Commit Graph

35626 Commits

Author SHA1 Message Date
Pauli
4ac531ddcb Document the fips-indicator param for the test RNG
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24851)
2024-07-17 10:43:21 +10:00
Pauli
df32ba9e92 Add unit tests for the TEST-RAND FIPS indicator
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24851)
2024-07-17 10:43:21 +10:00
Pauli
924321a519 Add FIPS indicator for TEST-RAND
The indicator is always non-FIPS, since this is used for internal tasks and
hasn't been validated.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24851)
2024-07-17 10:43:21 +10:00
erbsland-dev
2dd74d3acb Add tests for long configuration lines with backslashes
Introduce new test files to verify behavior with config lines longer than 512 characters containing backslashes. Updated test plan to include these new test scenarios.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24890)
2024-07-16 21:32:40 +02:00
erbsland-dev
f54e4bc51b Fix line continuation check in config parser
Fixes #8038: Previously, line continuation logic did not account for the 'again' flag, which could cause incorrect removal of a backslash character in the middle of a line. This fix ensures that line continuation is correctly handled only when 'again' is false, thus improving the reliability of the configuration parser.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24890)
2024-07-16 21:32:40 +02:00
erbsland-dev
f692ceeedc Clarify in-place encryption behavior in documentation
Fixes #7941: Update the `EVP_EncryptUpdate` documentation to specify that in-place encryption is guaranteed only if the context does not contain incomplete data from previous operations.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24887)
2024-07-16 13:20:58 -04:00
Neil Horman
c1a27bdeb9 Fix cmake generator
PR #24678 modified some environment variables and locations that the
cmake exporter depended on, resulting in empty directory resolution.
Adjust build build.info and input variable names to match up again

Fixes #24874

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24877)
2024-07-16 11:12:04 -04:00
Tomas Mraz
b916940752 Optimization of ossl_ec_key_public_check()
We can do just the quick check if cofactor == 1 as the
fact that the point is on the curve already implies
that order * point = infinity.

Fixes #21833

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24816)
2024-07-16 15:36:46 +02:00
Neil Horman
01753c09bb Set down_load factor on hash table when culling items in doall
oss-fuzz noted this issue:
https://oss-fuzz.com/testcase-detail/5363002606419968

Which reports a heap buffer overflow during ossl_method_cache_flush_some

Its occuring because we delete items from the hash table while inside
its doall iterator

The iterator in lhash.c does a reverse traversal of all buckets in the
hash table, and at some point a removal during an iteration leads to the
hash table shrinking, by calling contract.  When that happens, the
bucket index becomes no longer valid, and if the index we are on is
large, it exceeds the length of the list, leading to an out of band
reference, and the heap buffer overflow report.

Fix it by preventing contractions from happening during the iteration,
but setting the down_load factor to 0, and restoring it to its initial
value after the iteration is done

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24867)
2024-07-16 06:05:14 -04:00
Pauli
2c3f1a6cad Fix parameter types int -> integer changes
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24881)
2024-07-16 06:42:05 +02:00
Matt Caswell
5c6975bd44 Fix a copy & paste error in the EVP_RAND docs
The "max_request" string is defined via the OSSL_RAND_PARAM_MAX_REQUEST
macro.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24863)
2024-07-15 16:42:24 -04:00
Daniel Gustafsson
b33f2697d9 Rearrange code examples in docs for clarity
The introduction of a deprecation notice between the header include
line and the function prototypes left the inclusion in the previous
block.  Move the #include to after the deprecation notice to ensure
that the headers is included together with the corresponding MDX_y*
functions.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24864)
2024-07-15 12:21:31 -04:00
Neil Horman
9884568569 Fix coverity-1510058
coverity noted a recent change made a call to OSSL_PARAM_get_size_t
without checking the return code, as is practice in all other call
sites.

Just add the check.

Fixes openssl/private#551

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24860)
2024-07-15 10:10:00 +10:00
Neil Horman
42230f294a Convert check-format-commits.sh to use allowlist
Initially check-format-commits.sh tried to check everything, using a
banlist to exlude files not appropriate for checking.

Its becoming clear that that approach isn't workable, given that the
number of files that we should not check far outweighs the number of
files that we should check.

