History log of /openssl/ (Results 4476 – 4500 of 36054)
Revision Date Author Comments
d13c8b77 27-Jul-2022 Pauli

Make OSSL_TIME a structure

This prevents misuses creeping in.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18882)

2d46a44f 24-Jul-2022 Daiyuu Nobori

VC++ 2008 or earlier x86 compilers do not have an inline implementation of InterlockedOr64 for 32bit and will fail to run on Windows XP 32bit.
See: https://docs.microsoft.com/en-us/cpp/intrinsics/interlockedor-intrinsic-functions#requirements
To work around this problem, we implement a manual locking mechanism for only VC++ 2008 or earlier x86 compilers.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18856)

56d4ff6c 29-Jul-2022 Pauli

property: make cache flushing slightly less deterministic

If there is no timer available to seed the stochastic flushing, revert to a
global seed that gets updated each flush.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18906)

cd854f22 02-Aug-2022 Juergen Christ

Fix GHASH-ASM implementation on s390x

s390x GHASH assembler implementation assumed it was called from a
gcm128_context structure where the Xi parameter to the ghash function was
embedded in that structure. Since the structure layout resembles the parameter
block required for kimd-GHASH, the assembler code simply assumed the 128 bytes
after Xi are the hash subkey.

This assumption was broken with the introduction of AES-GCM-SIV which uses the
GHASH implementation without a gcm128_context structure. Furthermore, the
bytes following the Xi input parameter to the GHASH function do not contain
the hash subkey. To fix this, we remove the assumption about the calling
context and build the parameter block on the stack. This requires some
copying of data to and from the stack. While this introduces a performance
degradation, new systems anyway use kma for GHASH/AES-GCM.

Finally fixes #18693 for s390x.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18939)

fc5888cc 01-Aug-2022 Sebastian Andrzej Siewior

test/evp_test: Test if EVP_DigestSign() set signature's length.

Increase the signature's length, that is passed to EVP_DigestSign(). The
implementation should set this parameter back to the actual length, that
has been written.

This (oneshot_digestsign_test_run()) fails for the ed25519/ed448
implementation of s390 prior to the fix. The change in digestsign_test_run()
follows the same pattern and is for collecting bonus points.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18928)

bbedc052 01-Aug-2022 Sebastian Andrzej Siewior

providers: Set the size of EC signature on s390.

The s390x provides its custom implementation for the creation of the
ed448 and ed25519 signatures. Unfortunately it does not set the size.
Users that rely on this return parameter end up with wrong values and
will compare wrong sizes of signature.

Set the proper size of the returned signature on success. Set an error
if the signing operation fails.

Fixes: #18912
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18928)

2bd8190a 02-Aug-2022 Kurt Roeckx

Change name of parameter in documentation from sigret to sig

The rest of the documentation talks about sig, not sigret

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18943)

65b41ab3 01-Aug-2022 Tomas Mraz

Properly document deprecation of DH_new() and related functions

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18925)

fae06b57 01-Aug-2022 Roberto Hueso Gomez

Fix EC_KEY_set_private_key() NULL priv_key docs

Updates the docs to describe EC_KEY_set_private_key() function behavior
when a NULL priv_key argument is passed.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18942)

d93f154d 01-Aug-2022 Roberto Hueso Gomez

Add test for EC_KEY_set_private_key()

This tests the behavior and API of the EC_KEY_set_private_key function.
It tests compliance with legacy features related to NULL private keys
too.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18942)

b304b3e8 26-Jul-2022 Roberto Hueso Gomez

Fix EC_KEY_set_private_key() priv_key regression

This allows setting EC_KEY's private key to NULL and fixes regression
issue following OTC guideline in
https://github.com/openssl/openssl/issues/18744#issuecomment-1195175696

Fixes #18744.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18942)

0a90577e 28-Jul-2022 Pauli

Note that EVP_CIPHER_get_iv_length returns negative values on error

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18875)

e0e338c8 26-Jul-2022 Pauli

Fix bug in EVP_CIPHER_CTX_get_iv_length()

Out of range values could possibly be returned due to a lack of range checking.
Very unlikely to be exploitable for our provider because sensible values are
returned for all ciphers.

