Commit Graph

30203 Commits (ad1ca777f9702f355a2f74dc5eed713476825f23)

Author SHA1 Message Date
Matt Caswell ad1ca777f9 Check the plaintext buffer is large enough when decrypting SM2
Previously there was no check that the supplied buffer was large enough.
It was just assumed to be sufficient. Instead we should check and fail if
not.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
2021-08-24 14:22:07 +01:00
Matt Caswell d07036b98d Extend tests for SM2 decryption
Check the case where C1y < 32 bytes in length (i.e. short overhead), and
also the case with longer plaintext and C1x and C1y > 32 bytes in length
(i.e. long overhead)

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
2021-08-24 14:22:07 +01:00
Matt Caswell 36cf45ef3b Correctly calculate the length of SM2 plaintext given the ciphertext
Previously the length of the SM2 plaintext could be incorrectly calculated.
The plaintext length was calculated by taking the ciphertext length and
taking off an "overhead" value.

The overhead value was assumed to have a "fixed" element of 10 bytes.
This is incorrect since in some circumstances it can be more than 10 bytes.
Additionally the overhead included the length of two integers C1x and C1y,
which were assumed to be the same length as the field size (32 bytes for
the SM2 curve). However in some cases these integers can have an additional
padding byte when the msb is set, to disambiguate them from negative
integers. Additionally the integers can also be less than 32 bytes in
length in some cases.

If the calculated overhead is incorrect and larger than the actual value
this can result in the calculated plaintext length being too small.
Applications are likely to allocate buffer sizes based on this and therefore
a buffer overrun can occur.

CVE-2021-3711

Issue reported by John Ouyang.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
2021-08-24 14:22:07 +01:00
Matt Caswell 4b8a8bb752 Fix the error handling in i2v_AUTHORITY_KEYID
Previously if an error path is entered a leak could result.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
2021-08-24 14:22:07 +01:00
Matt Caswell e20fc2ee4f Allow fuzz builds to detect string overruns
If FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION is defined then we don't NUL
terminate ASN1_STRING datatypes. This shouldn't be necessary but we add it
any for safety in normal builds.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
2021-08-24 14:22:07 +01:00
Matt Caswell 030c5aba94 Fix EC_GROUP_new_from_ecparameters to check the base length
Check that there's at least one byte in params->base before trying to
read it.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
2021-08-24 14:22:07 +01:00
Matt Caswell 7c038a6bcd Fix NETSCAPE_SPKI_print function to not assume NUL terminated strings
ASN.1 strings may not be NUL terminated. Don't assume they are.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
2021-08-24 14:22:06 +01:00
Matt Caswell 98624776c4 Fix append_ia5 function to not assume NUL terminated strings
ASN.1 strings may not be NUL terminated. Don't assume they are.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
2021-08-24 14:22:06 +01:00
Matt Caswell 1f365708a3 Fix test code to not assume NUL terminated strings
ASN.1 strings may not be NUL terminated. Don't assume they are.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
2021-08-24 14:22:06 +01:00
Matt Caswell 95f8c1e142 Fix CMP code to not assume NUL terminated strings
ASN.1 strings may not be NUL terminated. Don't assume they are.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
2021-08-24 14:22:06 +01:00
Matt Caswell d2015a783e Fix the name constraints code to not assume NUL terminated strings
ASN.1 strings may not be NUL terminated. Don't assume they are.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
2021-08-24 14:22:06 +01:00
Matt Caswell 918430ba80 Fix printing of PROXY_CERT_INFO_EXTENSION to not assume NUL terminated strings
ASN.1 strings may not be NUL terminated. Don't assume they are.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
2021-08-24 14:22:06 +01:00
Matt Caswell b2b3b9c993 Fix GENERAL_NAME_print to not assume NUL terminated strings
ASN.1 strings may not be NUL terminated. Don't assume they are.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
2021-08-24 14:22:06 +01:00
Matt Caswell 1747d4658b Fix POLICYINFO printing to not assume NUL terminated strings
ASN.1 strings may not be NUL terminated. Don't assume they are.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
2021-08-24 14:22:06 +01:00
Matt Caswell ad6ac17489 Fix i2v_GENERAL_NAME to not assume NUL terminated strings
ASN.1 strings may not be NUL terminated. Don't assume they are.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
2021-08-24 14:22:06 +01:00
Zengit ed3f51ec7d Add a clarification to NOTES-UNIX.md
I just wasted almost 2 hours troubleshooting, because lowercase L
and 1 look too similar, this should help some people save time.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16295)
2021-08-23 15:19:31 +02:00
Dmitry Belyavskiy f4d8b29a26 Get rid of warn_binary
Current implementation of warn_binary introduces a regression
when the content is passed in /dev/stdin as an explicit file name
and reads the file to be processed twice otherwise.

