Commit Graph

36052 Commits

Author SHA1 Message Date
Tomas Mraz
93bfe97c5b sm2_sig_verify(): Do not call BN_CTX_end() without BN_CTX_start()
In case of memory allocation failure this
could happen.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25994)
2024-11-21 11:13:56 +01:00
Michael Baentsch
0c64b1ca03 add new keytype test for EVP_PKEY_Q_keygen
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25972)
2024-11-21 09:09:45 +00:00
Tomas Mraz
47a80fd203 pkeyutl.c: Avoid freeing pkey at multiple places
Also fixes a leak of pkey in error case for -verifyrecover.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25987)
2024-11-20 17:40:26 +01:00
spectre
6f2c97d50a README.md: Fix typo. Change 'the are' to 'there are'
This pull request fixes a typo in the documentation.
The phrase "the are" has been corrected to "there are".

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25977)
2024-11-20 17:23:10 +01:00
Michael Baentsch
1a077b38c9 s_cb.c: Move the negotiated group output
It needs to be always displayed not just with -brief.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25959)
2024-11-20 17:10:20 +01:00
wangcheng
4c41aa4b33 Add CTX copy function for EVP_MD to optimize the performance of EVP_MD_CTX_copy_ex.
1. Add OSSL_FUNC_digest_copyctx_fn function for EVP_MD, which is used to copy algctx from the old EVP_MD_CTX to the new one.

2. Add implementation of OSSL_FUNC_digest_copyctx_fn function for default providers.

3. Modify EVP_MD_CTX_copy_ex: When the fetched digest is the same in in and out contexts, use the copy function to copy the members in EVP_MD_CTX if the OSSL_FUNC_digest_copyctx_fn function exists. Otherwise, use the previous method to copy.

4. Add documentation for OSSL_FUNC_digest_copyctx function in doc/man7/provider-digest.pod.

5. Add testcase.

Fixes #25703

Signed-off-by: wangcheng <bangwangnj@163.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25726)
2024-11-20 14:12:53 +01:00
Dr. David von Oheimb
9ca66fc273 x509_vfy.c and x509_lu.c: refactor find_issuer(), X509_STORE_CTX_get1_issuer(), etc.
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18762)
2024-11-20 12:48:24 +01:00
Tomas Mraz
6a3d5b6e62 os-zoo CI: Replace macos-12 run with macos-15
macos-12 runners will be removed in December.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Hugo Landau <hlandau@devever.net>
(Merged from https://github.com/openssl/openssl/pull/25715)
2024-11-20 12:19:57 +01:00
Neil Horman
dcb5d6bf88 Add docs for OSSL_PARAM_print_to_buf
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25630)
2024-11-19 08:40:13 -05:00
Neil Horman
63b671626e Make ossl_trace_param_values an official api function
lots of people may want to print params to a buffer.  Make it part of
our api

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25630)
2024-11-19 08:38:25 -05:00
Neil Horman
4fec10eae7 Add QUERY trace points
Adds trace messages for method store add/remove and fetch operations

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25630)
2024-11-19 08:36:25 -05:00
Neil Horman
3eed43f8a1 Add a QUERY trace category
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25630)
2024-11-19 08:36:19 -05:00
Neil Horman
11539fd734 Add tracing messages to the provider api
Adds tracing messages to the
init/teardown/gettable_params/get_params/query/unquery operations for a
provider

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25630)
2024-11-19 08:36:19 -05:00
Neil Horman
193296eaaa Adding a trace category for PROVIDER calls
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25630)
2024-11-19 08:36:19 -05:00
Dmitry Misharov
5c5b8d2d7c remove ternary from runs-on, security repo is hosted on github.com
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25939)
2024-11-15 17:44:56 +01:00
Alicja Kario
eaf4da97c9 man ECDSA_sign(3): fix wrong variable names
the parameters in the function definitions use `siglen` not `sig_len`,
this fixes the doc text.

Signed-off-by: Alicja Kario <hkario@redhat.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25927)
2024-11-13 17:32:45 +01:00
Andrew Dinh
ef39dd058b Change "a SSL" to "an SSL"
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25868)
2024-11-13 17:24:40 +01:00
Tomas Mraz
837f05fc30 test_hashtable_multithread(): Stress it more
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Hugo Landau <hlandau@devever.net>
(Merged from https://github.com/openssl/openssl/pull/25669)
2024-11-13 17:22:37 +01:00
Tomas Mraz
9abd6ca635 Use test_random() in hashtable mt test for reproducibility
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Hugo Landau <hlandau@devever.net>
(Merged from https://github.com/openssl/openssl/pull/25669)
2024-11-13 17:22:37 +01:00
Dr. David von Oheimb
577ec498bd Fix doc and use of_X509v3_add_extensions() in case sk_X509_EXTENSION_num(exts) <= 0
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25631)
2024-11-13 17:19:58 +01:00
Neil Horman
15c6580a76 Add test for SSL_stream_reset
Add a test to the quic_multistream test suite to reset a stream after
all data has been received by a given stream, ensuring that we don't
crash in the reset operation

