Commit Graph

34940 Commits

Author SHA1 Message Date
Tomas Mraz
13ee569d41 Set AFL_MAP_SIZE to avoid crash in the AFL CI job
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23843)
2024-03-15 10:23:45 +01:00
Tomas Mraz
b7de38e84c Add a test using the bandwidth limit filter
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23588)
2024-03-15 10:19:19 +01:00
Tomas Mraz
37ffd4a1fa Add support for bandwidth limitation in noisydgram BIO filter
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23588)
2024-03-15 10:19:19 +01:00
Tomas Mraz
45d16a44eb bio_f_noisy_dgram_filter(): Fix typo
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23588)
2024-03-15 10:19:19 +01:00
Shakti Shah
9f3a7ca2cf SSL_add_dir_cert_subjects_to_stack(): Documented return values
In the man page for SSL_add_dir_cert_subjects_to_stack(), the functions
returning int have undocumented return values.

Fixes #23171

Signed-off-by: Shakti Shah <shaktishah33@gmail.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23433)
2024-03-15 10:15:03 +01:00
Job Snijders
c5e097dec5 Add Content Type OID for id-ct-rpkiSignedPrefixList
References: draft-ietf-sidrops-rpki-prefixlist
Title: "A profile for Signed Prefix Lists for Use in the Resource Public Key Infrastructure (RPKI)"

OID assigned under 'SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)'
https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23426)
2024-03-15 09:10:22 +01:00
Tomas Mraz
5c846d32d4 apps/x509.c: No warning reading from stdin if redirected
Fixes #22893

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23526)
2024-03-15 09:07:51 +01:00
Neil Horman
37cd49f57f Fix ASLR to be smaller during asan/tsan/ubsan runs
Recently asan/tsan/ubsan runs have been failing randomly.  It appears
that a recent runner update may have led to the Address Space Layout
Randomization setting in the linux kernel of ubuntu-latest runner
getting set to too high a value (it defaults to 30).  Such a setting
leads to the possibility that a given application will have memory
mapped to an address space that the sanitizer code typically uses to do
its job.  Lowering this value allows a/t/ubsan to work consistently
again

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23842)
2024-03-15 08:47:24 +01:00
Frederik Wedel-Heinen
f08be09651 Avoid a memcpy in dtls_get_reassembled_message()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23828)
2024-03-14 18:19:17 +01:00
Vladimirs Ambrosovs
c91f0ca958 Fix dasync_rsa_decrypt to call EVP_PKEY_meth_get_decrypt
Signed-off-by: Vladimirs Ambrosovs <rodriguez.twister@gmail.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23825)
2024-03-14 08:49:01 +01:00
Joachim Vandersmissen
3cb0755323 Implement KAT for KBKDF with KMAC128
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23745)
2024-03-13 17:04:31 +01:00
sharad3001
39202836d6 Update tls13ccstest.c, removal of deadcode
tst has been already checked for invalid value in the start of the function with switch statement.

Checked again here, so removed deadcode

CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23813)
2024-03-13 17:00:48 +01:00
Frederik Wedel-Heinen
7649b5548e Add fuzzing for DTLS
Update the fuzz corpora submodule with the DTLS fuzz corpus.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23585)
2024-03-12 20:10:40 +01:00
James Muir
cf8422480a s_server: test ocsp with "-cert_chain"
Add a test to exercise the use of s_server with "-cert_chain" to
construct an ocsp request.

This new functionality was added in PR #22192.

Testing:

  make V=1 TESTS='test_ocsp_cert_chain' test

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23101)
2024-03-12 19:54:27 +01:00
Alexandr Nedvedicky
7f8aba2f44 Limit the number of http headers when receiving the http response
Change introduces a default limit on HTTP headers we expect to receive
from server to 256. If limit is exceeded http client library indicates
HTTP_R_RESPONSE_TOO_MANY_HDRLINES error. Application can use
OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines() to change default.
Setting limit to 0 implies no limit (current behavior).

Fixes #22264

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23781)
2024-03-12 19:35:41 +01:00
Jiasheng Jiang
bc930bed20 Add check for xor_get_aid()
Add check for the return value of xor_get_aid() in order to avoid NULL pointer deference.