I suggest to reimplement this functionality after 3.0 if necessary.

Fixes #16359

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/16367)
2021-08-20 16:45:15 +02:00
Omair Majid 43044ede54 Fix documentation referring to 'function code'
ERR_GET_FUNC was removed, so remove references to 'function code' as
well from docs.

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16353)
2021-08-20 10:16:58 +02:00
Beat Bolli c727cddc9c doc: fix a mistyped "=item" perldoc marker
Searching didn't reveal any other similar cases.

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16354)
2021-08-20 12:06:19 +10:00
Rich Salz ecb09bafad Replace CONFIG_NOWAIT env var with -w option
And document the -w option

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16325)
2021-08-20 10:32:35 +10:00
Rich Salz 214888448d Set KERNEL_BITS, add CONFIG_NOWAIT
Avoid perl "undefined variable in regexp" message.
Not all uses were changed because I wasn't sure.
Add support for CONFIG_NOWAIT environment variable.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16325)
2021-08-19 15:50:14 -04:00
Rich Salz 92115096c3 Minor doc enhancements to INSTALL.md
Describe current relationship between config and Configure.
Put the environment variable list in alphabetical order.
Add description of KERNEL_BITS.
Add new variable CONFIG_NOWAIT.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16325)
2021-08-19 15:50:14 -04:00
Richard Levitte 023cb594d9 util/add-depends.pl: Rebuild the build file after reconfiguration
Reconfiguration is assumed if any dependency (.d) file is older than
configdata.pm.

Fixes #16364

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16365)
2021-08-19 20:45:00 +02:00
Richard Levitte 3bb2046a59 util/add-depends.pl: Only add dependencies on existing or generated headers
Headers that fulfill neither of those conditions are skipped.

This avoids build breaks when development has removed a previously
existing header.

Fixes #16360

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16361)
2021-08-19 19:06:46 +02:00
Todd Short e0f69c3598 Fix state name abbreviation
The TRSCV state abbrev was used for two states:
* TLS_ST_CR_CERT_VRFY
* TLS_ST_SW_CERT_VRFY

The second one is wrong because it's a write operation.
The state for TLS_ST_SW_CERT_VRFY should be "TWSCV"

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16327)
2021-08-19 08:24:16 +10:00
Richard Levitte d68820d956 Add tests for EVP_PKEY_get_utf8_string_param(), both positive and negative
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16334)
2021-08-18 17:05:57 +02:00
Richard Levitte 4e92d5c79d EVP_PKEY_get_utf8_string_param(): ensure the string is NUL terminated
A check is added to fail this function if the string buffer isn't
large enough to accomodate a terminating NUL byte.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16334)
2021-08-18 17:05:57 +02:00
Pauli 2fbf0a560d doc: remove errant blank line to appease doc-nits
Fixes #16328

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/16330)
2021-08-18 16:16:42 +10:00
Pauli 9f81ef9c0b pkcs12: check for zero length digest to avoid division by zero
Fixes #16331

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/16332)
2021-08-18 16:14:42 +10:00
Shane Lontis 46ac83eaf3 Fix CTS cipher decrypt so that the updated IV is returned correctly.
Adding KRB5 test vector 'NextIV' values to evp_test data for AES CTS indicated that the CTS decrypt functions incorrectly returned the wrong IV. The returned IV should match the value returned by the encrypt methods.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16286)
2021-08-18 08:38:40 +10:00
Shane Lontis 7daabe78a0 Change CTS CS3 (Kerberos) so that it accepts a 16 byte input block
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16286)
2021-08-18 08:38:40 +10:00
Shane Lontis 7f5a9399d2 Add support for camellia cbc cts mode
Fixes #16276

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16286)
2021-08-18 08:38:40 +10:00
Shane Lontis 42281f2617 Refactor cipher aes_cts code so that it can be used by other 128bit ciphers
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16286)
2021-08-18 08:38:40 +10:00
Richard Levitte 43cf27c9a4 Correct UTF8 params documentation further
The latest change misdocumented OSSL_PARAM_get_utf8_string(), that
change should have been for OSSL_PARAM_set_utf8_string().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16318)
2021-08-17 13:50:18 +02:00
Ingo Franzki f17e52778f Test EVP Cipher updating the context's IV
Ensure that an EVP_CipherUpdate operation updates the context's
IV for AES CBC, CFB, OFB, and CTR. An application can get the
updated IV via EVP_CIPHER_CTX_iv().

