Commit Graph

35338 Commits

Author SHA1 Message Date
JohnnySavages
16311dbf53 Check EC_GROUP_get0_order result before dereference
CLA: trivial

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24755)
2024-07-01 10:03:38 +02:00
Georgi Valkov
16beec98d2 threads_win: fix build error with VS2010 x86
InterlockedAnd64 and InterlockedAdd64 are not available on VS2010 x86.
We already have implemented replacements for other functions, such as
InterlockedOr64. Apply the same approach to fix the errors.
A CRYPTO_RWLOCK rw_lock is added to rcu_lock_st.

Replace InterlockedOr64 and InterlockedOr with CRYPTO_atomic_load and
CRYPTO_atomic_load_int, using the existing design pattern.

Add documentation and tests for the new atomic functions
CRYPTO_atomic_add64, CRYPTO_atomic_and

Fixes:
libcrypto.lib(libcrypto-lib-threads_win.obj) : error LNK2019: unresolved external symbol _InterlockedAdd64 referenced in function _get_hold_current_qp
libcrypto.lib(libcrypto-lib-threads_win.obj) : error LNK2019: unresolved external symbol _InterlockedOr referenced in function _get_hold_current_qp
libcrypto.lib(libcrypto-lib-threads_win.obj) : error LNK2019: unresolved external symbol _InterlockedAnd64 referenced in function _update_qp
libcrypto.lib(libcrypto-lib-threads_win.obj) : error LNK2019: unresolved external symbol _InterlockedOr64 referenced in function _ossl_synchronize_rcu

Signed-off-by: Georgi Valkov <gvalkov@gmail.com>

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24405)
2024-07-01 10:02:02 +02:00
Neil Horman
f96563297e Add badges for daily checks and provider compat
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24762)
2024-06-30 08:18:03 -04:00
Neil Horman
fccefa7016 Remove appveyor badge and replace it with os zoo badge
We don't use appveyor anymore. Replace it with the os zoo badge, so we
can more persistently see when its breaking

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24762)
2024-06-30 08:18:03 -04:00
Richard Levitte
5a9c90b1e5 OpenSSL::Test: Avoid running IPv6 related tests if IPv6 was explicitly disabled
It's possible to disable IPv6  explicitly when configuring OpenSSL.  In that
case, IPv6 related tests should be skipped.

This is solved by having OpenSSL::Test::Utils::have_IPv6() check configuration
first, before trying to determine if the machine supports IPv6.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24748)
2024-06-29 08:36:00 +02:00
Pauli
1eb122aa0c Clarify DRBG seeding.
There is a legacy code path that OpenSSL won't use anymore but applications
could.  Add a comment indicating this to avoid confusion for people not
intimately conversant with the nuances in the RNG code.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24745)
2024-06-29 14:11:28 +10:00
sanumesh
7afa7731e9 Add aix-clang and aix64-clang configuration
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24609)
2024-06-28 15:18:59 +02:00
Neil Horman
93a644d14a Remove macos-11 from CI
Recent build failure on os-zoo reports:
A brownout will take place on June, 8:00 AM – 2:00 PM EST to raise awareness of the upcoming macOS-11 environment removal.

It appears that github is retiring macos-11, so we may as well remove it
to prepare

Fixes #24739

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24744)
2024-06-28 11:17:59 +02:00
Neil Horman
15974897b7 Disable default case checks on clang 18
Recent updates in CI have upgraded clang to clang-18, which gripes when
it finds a switch statement without a default case.  We should add those
cases in, but since we have a lot of those, and CI is currently failing,
disable the check until we get them fixed up

Fixes #24739

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24744)
2024-06-28 11:17:59 +02:00
Neil Horman
68c7575afc Enable ipv6 use if available
Recently, it appears alpine containers added ipv6, which breaks our ipv6
ssl old tests because the perl test recipie runs the ipv6 test based on
runtime availability, even if the build time selection is to disable
ipv6.

