor.
We can now enable it again.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19470)

show more ...