aboutsummaryrefslogtreecommitdiffstats
path: root/providers
Commit message (Collapse)AuthorAgeFilesLines
* Restrict digest in set_ctx_paramsHEADmasterpohsingwu2024-07-244-160/+255
| | | | | | | | In this commit, we also return different error if the digest is XOF. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23889)
* Restrict digest algorithm used in KDFspohsingwu2024-07-249-32/+366
| | | | | | Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23889)
* that open brace { should be on the previous lineDimitri Papadopoulos2024-07-2212-36/+20
| | | | | | | | | Found by running the checkpatch.pl Linux script to enforce coding style. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22097)
* Remove trailing whitespaceDimitri Papadopoulos2024-07-222-2/+2
| | | | | | | | | Found by running the checkpatch.pl Linux script to enforce coding style. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22097)
* Remove check for RSA encryption allowing X9.31 padding.slontis2024-07-211-1/+0
| | | | | | | | | | | | | X9.31 is a Signature Standard, and should not apply to encryption. rsa_ossl_public_encrypt() does not allow this padding mode. The openssl rsautil command line tool already failed if the -x931 option was used with -encrypt Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/24938)
* fips: correctly initialise FIPS indicator settablesPauli2024-07-192-3/+6
| | | | | | | | | | | | The `memset(3)` just happened to work because 2s complement. This is more robust. Also reduced the size of the indicator structure. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24923)
* Fix kbkdf bug if MAC is set to KMAC and then something elsePauli2024-07-171-1/+2
| | | | | | | | | | | A context that is set to KMAC sets the is_kmac flag and this cannot be reset. So a user that does kbkdf using KMAC and then wants to use HMAC or CMAC will experience a failure. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24883)
* Add FIPS indicator for TEST-RANDPauli2024-07-171-1/+9
| | | | | | | | | The indicator is always non-FIPS, since this is used for internal tasks and hasn't been validated. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24851)
* riscv: Fix cpuid_obj asm checks for sm4/sm3Hongren Zheng2024-07-124-4/+4
| | | | | | | | Similar to #22881 / #23752 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> (Merged from https://github.com/openssl/openssl/pull/24486)
* Change all existing FIPS configurable checks to use FIPS indicators.slontis2024-07-1118-319/+681
| | | | | | | | | | This changes the logic to always do the security checks and then decide what to do based on if this passes or not. Failure of a check causes either a failure OR the FIPS indicator callback to be triggered. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24623)
* Add FIPS indicator helpersslontis2024-07-113-1/+244
| | | | | | | | | Each provider algorithm context can use these helpers to add indicator support. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24623)
* Add FIPS indicator callback.slontis2024-07-111-1/+21
| | | | | | | | | | | | | | | | Add a FIPS indicator callback that can be set via OSSL_INDICATOR_set_callback(). This callback is intended to be run whenever a non approved algorithm check has occurred and strict checking has been disabled.The callback may be used to log non approved algorithms. The callback is passed a type and description string as well as the cbarg specified in OSSL_INDICATOR_set_callback. The return value can be either 0 or 1. A value of 0 can be used for testing purposes to force an error to occur from the algorithm that called the callback. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24623)
* Clarify DRBG seeding.Pauli2024-06-291-0/+5
| | | | | | | | | | | There is a legacy code path that OpenSSL won't use anymore but applications could. Add a comment indicating this to avoid confusion for people not intimately conversant with the nuances in the RNG code. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24745)
* Fix usage of deallocated EVP_RAND_CTX after execution of FIPS on-demand self ↵Karol Brzuskiewicz2024-06-241-0/+4