Fix it by modifying the os zoo ci run to enable ipv6 in the build if its
available on the container

Fixes #24739

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24744)
2024-06-28 11:17:59 +02:00
Drokov Pavel
940059d545 p12_npas.c: Remove call with unused return value
CLA: trivial

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23275)
2024-06-28 09:12:03 +02:00
Jonathan M. Wilbur
41c1b6f0a5 ossl_print_attribute_value(): Multiple minor fixes for style and other errors
- use correct return values
- do not modify pointer in the atrtribute after decoding with d2i_X509_NAME()
- make oid parameter const in print_oid
- use OPENSSL_buf2hexstr_ex
- simplify return code translation from BIO_printf()

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24725)
2024-06-28 09:01:48 +02:00
sgzmd
fbd6609bb2 Free appname if it was set after initializing crypto.
Fixes #24729

CLA: trivial

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24730)
2024-06-27 19:49:52 +02:00
Vita Batrla
981d129a56 docs: document that *_free(NULL) does nothing
Explicitly documents that *_free(NULL) does nothing.
Fixes two cases where that wasn't true.
Fixes #24675.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Sasa Nedvedicky <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24735)
2024-06-27 18:26:26 +02:00
Matt Caswell
214c724e00 Add a test for an empty NextProto message
It is valid according to the spec for a NextProto message to have no
protocols listed in it. The OpenSSL implementation however does not allow
us to create such a message. In order to check that we work as expected
when communicating with a client that does generate such messages we have
to use a TLSProxy test.

Follow on from CVE-2024-5535

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24716)
2024-06-27 10:30:52 +01:00
Matt Caswell
de71058567 Add explicit testing of ALN and NPN in sslapitest
We already had some tests elsewhere - but this extends that testing with
additional tests.

Follow on from CVE-2024-5535

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24716)
2024-06-27 10:30:51 +01:00
Matt Caswell
238fa464d6 Add ALPN validation in the client
The ALPN protocol selected by the server must be one that we originally
advertised. We should verify that it is.

Follow on from CVE-2024-5535

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24716)
2024-06-27 10:30:51 +01:00
Matt Caswell
e10a3a84bf Correct return values for tls_construct_stoc_next_proto_neg
Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
rather than EXT_RETURN_SENT. This actually makes no difference at all to
the current control flow since this return value is ignored in this case
anyway. But lets make it correct anyway.

Follow on from CVE-2024-5535

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24716)
2024-06-27 10:30:51 +01:00
Matt Caswell
9925c97a8e Allow an empty NPN/ALPN protocol list in the tests
Allow ourselves to configure an empty NPN/ALPN protocol list and test what
happens if we do.

Follow on from CVE-2024-5535

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24716)
2024-06-27 10:30:51 +01:00
Matt Caswell
0d883f6309 Add a test for SSL_select_next_proto
Follow on from CVE-2024-5535

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24716)
2024-06-27 10:30:51 +01:00
Matt Caswell
a210f580f4 Clarify the SSL_select_next_proto() documentation
We clarify the input preconditions and the expected behaviour in the event
of no overlap.

Follow on from CVE-2024-5535

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24716)
2024-06-27 10:30:51 +01:00
Matt Caswell
fc8ff75814 Use correctly formatted ALPN data in tserver
The QUIC test server was using incorrectly formatted ALPN data. With the
previous implementation of SSL_select_next_proto this went unnoticed. With
the new stricter implemenation it was failing.

Follow on from CVE-2024-5535

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24716)
2024-06-27 10:30:51 +01:00
Matt Caswell
c6e1ea2235 More correctly handle a selected_len of 0 when processing NPN
In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
the selected_len is 0 we should fail. Previously this would fail with an
internal_error alert because calling OPENSSL_malloc(selected_len) will
return NULL when selected_len is 0. We make this error detection more
explicit and return a handshake failure alert.

Follow on from CVE-2024-5535

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24716)
2024-06-27 10:30:51 +01:00
Matt Caswell
2ebbe2d7ca Fix SSL_select_next_proto
Ensure that the provided client list is non-NULL and starts with a valid
entry. When called from the ALPN callback the client list should already
have been validated by OpenSSL so this should not cause a problem. When
called from the NPN callback the client list is locally configured and
will not have already been validated. Therefore SSL_select_next_proto
should not assume that it is correctly formatted.

We implement stricter checking of the client protocol list. We also do the
same for the server list while we are about it.