Fixes #25410

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25910)
2024-11-13 10:55:16 -05:00
Neil Horman
bbfffbcaf3 Fix SSL_stream_reset for stream objects which have FIN bit set
When calling SSL_stream_reset on a QUIC stream object that has received
all data that is expected to be sent (i.e. when the sender has sent a
STREAM frame with the FIN bit set), we encounter the following segfault:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f0bd28 in ossl_quic_sstream_get_final_size (qss=0x0, final_size=0x0) at ssl/quic/quic_sstream.c:273
273	    if (!qss->have_final_size)
(gdb) bt
0)  0x00007ffff7f0bd28 in ossl_quic_sstream_get_final_size (qss=0x0, final_size=0x0) at ssl/quic/quic_sstream.c:273
1)  0x00007ffff7ef65bf in quic_validate_for_write (xso=0x5555555efcb0, err=0x7fffffffd5e0) at ssl/quic/quic_impl.c:2513
2)  0x00007ffff7ef8ae3 in ossl_quic_stream_reset (ssl=0x5555555efcb0, args=0x0, args_len=0) at ssl/quic/quic_impl.c:3657
3)  0x00007ffff7ebdaa6 in SSL_stream_reset (s=0x5555555efcb0, args=0x0, args_len=0) at ssl/ssl_lib.c:7635
4)  0x0000555555557527 in build_request_set (
    req_list=0x55555555ebd0 "neil1.txt neil2.txt neil3.txt neil4.txt neil5.txt neil6.txt neil7.txt neil8.txt neil9.txt neil10.txt neil11.txt neil12.txt neil13.txt neil14.txt neil15.txt neil16.txt neil17.txt neil18.txt neil19.txt "..., ssl=0x5555555b6f80)
    at demos/guide/quic-hq-interop.c:545
5)  0x00005555555587b2 in main (argc=4, argv=0x7fffffffe568) at demos/guide/quic-hq-interop.c:941

This occurs because:
1) When the stream FIN bit is set, the quic stack frees the underlying
   stream structures immediately within the QUIC stack
and
2) when SSL_stream_reset is called, the call stack indicates we call
   quic_validate_for_write, which attempts to access the
   xso->stream->sstream QUIC_SSTREAM object, which was already freed in
   (1)

The fix I think is pretty straightforward.  On receipt of a STREAM frame
with a FIN bit set, the QUIC stack sets the QUIC_STREAM object state to
QUIC_SSTREAM_STATE_DATA_RECVD, which means we can use that state to
simply assert that the stream is valid for write, which allows it to be
reset properly.

Fixes #25410

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25910)
2024-11-13 10:55:08 -05:00
Tomas Mraz
21f6c3b4fb Adjustments for the on schedule workflows
Run them all after 02:00 UTC.
Add possibility to run them on workflow_dispatch.
Add branch 3.4 to the coveralls.yml.
Remove the branches from os-zoo.yml as it is
possible to run on them manually from workflow_dispatch.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25765)
2024-11-13 12:15:35 +01:00
Holger Dengler
0abbd3e5ac Fix memleaks in cmd_RecordPadding()
Free the internal copy of parameter `value` on each early
exit.

Fixes #25906

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25926)
2024-11-13 12:00:26 +01:00
Jonathan M. Wilbur
1f7d2a2887 feat: define and use ossl_bio_print_hex
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25429)
2024-11-13 11:53:34 +01:00
Jonathan M. Wilbur
80b0a33b38 test: the attributeDescriptor X.509v3 extension
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25429)
2024-11-13 11:53:34 +01:00
Jonathan M. Wilbur
044b95837a doc: the attributeDescriptor X.509v3 extension
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25429)
2024-11-13 11:53:34 +01:00
Jonathan M. Wilbur
cccdf41010 feat: support the attributeDescriptor X.509v3 extension
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25429)
2024-11-13 11:53:34 +01:00
Tomas Mraz
ba6f115ccf txp_generate_stream_frames(): Set stream id in header early enough
Otherwise we will calculate an incorrect header
size for higher stream ids and won't fit the
frame into the packet.