For example, "algor" could be NULL if the allocation of X509_ALGOR_new() fails. As a result, i2d_X509_ALGOR() will return 0 and "ctx->aid" will be an invalid value NULL.

Fixes: f4ed6eed2c ("SSL_set1_groups_list(): Fix memory corruption with 40 groups and more")
Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu>

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23764)
2024-03-12 19:32:32 +01:00
olszomal
7ceb770883 Improve the documentation on -cert_chain and -status_verbose options
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22192)
2024-03-12 14:02:13 +01:00
olszomal
d6aafeb107 Use the untrusted certificate chain to create a valid certificate ID for OCSP_request
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22192)
2024-03-12 14:02:13 +01:00
谭九鼎
52a75f4088 Doc: fix style
CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23805)
2024-03-12 06:44:45 +01:00
Jiasheng Jiang
8211ca45e4 PKCS7: Remove one of the duplicate checks
There are two consecutive identical checks "if (i <= 0)".
We can remove one of them to make the code clear.

CLA: trivial

Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu>

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23741)
2024-03-11 15:19:15 +01:00
Aarni Koskela
1f03d33ef5 Add reformatting commit to .git-blame-ignore-revs
CLA: trivial

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23748)
2024-03-11 12:18:03 +00:00
slontis
5df34ca70a Make the generated params_idx.c file deterministic if run multiple
times.

Fixes #23672

There are many name/value pairs currently that have duplicate names e.g.

    'CAPABILITY_TLS_GROUP_MAX_TLS' =>           "tls-max-tls",
    'CAPABILITY_TLS_SIGALG_MAX_TLS' =>          "tls-max-tls",

Stripping the .pm file down to just the above entries and running
multiple times gives different results for the produce_decoder.

On multiple runs any iterations over the unordered hash table keys using
foreach my $name (keys %params) results in a different order on multiple
runs. Because of this the mapping from the hash 'value' back to the
'key' will be different.

Note that the code also uses another mechanism in places that uses
"name1" => "value"
"name2" => "*name1"
Rather than fix all the strings the change done was to sort the keys. If
we were to chose to fix the strings then the perl code should be changed
to detect duplicates.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23688)
2024-03-11 12:08:00 +00:00
Alexandr Nedvedicky
854539889d FAQ.md should be removed
the page the link refers to does not exist.
Anyone objects to delete file?

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23719)
2024-03-11 11:40:25 +00:00
slontis
d60b37506d Fix BIO_get_new_index() to return an error when it is exhausted.
Fixes #23655

BIO_get_new_index() returns a range of 129..255.

It is set to BIO_TYPE_START (128) initially and is incremented on each
call.
>= 256 is reserved for the class type flags (BIO_TYPE_DESCRIPTOR) so it
should error if it reaches the upper bound.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23732)
2024-03-11 11:34:25 +00:00
Neil Horman
53a8728686 Bring SSL_group_to_name docs in line with API definition
docs say the SSL object in this function is const, but the api doesn't
qualify it as such.  Adjust the docs to match the definition

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23785)
2024-03-09 19:05:23 -05:00
Hugo Landau
bf7ae259a4 Add CHANGES
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23584)
2024-03-09 08:56:59 +00:00
Hugo Landau
7b4436a7cb QUIC MULTISTREAM TEST: Test write buffer statistics queries
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23584)
2024-03-09 08:56:59 +00:00
Hugo Landau
b317583f4a QUIC: Add stream write buffer queries
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23584)
2024-03-09 08:56:59 +00:00
Bernd Edlinger
a24f29bbb4 Try to fix intermittent CI failures in sslapitest
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23705)
2024-03-08 18:23:20 +01:00
Hugo Landau
6d42be3af7 QLOG: Fix indentation
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23598)
2024-03-07 23:48:49 +00:00
Hugo Landau
5f02bbd5a6 QUIC: Define error code for stateless reset
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23598)
2024-03-07 23:48:49 +00:00
Hugo Landau
c38558357d QUIC: Add documentation for QUIC error codes
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23598)
2024-03-07 23:48:49 +00:00
Hugo Landau
4b4b9c9eb3 QUIC: Uniform changes for QUIC error code definitions rename
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23598)
2024-03-07 23:48:49 +00:00
Hugo Landau
02f5ab7785 QUIC: Make QUIC transport error codes public
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23598)
2024-03-07 23:48:49 +00:00
Bernd Edlinger
74fd682388 Dont run the self-hosted workflows when not available
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23678)
2024-03-07 18:27:02 +01:00
Neil Horman
b5e076bee3 Gate setting of ipi_spec_dst on not building for freebsd
some variants of FreeBSD (notably Dells OneFS) implement IP_PKTINFO
partially, and as such the build breaks for those variants.
specifically, it supports IP_PKTINFO, but the in_pktinfo struct has no
defined ipi_spec_dst field.  Work around this by gating the setting of
that variable on not building for FreeBSD

