4811efe1 | 25-Jul-2024 |
Neil Horman |
fix Coverity 1604662 Coverity flagged an issue in our bio_enc tests in which we failed to check the return code of BIO_read for an error condition which can lead to our length comput
fix Coverity 1604662 Coverity flagged an issue in our bio_enc tests in which we failed to check the return code of BIO_read for an error condition which can lead to our length computation going backwards. Just check the error code before adding it to length Fixes openssl/project#779 Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/25006)
show more ...
|
32185d51 | 24-Jul-2024 |
Neil Horman |
Fix second error from Coverity-161057 Coverity flagged a second error in this code we're comparing block_padding and hs_padding for >= 0, which is always true With the
Fix second error from Coverity-161057 Coverity flagged a second error in this code we're comparing block_padding and hs_padding for >= 0, which is always true With the change to the use of strtoul, inputs that are preceded with a - (i.e. negative values), are caught already, so the check is redundant just remove the check entirely Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24993)
show more ...
|
31cd9cd8 | 24-Jul-2024 |
Neil Horman |
Fix coverity-993406 Coverity flagged an overflow warning in the cmsapitest. Its pretty insignificant, but if a huge file is passed in via BIO, its possible for the length variab
Fix coverity-993406 Coverity flagged an overflow warning in the cmsapitest. Its pretty insignificant, but if a huge file is passed in via BIO, its possible for the length variable returned to overflow. Just check it as we read to silence coverity on it. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24995)
show more ...
|
bc431587 | 22-Jul-2024 |
slontis |
Add FIPS indicator support for Triple-DES encryption. This leaves 3DES with the FIPS query "FIPS=yes", which allows Triple-DES to be used for Decryption by default. Disallow CMA
Add FIPS indicator support for Triple-DES encryption. This leaves 3DES with the FIPS query "FIPS=yes", which allows Triple-DES to be used for Decryption by default. Disallow CMAC using Triple-DES in FIPS. This does not use a FIPS indicator. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24960)
show more ...
|
8fe150cc | 25-Jul-2024 |
Pauli |
test: fix failing KDF tests with changed behaviour Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.co
test: fix failing KDF tests with changed behaviour Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24917)
show more ...
|
50a91de4 | 24-Jul-2024 |
Pauli |
changes: add no_short_mac entry Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/p
changes: add no_short_mac entry Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24917)
show more ...
|
3762a56b | 17-Jul-2024 |
Pauli |
test: add unit tests for no-short-mac Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/ope
test: add unit tests for no-short-mac Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24917)
show more ...
|
98fbe679 | 17-Jul-2024 |
Pauli |
prov: add no-short-mac code to KMAC Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/opens
prov: add no-short-mac code to KMAC Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24917)
show more ...
|
d791c2c4 | 17-Jul-2024 |
Pauli |
fips: wire in the no-short-mac option Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/ope
fips: wire in the no-short-mac option Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24917)
show more ...
|
3440a9a0 | 17-Jul-2024 |
Pauli |
doc: document no-short-mac param Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/
doc: document no-short-mac param Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24917)
show more ...
|
3f15ec76 | 17-Jul-2024 |
Pauli |
paramnames: add params for no-short-mac option Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/op
paramnames: add params for no-short-mac option Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24917)
show more ...
|
fc98a2f6 | 17-Jul-2024 |
Pauli |
doc: document no_short_mac option to fipsinstall Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/
doc: document no_short_mac option to fipsinstall Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24917)
show more ...
|
00231a6a | 17-Jul-2024 |
Pauli |
fipsinstall: add no_short_mac option Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/open
fipsinstall: add no_short_mac option Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24917)
show more ...
|
4a002f51 | 17-Jul-2024 |
Pauli |
evp_test: check MAC FIPS approved flag Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/op
evp_test: check MAC FIPS approved flag Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24917)
show more ...
|
85caa417 | 04-Jul-2024 |
slontis |
Disable DSA signing in the FIPS provider. This is a FIPS 140-3 requirement. This uses a FIP indicator if either the FIPS configurable "dsa_sign_disabled" is set to 0, OR OSSL_SIGNATU
Disable DSA signing in the FIPS provider. This is a FIPS 140-3 requirement. This uses a FIP indicator if either the FIPS configurable "dsa_sign_disabled" is set to 0, OR OSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK is set to 0 in the dsa signing context. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24799)
show more ...