| | | | | | | | | | | | | | | | | | | | | | | tests Once RNG is used, triggering FIPS on-demand self tests (via OSSL_PROVIDER_self_test() API) crashes the application. This happens because the RNG context is stored before self tests, and restored after their execution. In the meantime - before context restoration - RAND_set0_private() function is called, which decrements the stored RNG context reference counter and frees it. To resolve the issue, the stored RNG context refcount has been incremented via the EVP_RAND_CTX_up_ref() API to avoid its deallocation during the RNG context switch performed by the self test function. The provider_status_test test has been updated to reproduce the issue as a regression test. Signed-off-by: Karol Brzuskiewicz <kabr@arista.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24599)
* rand: remove unimplemented librandom stub codeDimitri John Ledkov2024-05-241-11/+0
| | | | | | | | Clean up of unsuable / no-op code. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24465)
* rsa-pss: add tests checking for SHAKE usage in RSA-PSSDimitri John Ledkov2024-05-221-0/+1
| | | | | | | | | | | | | | | | | | | | | | | FIPS 186-5, RFC 8692, RFC 8702 all agree and specify that Shake shall be used directly as MGF (not as a hash in MGF1). Add tests that try to specify shake hash as MGF1 to ensure that fails. Separately the above standards specify how to use SHAKE as a message digest with either fixed or minimum output lengths. However, currently shake is not part of allowed hashes. Note that rsa_setup_md()/rsa_setup_mgf1_md() call ossl_digest_rsa_sign_get_md_nid() -> ossl_digest_get_approved_nid_with_sha1() -> ossl_digest_get_approved_nid() which only contain sha1/sha2/sha3 digests without XOF. The digest test case will need to be replace if/when shake with minimum output lengths is added to ossl_digest_get_approved_nid(). Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24387)
* fips provider: explicitly setup cpuid when initializingHongren Zheng2024-05-201-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | Fixes: #23979 Previously fips module relied on OPENSSL_cpuid_setup being used as constructor by the linker to correctly setup the capability vector, either via .section .init (for x86_64) or via __attribute__((constructor)). This would make ld.so call OPENSSL_cpuid_setup before the init function for fips module. However, this early constructing behavior has several disadvantages: 1. Not all platform/toolchain supports such behavior 2. Initialisation sequence is not well defined, and some function might not be initialized when cpuid_setup is called 3. Implicit path is hard to maintain and debug Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24419)
* Intentionally break EVP_DigestFinal for SHAKE128 and SHAKE256Tomas Mraz2024-05-151-5/+14
| | | | | | | | It will work only if OSSL_DIGEST_PARAM_XOFLEN is set. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/24105)
* cipher_null.c: add NULL checkRajeev Ranjan2024-05-141-1/+1
| | | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22903)
* fips: zeroization of public security parameters (PSPs)Dimitri John Ledkov2024-05-132-0/+8
| | | | | | | | | | | | | | | | | | | | | ISO 19790:2012/Cor.1:2015 7.9 requires cryptographic module to provide methods to zeroise all unproctected security sensitive parameters (which inclues both Critical/Private **and** Public security parameters). And those that are temprorarly stored are required to be zeroised after they are no longer needed at security levels 2 and higher. Comply with the above requirements by always zeroising public security parameters whenever they are freed. This is currently done under the FIPS feature, however the requirement comes from the ISO 19790:2012 which may also be needed in other jurisdictions. If not always. Note FIPS 140-3 includes ISO 19790:2012 by reference. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24355)
* Adjust FIPS EC/DSA self test data for different nonce generationTomas Mraz2024-05-021-25/+25
| | | | | | Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24265)
* hkdf: when HMAC key is all zeros, still set a valid key lengthDimitri John Ledkov2024-04-251-1/+1
| | | | | | | | | | | | | | | By itself, this is no change in any computation. However, this will unlock enforcing minimum key lengths for NIST and FIPS 140-3 requirements. Also reading RFC8448 and RFC5869, this seems to be strictly correct too. Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24204)
* Exclude X25519 and X448 from capabilities advertised by FIPS providerDimitri John Ledkov2024-04-191-2/+0
| | | | | | | Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24099)
* Make X25519 and X448 FIPS unapprovedTomas Mraz2024-04-191-4/+4
| | | | | | | | Partially fixes: #22105 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24099)
* Fix typos found by codespellDimitri Papadopoulos2024-04-101-1/+1
| | | | | | Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24013)
* signature/dsa_sig.c: Add checks for the EVP_MD_get_size()Jiasheng Jiang2024-04-091-2/+8
| | | | | | | | | | | Add checks for the EVP_MD_get_size() to avoid integer overflow and then explicitly cast from int to size_t. Fixes: 45a845e40b ("Add EVP_DigestSign/EVP_DigestVerify support for DSA") Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23948)
* signature/ecdsa_sig.c: Add checks for the EVP_MD_get_size()Jiasheng Jiang2024-04-091-2/+9
| | | | | | | | | | | Add checks for the EVP_MD_get_size() to avoid integer overflow and then explicitly cast from int to size_t. Fixes: edd3b7a309 ("Add ECDSA to providers") Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23947)
* Fix EVP_PKEY_CTX_add1_hkdf_info() behaviorTodd Short2024-04-092-0/+50
| | | | | | | | | | | | | | Fix #23448 `EVP_PKEY_CTX_add1_hkdf_info()` behaves like a `set1` function. Fix the setting of the parameter in the params code. Update the TLS_PRF code to also use the params code. Add tests. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23456)
* Copyright year updatesMatt Caswell2024-04-093-3/+3
| | | | | | | | | | Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes (cherry picked from commit 3764f200f9d44622faa8ac1b15d2f3eb7c39e473) Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24034)
* Copyright year updatesRichard Levitte2024-04-0914-14/+14
| | | | | | | | | | Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes (cherry picked from commit 0ce7d1f355c1240653e320a3f6f8109c1f05f8c0) Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24034)
* Use RFC 5869 test case for HKDF self-testpohsingwu2024-04-021-8/+26
| | | | | | | | | According to NIST SP 800-131Ar2 section 8, the length of the key-derivation key shall be at least 112 bits. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23833)
* rands/drbg_hash.c: Add checks for the EVP_MD_get_size()Jiasheng Jiang2024-04-021-1/+5
| | | | | | | | | | | | | Add checks for the EVP_MD_get_size() to avoid integer overflow and then explicitly cast from int to size_t. Fixes: 8bf3665196 ("Added DRBG_HMAC & DRBG_HASH + Added defaults for setting DRBG for master/public/private + renamed generate_counter back to reseed_counter + generated new cavs data tests") Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23944)
* rands/drbg_hmac.c: Add checks for the EVP_MD_get_size()Jiasheng Jiang2024-04-011-1/+5
| | | | | | | | | | | | | Add checks for the EVP_MD_get_size() to avoid integer overflow and then explicitly cast from int to size_t. Fixes: 8bf3665196 ("Added DRBG_HMAC & DRBG_HASH + Added defaults for setting DRBG for master/public/private + renamed generate_counter back to reseed_counter + generated new cavs data tests") Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23945)
* macs/kmac_prov.c: Add checks for the EVP_MD_get_size()Jiasheng Jiang2024-04-011-1/+7
| | | | | | | | | | | | Add checks for the EVP_MD_get_size() to avoid integer overflow and then explicitly cast from int to size_t. Fixes: 6e624a6453 ("KMAC implementation using EVP_MAC") Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23946)
* signature/rsa_sig.c: Add checks for the EVP_MD_get_size()Jiasheng Jiang2024-04-011-2/+8
| | | | | | | | | | | | Add checks for the EVP_MD_get_size() to avoid integer overflow and then explicitly cast from int to size_t. Fixes: 6f4b766315 ("PROV: add RSA signature implementation") Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23949)
* kdfs/hmacdrbg_kdf.c: Add checks for the EVP_MD_get_size()Jiasheng Jiang2024-04-011-1/+5
| | | | | | | | | | | | | Add checks for the EVP_MD_get_size() to avoid integer overflow and then explicitly cast from int to size_t. Fixes: f3090fc710 ("Implement deterministic ECDSA sign (RFC6979)") Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23950)
* Break the if statement up into 2 if statementsJiasheng Jiang2024-03-301-4/+6
| | | | | | | | | | | | Break the if statement up into 2 if statements to avoid call EVP_MD_get_size() twice. Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23959)
* signature/sm2_sig.c: Add the check for the EVP_MD_CTX_get_size()Jiasheng Jiang2024-03-301-0/+1
| | | | | | | | | | | | Add the check for the return value of EVP_MD_CTX_get_size() to avoid invalid negative numbers. Fixes: d0b79f8631 ("Add SM2 signature algorithm to default provider") Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23959)
* riscv: Fix remaining asm checksJakov Smolić2024-03-224-8/+8