Ideally we should be checking .c files, .h files and their .in
counterparts, everything else should be excluded (at least for now)

convert the script to using an allowlist, only checking the above list,
and ignoring everything else

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24865)
2024-07-13 12:23:52 -04:00
Matt Caswell
e8c7febc8f Fix a minor typo in the documentation of RAND_set_seed_source_type()
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24858)
2024-07-12 18:08:44 +02:00
Richard Levitte
edb5dd56fc fix(stylecheck): Take advantage of check-format-commit.sh's new capability
.github/workflows/style-checks.yml now runs util/check-format-commit.sh
with the whole range of commits of the given PR.  This allows code style
fixups to be in a separate commit.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24856)
2024-07-12 15:37:07 +01:00
Richard Levitte
c2083f4ec6 feat: enhance util/check-format-commit.sh to be able to handle a commit range
Additionally, the 'git diff' call is modified to not show context lines, as
it's confusing to have style nits displayed on lines the author of the
commits hasn't touched.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24856)
2024-07-12 15:36:50 +01:00
erbsland-dev
b74646b627 Document Internal EVP_MD_CTX_ Flags
Add documentation for the internal flags `EVP_MD_CTX_FLAG_CLEANED` and
`EVP_MD_CTX_FLAG_REUSE`, explicitly stating that these flags are for
internal use only and must not be used in user code.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24829)
2024-07-12 15:54:35 +02:00
Georgi Valkov
20da3dabc4 o_fopen: fix coding style and build error with VS2010
Follow the coding style to place variable definitions before code

Fixes a build error on Windows 2003 with VS2010 introduced in [1]
crypto\o_fopen.c(45) : error C2143: syntax error : missing ';' before 'type'
crypto\o_fopen.c(46) : error C2275: 'DWORD' : illegal use of this type as an expression
        E:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\include\windef.h(152) : see declaration of 'DWORD'
crypto\o_fopen.c(46) : error C2146: syntax error : missing ';' before identifier 'flags'
crypto\o_fopen.c(46) : error C2065: 'flags' : undeclared identifier

[1] 917f37195a

Signed-off-by: Georgi Valkov <gvalkov@gmail.com>

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24853)
2024-07-12 11:23:56 +01:00
Tomas Mraz
b24a8200ab x_attrib.c: Fix print_hex() function
- Better handle 0 length input
- Use OPENSSL_buf2hexstr() instead of OPENSSL_buf2hexstr_ex()
  which fixes insufficient length of the allocate buffer.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24771)
2024-07-12 11:20:35 +01:00
Hongren Zheng
6cf42ad392 riscv: Fix cpuid_obj asm checks for sm4/sm3
Similar to #22881 / #23752

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/24486)
2024-07-12 11:09:02 +01:00
Richard Levitte
6eb648941e fix: drop DSA <=> dsaWithSHA1 aliasing
For some reason, DSA has been aliased with dsaWithSHA1 for an eternity.
They are not the same, though, and should never have been aliased in the
first place.

This was first discovered with 'openssl list':

    $ openssl list -signature-algorithms
    ...
    { 1.2.840.10040.4.1, 1.2.840.10040.4.3, 1.3.14.3.2.12, 1.3.14.3.2.13, 1.3.14.3.2.27, DSA, DSA-old, DSA-SHA, DSA-SHA1, DSA-SHA1-old, dsaEncryption, dsaEncryption-old, dsaWithSHA, dsaWithSHA1, dsaWithSHA1-old } @ default

This isn't good at all, as it confuses the key algorithms signature
function with a signature scheme that involves SHA1, and it makes it
look like OpenSSL's providers offer a DSA-SHA1 implementation (which
they currently do not do).

Breaking this aliasing apart (i.e. aliasing DSA, DSA-old, dsaEncryption
and dsaEncryption-old separately from the names that involve SHA) appears
harmless as far as OpenSSL's test suite goes.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24828)
2024-07-12 11:20:23 +02:00
Dmitry Misharov
8b591dceef deploy docs.openssl.org on doc changes
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24839)
2024-07-12 10:59:15 +02:00
Neil Horman
861e1f450c ignore various files in commit checker
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24845)
2024-07-11 23:13:47 -04:00
sashan
ad33d62396 EVP_DigestUpdate(): Check if ctx->update is set
The issue has been discovered by libFuzzer running on provider target.
There are currently three distinct reports which are addressed by
code change here.

    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=69236#c1
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=69243#c1
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=69261#c1

the issue has been introduced with openssl 3.0.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24753)
2024-07-11 21:48:56 +02:00
Matt Caswell
939dd479ac Limit the number of commands that can be used in the quic-lcidm fuzzer
The fuzzer was reporting a spurious timeout due to excessive numbers of
commands in a single file. We limit the number of commands to avoid this.