|
86fd4c1d | 23-Jul-2024 |
Neil Horman |
Fix Coverity-1604641 Coverity flagged an overflow warning here that can occur if BIO_write returns an error. The overflow itself is a bit of a non-issue, but if BIO_write return
Fix Coverity-1604641 Coverity flagged an overflow warning here that can occur if BIO_write returns an error. The overflow itself is a bit of a non-issue, but if BIO_write returns < 0, then the return from i2a_ASN1_OBJECT will be some odd value representing whatever the offset from the error code to the number of bytes the dump may or may not have written (or some larger negative error code if both fail. So lets fix it. Only do the dump if the BIO_write call returned 0 or greaater. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> (Merged from https://github.com/openssl/openssl/pull/24976)
show more ...
|
3c6e1149 | 24-Jul-2024 |
pohsingwu |
Fix typo in mk-fipsmodule-cnf.pl Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <pauli@openssl.org> (
Fix typo in mk-fipsmodule-cnf.pl Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24977)
show more ...
|
34e8ddfc | 10-Jul-2024 |
Jonathan M. Wilbur |
doc: the basicAttConstraints X.509v3 extension Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/open
doc: the basicAttConstraints X.509v3 extension Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24847)
show more ...
|
aa51de6d | 10-Jul-2024 |
Jonathan M. Wilbur |
test: the basicAttConstraints X.509v3 extension Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/ope
test: the basicAttConstraints X.509v3 extension Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24847)
show more ...
|
7f5db0c9 | 10-Jul-2024 |
Jonathan M. Wilbur |
feat: support the basicAttConstraints X.509v3 extension Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/ope
feat: support the basicAttConstraints X.509v3 extension Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24847)
show more ...
|
ec1d8ead | 23-Jul-2024 |
Neil Horman |
Fix strtoul test on alpine/musl The strtoul tests that were recently added had a compile time check for __WORDSIZE to properly determine the string to use for an maximal unsigned lon
Fix strtoul test on alpine/musl The strtoul tests that were recently added had a compile time check for __WORDSIZE to properly determine the string to use for an maximal unsigned long. Unfortunately musl libc doesn't define __WORDSIZE so we were in a position where on that platform we fall to the 32 bit unsigned long variant, which breaks on x86 platforms. Fix it by doing a preprocessor comparisong on ULONG_MAX instead. NOTE: This works because preprocessors do arithmetic evaluation on macros for every compiler we support. We should be wary of some more esoteric compilers though. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24974)
show more ...
|
14e46600 | 17-Jul-2024 |
pohsingwu |
Restrict digest in set_ctx_params In this commit, we also return different error if the digest is XOF. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale
Restrict digest in set_ctx_params In this commit, we also return different error if the digest is XOF. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23889)
show more ...
|
5e25b8af | 12-Jul-2024 |
pohsingwu |
Add FIPS indicator tests for KDFs Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/
Add FIPS indicator tests for KDFs Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23889)
show more ...
|
6d47e819 | 02-Jun-2024 |
pohsingwu |
Restrict digest algorithm used in KDFs Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/
Restrict digest algorithm used in KDFs Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23889)
show more ...
|
4f619ca6 | 09-Jul-2024 |
Neil Horman |
Ensure cmd from fuzz buffer is always valid The quic-srtm fuzzer uses a loop in which an integer command is extracted from the fuzzer buffer input to determine the action to take, sw
Ensure cmd from fuzz buffer is always valid The quic-srtm fuzzer uses a loop in which an integer command is extracted from the fuzzer buffer input to determine the action to take, switching on the values between 0 and 3, and ignoring all other commands. Howver in the failing fuzzer test case here: https://oss-fuzz.com/testcase-detail/5618331942977536 The buffer provided shows a large number of 0 values (indicating an SRTM add command), and almost no 1, 2, or 3 values. As such, the fuzzer only truly exercises the srtm add path, which has the side effect of growing the SRTM hash table unboundedly, leading to a timeout when 10 entries need to be iterated over when the hashtable doall command is executed. Fix this by ensuring that the command is always valid, and reasonably distributed among all the operations with some modulo math. Introducing this change bounds the hash table size in the reproducer test case to less than half of the initially observed size, and avoids the timeout. Fixes openssl/project#679 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24827)
show more ...
|