| | | | | | | | | | | | | | | There are additional asm checks which don't check for OPENSSL_CPUID_OBJ causing the build to still fail on riscv [1], so fix them in the same manner as ff279597692f9f19dca5b147944d3d96f2e109f8 [1] https://bugs.gentoo.org/923956 Fixes: https://github.com/openssl/openssl/issues/22871 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23752) (cherry picked from commit daf1f8d64fff4a395ee7cf032484dc022a27e748)
* Implement KAT for KBKDF with KMAC128Joachim Vandersmissen2024-03-131-0/+33
| | | | | | Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23745)
* Implement PCT for EDDSApohsingwu2024-03-011-8/+134
| | | | | | | | | | | | | | | | | According to FIPS 140-3 IG 10.3.A Additonal Comment 1, a PCT shall be performed consistent with the intended use of the keys. This commit implements PCT for EDDSA via performing sign and verify operations after key generated. Also use the same pairwise test logic in EVP_PKEY_keygen and EVP_PKEY_pairwise_check for EDDSA in FIPS_MODULE. Add OSSL_SELF_TEST_DESC_PCT_EDDSA to OSSL_PROVIDER-FIPS page. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23408)
* Fix memory leaks on error cases during drbg initializationsTomas Mraz2024-02-095-5/+10
| | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/23503)
* Add appropriate NULL checks in EVP_CIPHER apiNeil Horman2024-01-251-0/+6
| | | | | | | | | | | | | | The EVP_CIPHER api currently assumes that calls made into several APIs have already initalized the cipher in a given context via a call to EVP_CipherInit[_ex[2]]. If that hasnt been done, instead of an error, the result is typically a SIGSEGV. Correct that by adding missing NULL checks in the apropriate apis prior to using ctx->cipher Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22995)
* Fix the encoding of SM2 keysRichard Levitte2024-01-121-1/+9
| | | | | | | | | | | | | | OpenSSL's encoding of SM2 keys used the SM2 OID for the algorithm OID where an AlgorithmIdentifier is encoded (for encoding into the structures PrivateKeyInfo and SubjectPublicKeyInfo). Such keys should be encoded as ECC keys. Fixes #22184 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22529)
* Fix partial block encryption in cfb and ofb for s390xHolger Dengler2024-01-122-7/+4
| | | | | | | | | | | | | | | | Use the number of processed bytes information (num) from the generic cipher context for the partial block handling in cfb and ofb, instead of keep this information in the s390x-specific part of the cipher context. The information in the generic context is reset properly, even if the context is re-initialized without resetting the key or iv. Fixes: #23175 Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23201)
* cleanse stack variable in kdf_pbkdf1_do_deriveNeil Horman2024-01-051-0/+1
| | | | | | | | | | | kdf_pbkdf1_do_derive stores key derivation information in a stack variable, which is left uncleansed prior to returning. Ensure that the stack information is zeroed prior to return to avoid potential leaks of key information Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23194)
* cleanse stack variable in blake2[b|s] finalizationNeil Horman2024-01-032-2/+6
| | | | | | | | | | | If the output of a blake2[b|s] digest isn't a multipl of 8, then a stack buffer is used to compute the final output, which is left un-zeroed prior to return, allowing the potential leak of key data. Ensure that, if the stack variable is used, it gets cleared prior to return. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23173)
* validate requested key length in kdf_pbkdf1_do_deriveNeil Horman2024-01-031-0/+5
| | | | | | | | | | | | | When using pbkdf1 key deriviation, it is possible to request a key length larger than the maximum digest size a given digest can produce, leading to a read of random stack memory. fix it by returning an error if the requested key size n is larger than the EVP_MD_size of the digest Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23174)
* riscv: Fix mispelling of extension test macroGrant Nichol2024-01-021-1/+1
| | | | | | | | | | | When refactoring the riscv extension test macros, RISCV_HAS_ZKND_AND_ZKNE was mispelled. CLA: trivial Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23139)
* Add missing settable entry OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS for RSA asymslontis2023-12-291-0/+1
| | | | | | Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20319)
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-08 12:23:09 +0000