Also fixed the defaulting code so that the cipher's IV length is returned if
the cipher ctx doesn't support getting.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18875)

771fef77 01-Aug-2022 Dmitry Belyavskiy

Avoid resource leaks in do_ssl3_write

Thanks Matt for pointing it out

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18924)

4842a27b 29-Jul-2022 Todd Short

Free up space in the session cache before adding.

Fixes #18690

In some circumstances, it's possible that when using an external
database for the session cache, that pulling in an entry from that
cache to the internal cache will cause the newly added entry to
be deleted from the internal cache. This is likely to happen when
the internal cache is set to have a small size, and the newly added
entry's timeout places it at the end of the cache list.

This could be fixed by updating the timestamp of the session (via
`SSL_SESSION_set_time()` or `SSL_SESSION_set_timeout()`) before
adding to the cache. But that may not be desirable.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18905)

72a85c17 28-Jul-2022 Arne Schwabe

Fix wrong default algorithm in openssl pkcs12 help

The default that pkcs12 -export uses is SHA256 and not SHA1.

CLA: Trivial

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18904)

df1e33bc 27-Jul-2022 Rob Mc Gee

Updating ifdefs to account for xlclang compiler frontend on AIX.

The fallback DEP works fine there. XLC should be unaffected.

CLA: trivial

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18892)

6f746779 01-Aug-2022 Todd Short

Fix AES-GCM-SIV endian issues

Fixes #18911

`BSWAP`x/`GETU`xx are no-ops on big-endian. Change the byte swapper.
Fix big-endian issues in the `mulx_ghash()` function

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18920)

76ad9ae6 29-Jul-2022 Pauli

Coverity 1507484: dereference before null check

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18907)

83ab43da 27-Jul-2022 Dmitry Belyavskiy

Check that IV length is not less than zero

As EVP_CIPHER_CTX_get_iv_length indicates failure with -1, this error
should be processed. Also the result of this function shouldn't be
assigned to an unsigned variable.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18891)

4000827f 25-Jul-2022 Matt Caswell

Test that swapping the first app data record with Finished msg works

If the first app data record arrives before the Finished message we should
be able to buffer it and move on to the Finished message.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18868)

6d6b295a 25-Jul-2022 Matt Caswell

Fix SSL_pending() and SSL_has_pending() with DTLS

If app data is received before a Finished message in DTLS then we buffer
it to return later. The function SSL_pending() is supposed to tell you
how much processed app data we have already buffered, and SSL_has_pending()
is supposed to tell you if we have any data buffered (whether processed or
not, and whether app data or not).

Neither SSL_pending() nor SSL_has_pending() were taking account of this
DTLS specific app data buffer.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18868)

0113ec84 28-Apr-2022 Todd Short

Implement AES-GCM-SIV (RFC8452)

Fixes #16721

This uses AES-ECB to create a counter mode AES-CTR32 (32bit counter, I could
not get AES-CTR to work as-is), and GHASH to implement POLYVAL. Optimally,
there would be separate polyval assembly implementation(s), but the only one
I could find (and it was SSE2 x86_64 code) was not Apache 2.0 licensed.

This implementation lives only in the default provider; there is no legacy
implementation.

The code offered in #16721 is not used; that implementation sits on top of
OpenSSL, this one is embedded inside OpenSSL.

Full test vectors from RFC8452 are included, except the 0 length plaintext;
that is not supported; and I'm not sure it's worthwhile to do so.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18693)

dffafaf4 11-Jul-2022 Hugo Landau

QUIC Frame Encoding and Decoding Functions

This adds functions for encoding and decoding QUIC frames.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18795)

20595740 25-Jul-2022 valdaarhun

Fixes segfault occurrence in PEM_write()

Checks if header is NULL or not before calling strlen().

CLA: trivial

Fixes #18825

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18865)