CVE-2024-5535

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24716)
2024-06-27 10:30:51 +01:00
Jonathan M. Wilbur
b76a6c26a2 test: add tests for acceptable policies exts
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24663)
2024-06-26 15:00:27 +02:00
Jonathan M. Wilbur
2b735fe219 feat: add acceptablePrivilegePolicies and acceptableCertPolicies exts
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24663)
2024-06-26 15:00:13 +02:00
Kelvin Lee
0169bbbd1c MASM: Need to strip arguments after .pdata or .xdata
For MASM,

.section .pdata,"r"

got translated to:

.pdata,"r"    SEGMENT READONLY ALIGN(4)

that breaks ml64.
Previous version of x86_64-xlate.pl did strip that ',"r"'.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Sasa Nedvedicky <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24714)
2024-06-26 12:03:45 +02:00
Tomas Mraz
55c1458303 evp_pkey_ctx_setget_params_to_ctrl(): Always properly set ctx.action_type
Fixes #24698

Some applicable translations are bidirectional so they have
NONE action_type. However we need to set the real action_type
in the ctx.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24709)
2024-06-26 11:52:02 +02:00
Richard Levitte
30dc37d798 Adapt all the exporter files to the new vars from util/mkinstallvars.pl
With this, the pkg-config files take better advantage of relative directory
values.

Fixes #24298

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24687)
2024-06-25 21:32:43 +02:00
Richard Levitte
6e0fd246e7 Give util/mkinstallvars.pl more fine grained control over var dependencies
Essentially, we try to do what GNU does.  'prefix' is used to define the
defaults for 'exec_prefix' and 'libdir', and these are then used to define
further directory values.  util/mkinstallvars.pl is changed to reflect that
to the best of our ability.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24687)
2024-06-25 21:32:34 +02:00
Ingo Franzki
a9064366e8 Fix memory leak in x509_req_test
Running the x509_req_test with address sanitizer shows a memory leak:

==186455==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 53 byte(s) in 1 object(s) allocated from:
    #0 0x3ffad5f47af in malloc (/lib64/libasan.so.8+0xf47af) (BuildId: 93b3d2536d76f772a95880d76c746c150daabbee)
    #1 0x3ffac4214fb in CRYPTO_malloc crypto/mem.c:202
    #2 0x3ffac421759 in CRYPTO_zalloc crypto/mem.c:222
    #3 0x100e58f in test_mk_file_path test/testutil/driver.c:450
    #4 0x1004671 in test_x509_req_detect_invalid_version test/x509_req_test.c:32
    #5 0x100d247 in run_tests test/testutil/driver.c:342
    #6 0x10042e3 in main test/testutil/main.c:31
    #7 0x3ffaad34a5b in __libc_start_call_main (/lib64/libc.so.6+0x34a5b) (BuildId: 461b58df774538594b6173825bed67a9247a014d)
    #8 0x3ffaad34b5d in __libc_start_main@GLIBC_2.2 (/lib64/libc.so.6+0x34b5d) (BuildId: 461b58df774538594b6173825bed67a9247a014d)
    #9 0x1004569  (/root/openssl/test/x509_req_test+0x1004569) (BuildId: ab6bce0e531df1e3626a8f506d07f6ad7c7c6d57)
SUMMARY: AddressSanitizer: 53 byte(s) leaked in 1 allocation(s).

The certFilePath that is obtained via test_mk_file_path() must be freed when
no longer used.

While at it, make the certFilePath variable a local variable, there is no need
to have this a global static variable.

Fixes: 7d2c0a4b1f

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24715)
2024-06-25 16:09:22 +02:00
erbsland-dev
57b83edc46 bio_ssl.c: Do not call SSL_shutdown if not inited
Fixes #4545

If free is called for an SSL BIO that is in initialization phase,
the `SSL_shutdown` call is omitted.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24705)
2024-06-25 16:06:17 +02:00
Karol Brzuskiewicz
42a8ef844e Fix usage of deallocated EVP_RAND_CTX after execution of FIPS on-demand self tests
Once RNG is used, triggering FIPS on-demand self tests (via
OSSL_PROVIDER_self_test() API) crashes the application. This happens because the
RNG context is stored before self tests, and restored after their execution.
In the meantime - before context restoration - RAND_set0_private() function is
called, which decrements the stored RNG context reference counter and frees it.
To resolve the issue, the stored RNG context refcount has been incremented via
the EVP_RAND_CTX_up_ref() API to avoid its deallocation during the RNG context
switch performed by the self test function.
The provider_status_test test has been updated to reproduce the issue as
a regression test.