Fixes #25417

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25928)
2024-11-12 16:56:09 +01:00
Dr. David von Oheimb
dd73b45e28 APPS/load_key_certs_crls(): refactor to clean up the code a little and add clarifying comments
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
(Merged from https://github.com/openssl/openssl/pull/22528)
2024-11-12 12:27:46 +01:00
Dr. David von Oheimb
012353bdf2 openssl-pkeyutl.pod.in: improve description of -rawin and -digest options
Fixes #25827

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25831)
2024-11-09 12:06:38 +01:00
Dr. David von Oheimb
26a826c2d1 openssl-pkeyutl.pod.in: add that -sign is default op, update claim on hash needed for -sign/-verify, etc.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25831)
2024-11-09 12:06:07 +01:00
Dr. David von Oheimb
abad748da8 APPS/pkeyutl: add missing high-level check for -verifyrecover being usable only with RSA
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25903)
2024-11-09 11:43:59 +01:00
Dr. David von Oheimb
fe07cbf9c3 APPS/pkeyutl: remove wrong check for -verifyrecover regarding too long sign/verify input
Fixed #25898

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25903)
2024-11-09 11:43:59 +01:00
Matt Caswell
b10cfd93fd Add a test for setting TLSv1.2 ciphersuites on a QUIC object
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25886)
2024-11-08 14:36:17 +01:00
Matt Caswell
40237bf97a Don't complain with "no cipher match" for QUIC objects
Calling the functions SSL_CTX_set_cipher_list() or SSL_set_cipher_list() will
return the error "no cipher match" if no TLSv1.2 (or below) ciphers are enabled
after calling them. However this is normal behaviour for QUIC objects which do
not support TLSv1.2 ciphers. Therefore we should suppress that error in this
case.

Fixes #25878

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25886)
2024-11-08 14:36:17 +01:00
Matt Caswell
e54526413d Add a test for the new_session_cb from a QUIC object
Setting a new_session_cb should work for a QUIC object just as it does
with a normal TLS object.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25874)
2024-11-07 12:05:34 +01:00
Matt Caswell
dc84829cc5 Make sure we use the correct SSL object when making a callback
When processing a callback within libssl that applies to TLS the original
SSL object may have been created for TLS directly, or for QUIC. When making
the callback we must make sure that we use the correct SSL object. In the
case of QUIC we must not use the internal only SSL object.

Fixes #25788

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25874)
2024-11-07 12:05:34 +01:00
Matt Caswell
f88c2f2d17 Keep hold of a reference to the user SSL in QUIC
In some cases a QUIC SSL_CONNECTION object needs to get hold of a reference
to the original SSL object as created by the user. We should keep a
reference to it.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25874)
2024-11-07 12:05:23 +01:00
Vladimirs Ambrosovs
2aaef03339 Bugfixes for params to legacy control translations for EC parameters
param->ctrl translation: Fix fix_ecdh_cofactor()

In POST_PARAMS_TO_CTRL state the fix_ecdh_cofactor() function should
return value in ctx->p1

param->ctrl translation: fix evp_pkey_ctx_setget_params_to_ctrl
 return

Since some of the ctrl operations may return 0 as valid value
(e.g. ecdh_cofactor value 0 is valid setting), before colling
POST_PARAMS_TO_CTRL, we need to check return value for 0 as well
otherwise the evp_pkey_ctx_setget_params_to_ctrl function fails
without a chance to fix the return value

param->ctrl translation: Set ecdh_cofactor default action_type GET

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22587)
2024-11-07 10:35:54 +01:00
oleg.hoefling
85a52f7292 Adjust naming authority formatting when printing out admission extension
Indent namingAuthority section with two spaces to match the parent
node.

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25814)
2024-11-07 10:29:34 +01:00
Niels Dossche
fa856b0ce0 Fix memory leak on failure in copy_issuer()
When sk_GENERAL_NAME_reserve() fails, ialt is not freed.
Add the freeing operation in the common error path.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25876)
2024-11-07 10:19:56 +01:00
Niels Dossche
83b62d41b2 Remove unnecessary sk_GENERAL_NAME_free() calls on NULL
There are several calls to sk_GENERAL_NAME_free() where the argument is
actually NULL, there are not necessary.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25877)
2024-11-05 16:14:40 +01:00
Celeste Liu
e899361b98 x509: add a newline after printing Full Name
We forget it in 58301e24f6.

Fixes #25853

CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25854)
2024-11-05 14:22:10 +01:00
Tomas Mraz
0b234a237c interop-tests.yml: Update to Fedora 40 and fix provisioning breakage
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25847)
2024-11-05 14:07:30 +01:00
ArtSin
ccaa754b5f Fix uses of EVP_PKEY_Q_keygen with size_t variadic argument
Fix cases where `int` argument was passed instead of `size_t`.

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25857)
2024-11-05 13:49:08 +01:00
Matt Caswell
d1669a14d1 Fix the default_md example in the ca docs
We should not have an example showing the default_md as md5.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25856)
2024-11-05 11:12:33 +00:00
Michael Baentsch
b9881e8eb1 Document extensibility of -groups parameter via providers
Also add brainpool curves

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25821)
2024-11-04 12:01:18 +01:00
Gábor Tóthvári
8f4cd8e305 Remove two unused union members from struct x509_object_st.
CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25826)
2024-11-04 11:52:17 +01:00
Todd Short
a590a7e3bc Use correct alerts for some cert comp errors
Fixes #25471

Signed-off-by: Todd Short <todd.short@me.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25845)
2024-11-04 11:50:46 +01:00