Found by OSSFuzz

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24831)
2024-07-11 14:17:11 -04:00
Neil Horman
c86d37cec9 Modify check-format to match line length coding style
In an effort to clarify our coding style, generally line lengths SHOULD
be no longer than 80 columns but MUST be no longer than 100 columns

Modify the check-format.pl script to account for this.

Replace the -l|--sloppy-len option (which modifies the max line length
to 84 rather than 80 cols), with -l|--strict-len which reduces allowed
line length to 80 cols from the new default 100 cols).

Also fix up a typo in the docs indicating --sloppy-bodylen has a short
-l option (its actually -b)

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/24841)
2024-07-11 12:28:25 -04:00
dependabot[bot]
00163371fa Dependabot update
CLA: trivial

(deps): Bump actions/setup-python

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.1.0 to 5.1.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v5.1.0...v5.1.1)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24843)
2024-07-11 09:53:55 +02:00
slontis
06da147373 Add FIPS indicators to evp_test
evp_test code needed to be modified to defer setting algorithm contexts
until the run phase. The parse functions also defer setting into the context
until the run phase, which allows the context to initialize in a controlled order.
This allows params to be passed into the algorithm init function.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24623)
2024-07-11 08:29:54 +10:00
slontis
c13ddf0a6c Change all existing FIPS configurable checks to use FIPS indicators.
This changes the logic to always do the security checks and then decide
what to do based on if this passes or not. Failure of a check causes
either a failure OR the FIPS indicator callback to be triggered.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24623)
2024-07-11 08:29:43 +10:00
slontis
d4848934a6 Add FIPS indicator helpers
Each provider algorithm context can use these helpers to add indicator
support.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24623)
2024-07-11 08:29:43 +10:00
slontis
0557d6c62b Add FIPS indicator callback.
Add a FIPS indicator callback that can be set via
OSSL_INDICATOR_set_callback(). This callback is intended to be run
whenever a non approved algorithm check has occurred and strict checking
has been disabled.The callback may be used to
log non approved algorithms. The callback is passed a type and
description string as well as the cbarg specified in OSSL_INDICATOR_set_callback.
The return value can be either 0 or 1.
A value of 0 can be used for testing purposes to force an error to occur from the algorithm
that called the callback.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24623)
2024-07-11 08:29:43 +10:00
Jiasheng Jiang
45cada1339 apps/rehash.c: Add the check for the EVP_MD_get_size()
Add the check for the return value of EVP_MD_get_size() to avoid invalid negative
numbers and then explicitly cast from int to size_t.

Add the check to prevent that EVP_MD_get_size() returns a value greater
than EVP_MAX_MD_SIZE.

Signed-off-by: Jiasheng Jiang <jiashengjiangcool@outlook.com>

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24802)
2024-07-10 18:23:44 +02:00
Dr. David von Oheimb
eaf577c865 extend X509_REQ_add_extensions_nid() and thuis APPS/req to support augmenting/overriding existing extensions
Fixes #11169

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24792)
2024-07-10 16:19:26 +02:00
Dr. David von Oheimb
4925af7bb8 add X509v3_add_extensions()
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24792)
2024-07-10 16:19:26 +02:00
Dr. David von Oheimb
94b40ec455 refactor and constify X509_REQ_get_extensions()
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24792)
2024-07-10 16:19:26 +02:00
Dr. David von Oheimb
b0ebb87ab5 constify ossl_x509at_add1_attr()
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24792)
2024-07-10 16:19:06 +02:00
Dr. David von Oheimb
77600210e2 X509at_add1_attr*(): extend error entry on duplicate attribute
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24792)
2024-07-10 16:19:06 +02:00
Dr. David von Oheimb
39424d9601 apps/req: avoid needless hint on using -help on duplicate extensions added via -addext
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24792)
2024-07-10 16:19:06 +02:00
Tomas Mraz
850bd09cf9 windows_comp.yml: Run openssl after it is built
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24820)
2024-07-10 15:20:49 +02:00
Neil Horman
fc22d74c53 Add a style-check workflow
Add a CI job that evaluates style issues, restricted only to lines
changed for the affected files in a given commit

Also provide a mechanism to waive those style issues.  by applying the
style:exempted label to a PR, the checks are still run (its nice to see
what they are regardless), but the test will pass CI regardless of
weather any issues are found.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24806)
2024-07-10 07:31:14 -04:00
Neil Horman
acae12eb78 Add a check-format-commit.sh script
Add a wrapper script to check-format.pl, which is capable of analyzing
commits rather than just a file.  for a provided commit this script:

1) runs check-format.pl on the files changed in the provided commit

2) filters the output of check-format.pl, only producing lines that
   match ranges of changed lines in those files

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24806)
2024-07-10 07:31:14 -04:00
erbsland-dev
2a45839778 Enhance documentation for BN_mask_bits()
Fixes #5537

Added a note that the error check for `BN_mask_bits()` depends
on the internal representation that depends on the platform's word size.
Included a reference to the `BN_num_bits()` function for precise bit checking.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24812)
2024-07-10 11:49:00 +02:00
Stephen Farrell
21dfb97596 Extend TLSv1.3 record layer padding API calls
Added SSL_set_block_padding_ex() and SSL_CTX_set_block_padding_ex()
to allow separate padding block size values for handshake messages
and application data messages.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24796)
2024-07-10 11:44:39 +02:00
erbsland-dev
b544047c99 Add documentation for deprecated CMAC_CTX functions
Fixes #5539: Create a new manual page `CMAC_CTX.pod` documenting the deprecated `CMAC_CTX` functions and add the necessary build dependencies. This page includes function descriptions, usage details, and replacement suggestions with the `EVP_MAC` interface.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24814)
2024-07-10 09:46:24 +02:00
erbsland-dev
2c1ef172f8 Add and Update Documentation for TS_VERIFY_CTX Functions
Mark the existing `TS_VERIFY_CTX_set_certs` function as deprecated in the
documentation.
Add missing documentation for the deprecated functions `TS_VERIFY_CTX_set_data`,
`TS_VERIFY_CTX_set_imprint`, and `TS_VERIFY_CTX_set_store`.
Write missing documentation for the following functions:
- `TS_VERIFY_CTX_new`
- `TS_VERIFY_CTX_init`
- `TS_VERIFY_CTX_free`
- `TS_VERIFY_CTX_cleanup`
- `TS_VERIFY_CTX_set_flags`
- `TS_VERIFY_CTX_add_flags`
- `TS_VERIFY_CTX_set0_data`
- `TS_VERIFY_CTX_set0_imprint`
- `TS_VERIFY_CTX_set0_store`
- `TS_VERIFY_CTX_set0_certs`

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24701)
2024-07-10 09:40:34 +02:00
erbsland-dev
6f811d839f Replace and Deprecate TS_VERIFY_CTX Functions
Fixes #18854

Replace and deprecate the functions `TS_VERIFY_CTX_set_data`,
`TS_VERIFY_CTX_set_store`, `TS_VERIFY_CTX_set_certs`, `TS_VERIFY_CTX_set_imprint`
with new versions: `TS_VERIFY_CTX_set0_data`,
`TS_VERIFY_CTX_set0_store`, `TS_VERIFY_CTX_set0_certs` and `TS_VERIFY_CTX_set0_imprint`.

The previous functions had poorly documented memory handling, potentially
leading to memory leaks. The new functions improve memory management and provide
clearer usage.

Also, update existing code to use the new function calls instead of the deprecated
ones.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24701)
2024-07-10 09:39:53 +02:00
olszomal
7751887025 Clarify supported curves in the s_client/s_server documentation
Mention that supported curves (aka groups) include named EC parameters
as well as X25519 and X448 or FFDHE groups.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24774)
2024-07-10 09:36:03 +02:00
Tomas Mraz
7b1e008d38 os-zoo.yml: Cleanup unnecessary -Wno-switch-default
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24787)
2024-07-10 09:34:42 +02:00
Neil Horman
d8def79838 read lock store on ossl_method_store_do_all
Theres a data race between ossl_method_store_insert and
ossl_method_store_do_all, as the latter doesn't take the property lock
before iterating.

However, we can't lock in do_all, as the call stack in several cases
later attempts to take the write lock.

The choices to fix it are I think:
1) add an argument to indicate to ossl_method_store_do_all weather to
   take the read or write lock when doing iterations, and add an
   is_locked api to the ossl_property_[read|write] lock family so that
   subsequent callers can determine if they need to take a lock or not

2) Clone the algs sparse array in ossl_method_store_do_all and use the
   clone to iterate with no lock held, ensuring that updates to the
   parent copy of the sparse array are left untoucheTheres a data race
   between ossl_method_store_insert and ossl_method_store_do_all, as the
   latter doesn't take the property lock before iterating.

I think method (2), while being a bit more expensive, is probably the
far less invasive way to go here

Fixes #24672

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24782)
2024-07-09 11:27:53 +02:00