The s390x implementation of the CFB and OFB ciphers in e_aes.c did not
update the IV in the context, but only within its s390x specific
context data.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16291)
2021-08-16 13:02:51 +02:00
Ingo Franzki c719ea171c s390x: AES OFB/CFB: Maintain running IV from cipher context
Copy the current IV from the cipher context into the kmo/kmf param before
the operation, and copy the modified IV back to the context afterwards.
Without this, an application that obtains the running IV from the context
would still get the original IV, but not the updated one.

This implementation in e_aes.c now matches the code in cipher_aes_hw_s390x.inc
that is used for the provider implementation.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16291)
2021-08-16 13:02:50 +02:00
Todd Short 0449702abc Fix potential double-free
The `sk` variable is assigned to `s->session->peer_chain`.
If `ssl3_digest_cached_records()` were to fail, then `sk` would still be
non-NULL, and subsequently freed on the error return. When the session
is freed, it will then attempt to free `s->session->peer_chain`,
resulting in a double-free (of `sk`).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16309)
2021-08-16 12:56:53 +02:00
Tomas Mraz 0ec738433e Multiple fixes for getting pub key from legacy DH PKEY
There were multiple issues with getting OSSL_PKEY_PARAM_PUB_KEY
from a legacy EVP_PKEY DH and DHX keys.

Fixes #16247

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16253)
2021-08-16 12:55:08 +02:00
Tomas Mraz 4ccad35756 Correct documentation errors in regards to UTF8 params
This fixes numerous bugs in documentation in regards to UTF8
params and their sizes. The returned size should always be without the
terminating NUL byte. On the other hand on the requestor side
the size of the buffer should include the NUL byte if it expects it
being included in the returned string.

Also make this clear in the EVP_PKEY_get_group_name() documentation
which uses utf8 string params under the hood.

Fixes #16287

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16296)
2021-08-13 12:28:10 +02:00
Tomas Mraz bd32bdb8b2 Add documentation about the multilib postfix and libdir
Fixes #16244

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16281)
2021-08-13 10:45:44 +02:00
Shane Lontis 254957f768 Allow small RSA exponents in the default provider
Fixes #16255

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16285)
2021-08-13 10:35:56 +02:00
Dmitry Belyavskiy a5f4099d27 Disclaimer about the default provider activation added to config
Fixes #16249

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16280)
2021-08-12 09:59:34 +02:00
Pauli dbd0244a16 genpkey: -quiet doesn't take an argument
Fixes #16238

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16240)
2021-08-12 16:26:22 +10:00
Todd Short 3465ec99ea Sort SSL_OP names in documentation
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16236)
2021-08-11 18:13:33 +02:00
Todd Short 73dadb9300 Add missing SSL_OP flags
Add missing SSL_OP flags. Correct the list of flags set by SSL_OP_ALL.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16236)
2021-08-11 18:13:11 +02:00
Tomas Mraz 0f70d60134 EVP_CIPHER_CTX_set_key_length: Raise error when key length is not settable
If key length is different from the existing key length and it is not
a settable parameter, raise an error.

Fixes #16277

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16279)
2021-08-11 17:11:47 +02:00
Tomas Mraz 12e055991e dsatest: Properly detect failure in generate/sign/verify
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16268)
2021-08-11 12:07:08 +02:00
Tomas Mraz aa5098021b Set FFC_PARAM_FLAG_VALIDATE_LEGACY on params generated with FIPS 186-2 gen
Fixes #16261

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16268)
2021-08-11 12:07:08 +02:00
Tomas Mraz c96670e59a aes_v8_xts_encrypt is present only on 64bit arm builds
Fixes #16273

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16275)
2021-08-11 10:08:57 +02:00
Dmitry Belyavskiy b4f1b7b658 Omitted signature_algorithms extension alerts updated
Fixes #15484

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16217)
2021-08-11 09:47:47 +02:00