Document that SHAKE-128 and SHAKE-256 have no default digest length

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https:/

Document that SHAKE-128 and SHAKE-256 have no default digest length

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24105)

show more ...

Intentionally break EVP_DigestFinal for SHAKE128 and SHAKE256

It will work only if OSSL_DIGEST_PARAM_XOFLEN is set.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane

Intentionally break EVP_DigestFinal for SHAKE128 and SHAKE256

It will work only if OSSL_DIGEST_PARAM_XOFLEN is set.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24105)

show more ...

fix sm2 encryption implementation bug.

According to the "GB/T 32918.4-2016"
section 6.1 encryption, step A5:
If result of the "KDF" is all zeros, we should go back to
the begin(s

fix sm2 encryption implementation bug.

According to the "GB/T 32918.4-2016"
section 6.1 encryption, step A5:
If result of the "KDF" is all zeros, we should go back to
the begin(step A1).

section 7.1 decryption, step B4:
If result of the "KDF" is all zeros, we should raise error and exit.

Signed-off-by: Liu-Ermeng <liuermeng2@huawei.com>

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23210)

show more ...

sslapitest.c: With fips skip tests depending on X25519 and X448

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github

sslapitest.c: With fips skip tests depending on X25519 and X448

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24347)

show more ...

90-test_sslapi.t: Fix execution of sslapitest with fips provider

Default configuration of the fips provider for tests is pedantic
which means that sslapitest was not fully executed with

90-test_sslapi.t: Fix execution of sslapitest with fips provider

Default configuration of the fips provider for tests is pedantic
which means that sslapitest was not fully executed with fips provider.

The ems check must be switched off for full execution.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24347)

show more ...

Add 3.2 and 3.3 branches to Provider compat CI

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/open

Add 3.2 and 3.3 branches to Provider compat CI

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24347)

show more ...

Release pkey_ctx on initialization failure

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.

Release pkey_ctx on initialization failure

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24366)

show more ...

fix: extension critical definition to default false

Signed-off-by: Jonathan M. Wilbur <jonathan@wilbur.space>

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas

fix: extension critical definition to default false

Signed-off-by: Jonathan M. Wilbur <jonathan@wilbur.space>

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21230)

show more ...

evp_test: Added the special private key that triggers bug (CVE-2011-4354)

The bug triggers in 32 bit linux distros running openssl 0.9.8g.

This adds a regression test case.

evp_test: Added the special private key that triggers bug (CVE-2011-4354)

The bug triggers in 32 bit linux distros running openssl 0.9.8g.

This adds a regression test case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24235)

show more ...

zeroize rsa->p,rsa->q on error

this is rquired by fipd-186-5 section A.1.6, step 7:
Zeroize the internally generated values that are not returned

In OpenSSL code we need

zeroize rsa->p,rsa->q on error

this is rquired by fipd-186-5 section A.1.6, step 7:
Zeroize the internally generated values that are not returned

In OpenSSL code we need to zero p, q members of rsa structure. The rsa
structure is provided by ossl_rsa_fips186_4_gen_prob_primes() caller.

The remaining values (variables) mentioned by standard are zeroed
already in functions we call from ossl_rsa_fips186_4_gen_prob_primes().

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24358)

show more ...

Add support for integrity-only cipher suites for TLS v1.3

- add test vectors for tls1_3 integrity-only ciphers
- recmethod_local.h: add new member for MAC
- tls13_meth.c: add MAC onl

Add support for integrity-only cipher suites for TLS v1.3

- add test vectors for tls1_3 integrity-only ciphers
- recmethod_local.h: add new member for MAC
- tls13_meth.c: add MAC only to tls 1.3
- tls13_enc.c: extend function to add MAC only
- ssl_local.h: add ssl_cipher_get_evp_md_mac()
- s3_lib.c: add the new ciphers and add #ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS
- ssl_ciph.c : add ssl_cipher_get_evp_md_mac() and use it
- tls13secretstest.c: add dummy test function
- Configure: add integrity-only-ciphers option
- document the new ciphers

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22903)

show more ...

cipher_null.c: add NULL check

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>

cipher_null.c: add NULL check

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22903)

show more ...

apps/pkcs12: Not writing the private key file until the import password is verified

Fixes #904

CLA: trivial

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-

apps/pkcs12: Not writing the private key file until the import password is verified

Fixes #904

CLA: trivial

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23729)

show more ...

Remove SSL_ENC_FLAG_EXPLICIT_IV which is only set and never read.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github

Remove SSL_ENC_FLAG_EXPLICIT_IV which is only set and never read.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24036)

show more ...

Add reason codes with the correct offset for two alerts

Fixes #24300. The current values of SSL_R_NO_APPLICATION_PROTOCOL and
SSL_R_PSK_IDENTITY_NOT_FOUND don't allow for a correct looku

Add reason codes with the correct offset for two alerts

Fixes #24300. The current values of SSL_R_NO_APPLICATION_PROTOCOL and
SSL_R_PSK_IDENTITY_NOT_FOUND don't allow for a correct lookup of the
corresponding reason strings.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24351)

show more ...

threads_win: fix build error with VS2010

VC 2010 or earlier compilers do not support static inline.
To work around this problem, we can use the ossl_inline macro.