Fixes #23739

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23753)
2024-03-07 08:14:12 -05:00
Stanislav Zidek
f38d9b74c9 interop tests: Fedora 39 config, simplify updates
Imitating Fedora 39 configuration in openssl.cnf with
SECLEVEL lowered to 0 in order to be able to run
TLS 1.3 tests with TLS_AES_128_CCM_8_SHA256.

In order to make updating smoother, check out specific tag rather
than the branch. This way, "old" tests can be fetched until PR
pointing to "new" tests is merged, so backwards-incompatible
changes can be done when needed.

Files specific for openssl upstream moved to separate
directory.

CLA: trivial

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23747)
2024-03-07 07:52:43 -05:00
Dmitry Belyavskiy
6134e8e6dd Fix a memory leak on successful load of CRL
Fixes #23693

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23695)
2024-03-07 11:03:31 +01:00
Hugo Landau
8d8866aff3 QUIC QLOG: Fix ANSI
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23744)
2024-03-06 20:44:48 +00:00
Hugo Landau
6a11cd50d5 QUIC QLOG: Fix use of sprintf
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23744)
2024-03-06 20:44:48 +00:00
Hugo Landau
e98940d6f6 Enable qlog support by default
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23744)
2024-03-06 20:44:48 +00:00
Tomas Mraz
cd2cdb6158 Document that unknown groups and sigalgs marked with ? are ignored
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23050)
2024-03-06 10:42:05 +01:00
Tomas Mraz
2b4cea1edf Add test for ignoring unknown sigalgs and groups marked with ?
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23050)
2024-03-06 10:42:05 +01:00
Tomas Mraz
10f65f7282 Allow ignoring unknown sigalgs and groups in the configuration
Related to #20789

Signature algorithms and groups in the configuration that are
preceded with ? character and are unknown to libssl are just ignored.
The handling for them is similar to handling of ciphers.
I.e., there should be a failure only in case the configuration produces
no valid sigalgs or groups.

Also ignore duplicate sigalgs and groups as such confiuration errors
should not be fatal.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23050)
2024-03-06 10:42:05 +01:00
Dr. David von Oheimb
d6d9277b2e apps/cmp: improve -reqin option to read fallback public key from first request message file given
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21660)
2024-03-06 08:49:28 +01:00
Dr. David von Oheimb
bcd3707dba crypto/cmp: add OSSL_CMP_MSG_get0_certreq_publickey(); fix coding style nit
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21660)
2024-03-06 08:49:28 +01:00
Dr. David von Oheimb
904ee65290 apps/cmp: extend documentation and diagnostics for using -reqin in special situations
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21660)
2024-03-06 08:49:28 +01:00
Dr. David von Oheimb
2fbe23bbbe apps/cmp: add -reqout_only option for dumping/saving just the initial CMP request message
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21660)
2024-03-06 08:49:28 +01:00
Dr. David von Oheimb
a143e4e3c9 apps/cmp.c: refactor to fix some coding style nits and more convenient source-level debugging
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21660)
2024-03-06 08:48:48 +01:00
Dr. David von Oheimb
5003abae02 cmperr.h: use free reason value 106 rather than 197 for CMP_R_UNEXPECTED_SENDER
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/21660)
2024-03-06 08:48:48 +01:00