Signed-off-by: Karol Brzuskiewicz <kabr@arista.com>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24599)
2024-06-24 19:02:43 +02:00
Tomas Mraz
d38f62ea11 Allow calling OPENSSL_INIT_free() with NULL argument
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24681)
2024-06-24 15:49:35 +02:00
David Benjamin
3fc784835c stricter parser for ipv4_from_asc
reject invalid IPv4 addresses in ipv4_from_asc

The old scanf-based parser accepted all kinds of invalid inputs like:
"1.2.3.4.5"
"1.2.3.4 "
"1.2.3. 4"
" 1.2.3.4"
"1.2.3.4."
"1.2.3.+4"
"1.2.3.4.example.test"
"1.2.3.01"
"1.2.3.0x1"
Thanks to Amir Mohamadi for pointing this out.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24438)
2024-06-24 15:43:12 +02:00
Tomas Mraz
94567d6889 Add Provider compatibility on PR CI job
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24537)
2024-06-24 15:40:09 +02:00
Jonathan M. Wilbur
be5adfd6e3 Support subjectDirectoryAttributes and associatedInformation exts
Added tests for SDA and AI extensions.
Added internal function ossl_print_attribute_value() with documentation.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24669)
2024-06-24 15:33:21 +02:00
Dimitri Papadopoulos
8f250985ad Fix typos found by codespell
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/24691)
2024-06-24 15:09:11 +02:00
erbsland-dev
89c9c3b857 Extend mask of ssl_method_st to 64-bit
Fixes #23260: The bit count for `SSL_OP_*` flags has exceeded 32 bits, making it impossible to handle newer flags and protocol extensions with the existing 32-bit variables. This commit extends the `mask` field in the `ssl_method_st` structure to 64-bit, aligning them with the previously extended 64-bit `options` field.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24692)
2024-06-23 10:09:07 -04:00
Richard Levitte
b23cd39f0a [DOCS] Correct history in doc/man3/OSSL_STORE_LOADER.pod
Bulk editing had history wrongly specify current functions as deprecated,
among other small errors.

Fixes #24678

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24680)
2024-06-22 06:28:26 +02:00
erbsland-dev
7d2c0a4b1f Make x509_req_test ANSI Compatible
Update the `x509_req_test` to ensure ANSI compatibility. The integrated certificate string was too long, so the PEM certificate has been moved to `certs/x509-req-detect-invalid-version.pem`. The test have been updated to load this certificate from the file on disk.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24677)
2024-06-21 15:40:45 -04:00
erbsland-dev
895ecd0ce8 Add Test for Verification Failure on Incorrect X509 Version
Tests #5738: Introduce a new test to verify that a malformed X509 request with the version field set to version 6 fails either early when reading from data or later when `X509_REQ_verify` is called.
Adding a new test recipe `60-test_x509_req.t`

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24677)
2024-06-21 15:40:45 -04:00
erbsland-dev
7fab3c7d61 Add Version Check for CSR Verification
Fixes #5738: This change introduces a check for the version number of a CSR document before its signature is verified. If the version number is not 1 (encoded as zero), the verification function fails with an `X509_R_UNSUPPORTED_VERSION` error.

To minimize impact, this check is only applied when verifying a certificate signing request using the `-verify` argument, resulting in a `X509_REQ_verify` call. This ensures that malformed certificate requests are rejected by a certification authority, enhancing security and preventing potential issues.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24677)
2024-06-21 15:40:45 -04:00
Hubert Kario
03448ba21b s_client: use the full buffer for reads
Use full allocated buffer for reads to not call into switch() over and
over; also increase the size of the buffer to 16 kiB (max for TLS
records). The server side already is using 16 kiB buffers.

Signed-off-by: Hubert Kario <hkario@redhat.com>

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24688)
2024-06-21 13:09:17 -04:00
Tomas Mraz
663dbc9c9c Fix regression of EVP_PKEY_CTX_add1_hkdf_info() with older providers
If there is no get_ctx_params() implemented in the key exchange
provider implementation the fallback will not work. Instead
check the gettable_ctx_params() to see if the fallback should be
performed.

Fixes #24611

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24661)
2024-06-21 16:41:33 +02:00
Robert Schulze
af82623d32 Incorporate more review feedback
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24673)
2024-06-21 07:57:56 -04:00
Robert Schulze
8d934a7592 Incorporate review feedback
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24673)
2024-06-21 07:57:56 -04:00
Robert Schulze
79886c85b3 Fix data race between SSL_SESSION_list_add and ssl_session_dup
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24673)
2024-06-21 07:57:56 -04:00
Tomas Mraz
2f0b4974df Add test for ASN1_item_verify()
This is a test for https://github.com/openssl/openssl/issues/24575
Original idea by Theo Buehler.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24576)
2024-06-21 10:03:42 +02:00
Tomas Mraz
8d380f85da ASN1_item_verify_ctx(): Return -1 on fatal errors
Fixes #24575

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24576)
2024-06-21 10:03:42 +02:00