Fixes:
cry

threads_win: fix build error with VS2010

VC 2010 or earlier compilers do not support static inline.
To work around this problem, we can use the ossl_inline macro.

Fixes:
crypto\threads_win.c(171) : error C2054: expected '(' to follow 'inline'
crypto\threads_win.c(172) : error C2085: 'get_hold_current_qp' : not in formal parameter list
crypto\threads_win.c(172) : error C2143: syntax error : missing ';' before '{'
crypto\threads_win.c(228) : warning C4013: 'get_hold_current_qp' undefined; assuming extern returning int
crypto\threads_win.c(228) : warning C4047: '=' : 'rcu_qp *' differs in levels of indirection from 'int'

Signed-off-by: Georgi Valkov <gvalkov@gmail.com>

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24370)

show more ...

crypto/riscvcap: fix function declaration for hwprobe_to_cap

error: function declaration isn't a prototype [-Werror=strict-prototypes]

Fixes: 66ad636b9 ("riscv: use hwprobe syscall

crypto/riscvcap: fix function declaration for hwprobe_to_cap

error: function declaration isn't a prototype [-Werror=strict-prototypes]

Fixes: 66ad636b9 ("riscv: use hwprobe syscall for capability detection")

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24373)

show more ...

doc: Fix description of EVP_CIPHER_CTX_dup

This fixes a couple of copy and paste error from EVP_MD_CTX_dup,
where: EVP_CIPHER_CTX_dup is useful to avoid multiple
EVP_CIPHER_fetch (in

doc: Fix description of EVP_CIPHER_CTX_dup

This fixes a couple of copy and paste error from EVP_MD_CTX_dup,
where: EVP_CIPHER_CTX_dup is useful to avoid multiple
EVP_CIPHER_fetch (instead of EVP_MD_fetch) and returns
EVP_CIPHER_CTX (instead of EVP_MD_CTX).

Signed-off-by: Daiki Ueno <dueno@redhat.com>

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24376)

show more ...

quic_multistream_test: fix undefined symbol snprintf with VS2010

As snprintf is not available everywhere, use BIO_snprintf instead.

Fixes:
IF EXIST test\quic_multistream

quic_multistream_test: fix undefined symbol snprintf with VS2010

As snprintf is not available everywhere, use BIO_snprintf instead.

Fixes:
IF EXIST test\quic_multistream_test.exe.manifest DEL /F /Q test\quic_multistream_test.exe.manifest
"link" /nologo /debug setargv.obj /subsystem:console /opt:ref /nologo /debug @V:\_tmp\nm4.tmp
quic_multistream_test-bin-quic_multistream_test.obj : error LNK2019: unresolved external symbol _snprintf referenced in function _helper_init
test\quic_multistream_test.exe : fatal error LNK1120: 1 unresolved externals
NMAKE : fatal error U1077: '"E:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\BIN\link.EXE"' : return code '0x460'

Signed-off-by: Georgi Valkov <gvalkov@gmail.com>

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24369)

show more ...

fips: zeroization of public security parameters (PSPs)

ISO 19790:2012/Cor.1:2015 7.9 requires cryptographic module to provide
methods to zeroise all unproctected security sensitive param

fips: zeroization of public security parameters (PSPs)

ISO 19790:2012/Cor.1:2015 7.9 requires cryptographic module to provide
methods to zeroise all unproctected security sensitive parameters
(which inclues both Critical/Private **and** Public security
parameters). And those that are temprorarly stored are required to be
zeroised after they are no longer needed at security levels 2 and
higher.

Comply with the above requirements by always zeroising public security
parameters whenever they are freed.

This is currently done under the FIPS feature, however the requirement
comes from the ISO 19790:2012 which may also be needed in other
jurisdictions. If not always. Note FIPS 140-3 includes ISO 19790:2012
by reference.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24355)

show more ...

Typo fixes

and an addition of an empty line to follow the code style

CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openss

Typo fixes

and an addition of an empty line to follow the code style

CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23721)

show more ...

Implement riscv_vlen_asm for riscv32

riscvcap.c: undefined reference to 'riscv_vlen_asm'

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>

Implement riscv_vlen_asm for riscv32

riscvcap.c: undefined reference to 'riscv_vlen_asm'

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24270)

show more ...

tls_provider_init(): Rename prov_ctx to xor_prov_ctx to clarify

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github

tls_provider_init(): Rename prov_ctx to xor_prov_ctx to clarify

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24103)

show more ...

tls_provider_init(): Fix leaks in error cases

Fixes #24101

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://gi

tls_provider_init(): Fix leaks in error cases

Fixes #24101

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24103)

show more ...

ssl_cipher_get_overhead(): Replace size_t with int and add the checks

Replace the type of "mac", "out", and "blk" with int to avoid implicit
conversion when it is assigned by EVP_MD_get_

ssl_cipher_get_overhead(): Replace size_t with int and add the checks

Replace the type of "mac", "out", and "blk" with int to avoid implicit
conversion when it is assigned by EVP_MD_get_size(),
EVP_CIPHER_get_iv_length(), and EVP_CIPHER_get_block_size().
Moreover, add the checks to avoid integer overflow.

Fixes: 045bd04706 ("Add DTLS_get_data_mtu() function")
Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu>

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23935)

show more ...