JiashengJiang [Mon, 5 May 2025 18:52:40 +0000 (14:52 -0400)]
test/timing_load_creds.c: Free contents in error handling to avoid memory leak
Add a call to OPENSSL_free() in the error handling path to ensure contents is properly freed and prevent a memory leak.
Fixes: 45479dcee1 ("test/timing_load_creds.c: fix coding style and other (mostly minor) issues") Signed-off-by: JiashengJiang <jiasheng@purdue.edu> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27570)
Pauli [Wed, 30 Apr 2025 22:12:00 +0000 (08:12 +1000)]
chacha_poly: fix settable ctx param list
The settable list used the generic AEAD cipher list which included
an extra parameter and omitted the IV length one. The set ctx param call
was custom so the errant list didn't directly impact operation.
The comment about ignoring OSSL_CIPHER_PARAM_AEAD_MAC_KEY is completely bogus.
That parameter isn't accepted either here or by the shared AEAD cipher params.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/27534)
Neil Horman [Wed, 7 May 2025 12:58:30 +0000 (08:58 -0400)]
Update IMPL_*_SIGALG to not have to stringify parameter
Noted while playing with some c-style tools that these macros got
mis-handled when doing style changes. Specifically, the last parameter,
as it passed externally as a token, but stringified internal to the
associated macro, got handled as an arithmetic expression rather than a
string.
Given that the only thing this parameter is used for is as a string, cut
out the middle man and just pass it as a string in the first place
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/27579)
Matt Caswell [Fri, 2 May 2025 15:40:50 +0000 (16:40 +0100)]
Add a test for app data received too early
Add a test for app data which was received prior to the Finished is read
correctly, and that if we continue to read we get the expected result.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/27543)
Matt Caswell [Fri, 2 May 2025 15:37:32 +0000 (16:37 +0100)]
Ensure we properly release DTLS buffered app data records
If we read an app data record before we have read the Finished we buffer
it. Once we've read it we need to make sure we've properly released it
otherwise we will attempt to read it again (and this time there will be
no data in it).
Fixes #27316
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/27543)
JiashengJiang [Mon, 5 May 2025 18:23:38 +0000 (14:23 -0400)]
test/bio_comp_test.c: Initialize pointer to avoid undefined behavior
If the allocation for "original" fails, "result" may be freed without being
properly initialized. Since result could hold a random value due to its
assignment in do_bio_comp_test(), freeing it without initialization is unsafe
and may lead to undefined behavior.
Fixes: 12e96a2360 ("Add brotli compression support (RFC7924)") Signed-off-by: JiashengJiang <jiasheng@purdue.edu> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27569)
Matt Caswell [Wed, 30 Apr 2025 12:09:58 +0000 (13:09 +0100)]
Add a test for sending an empty app data record in DTLS
DTLS should ignore this
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27541)
Matt Caswell [Tue, 29 Apr 2025 13:21:49 +0000 (14:21 +0100)]
Drop empty app data records in DTLS
App data records with 0 bytes of payload will confuse callers of SSL_read().
This will cause a successful read and return 0 bytes as read. Unfortunately
a 0 return from SSL_read() is considered a failure response. A subsequent
call to SSL_get_error() will then give the wrong result.
Zero length app data records are actually allowed by the spec, but have
never been handled correctly by OpenSSL. We already disallow creating such
empty app data records. Since the SSL_read() API does not have a good way to
handle this type of read, we simply ignore them.
Partial fix for #27316
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27541)
JiashengJiang [Mon, 5 May 2025 01:41:39 +0000 (21:41 -0400)]
crypto/provider_conf.c: Fix possible memory leak
Assign the return value of ossl_provider_info_add_to_store to added instead of
setting it directly to 1, in order to avoid a memory leak caused by entry not
being freed if ossl_provider_info_add_to_store() fails.
Signed-off-by: JiashengJiang <jiasheng@purdue.edu> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27472)
Pauli [Thu, 17 Apr 2025 02:09:38 +0000 (12:09 +1000)]
ccm: update CCM mode ciphers to use the TRIE param name decoder for AEAD ciphers
This brings the implementation in line with GCM which has had this capability
for a while. It will improveme performance setting and retrieving the
authenticatoin tag.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27392)
Addresses an issue where the EVP_CIPHER_CTX_get_updated_iv() function
does not properly return the updated IV for the ChaCha20 cipher.
chacha20_get_ctx_params was updated to be sensitive to the
OSSL_CIPHER_PARAM_UPDATED_IV parameter.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27484)
Enable AES and SHA3 optimisations on Qualcomm Snapdragon X systems
For larger data blocks, AES gets performance gains of up to 26.5%,
and SHA3 up to 15%. Tested on a Dell 9345 with Snapdragon X1E-80-100.
Below are detailed data.
Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27503)
Julian Zhu [Sat, 3 May 2025 08:16:27 +0000 (16:16 +0800)]
RISC-V: Provide generic optimized SHA-256 implementation for rv64gc
Signed-off-by: Julian Zhu <julian.oerv@isrc.iscas.ac.cn> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27381)
pkcs12: increase macsaltlen from 8 to 16 as per NIST SP 800-132
Align PKCS12 PBMAC1 PBKDF2 salt length with
PKCS5_DEFAULT_PBE2_SALT_LEN.
With this change, newly created PKCS12 PBMAC1 PBKDF2 keystores use mac
salt length of 16 bytes by default. This increases interoperability
with FIPS implementations which require at least 16 bytes of salt
length. Otherwise FIPS implementations fail to to open keystore with
invalid salt length errors (unapproved):
Mac verify error: invalid password? 80EBD061AD7F0000:error:1C800070:Provider routines:kdf_pbkdf2_set_ctx_params:invalid salt length:providers/implementations/kdfs/pbkdf2.c:293: 80EBD061AD7F0000:error:118C0103:PKCS12 routines:PBMAC1_PBKDF2_HMAC:internal error:crypto/pkcs12/p12_mutl.c:143: 80EBD061AD7F0000:error:1180006D:PKCS12 routines:PKCS12_verify_mac:mac generation error:crypto/pkcs12/p12_mutl.c:324: 80EBD061AD7F0000:error:1C800070:Provider routines:kdf_pbkdf2_set_ctx_params:invalid salt length:providers/implementations/kdfs/pbkdf2.c:293: 80EBD061AD7F0000:error:118C0103:PKCS12 routines:PBMAC1_PBKDF2_HMAC:internal error:crypto/pkcs12/p12_mutl.c:143: 80EBD061AD7F0000:error:1180006D:PKCS12 routines:PKCS12_verify_mac:mac generation error:crypto/pkcs12/p12_mutl.c:324:
The compile time constant is made possible to override with a build
time define, such that one can revert back to 8 if so is needed for
backwards compatibility.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27446)
Lars Kanis [Sat, 1 Feb 2025 17:01:43 +0000 (18:01 +0100)]
Add a target config for MINGW on ARM64
This is necessary to build OpenSSL native on Windows on Arm64 with gcc or clang.
It also works when cross compiling on Linux for aarch64-w64-windows-gnu.
This patch is used since years on MSYS2:
https://github.com/msys2/MINGW-packages/blob/master/mingw-w64-openssl/001-support-aarch64.patch
Fixes #10533
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26605)
Richard Levitte [Wed, 30 Apr 2025 12:37:12 +0000 (14:37 +0200)]
Drop "by store"'s by_store_subject_ex()
It was used to pass libctx and propq, which would override the
corresponding values passed to by_store_ctrl_ex(). This wasn't
really reasonable to do either way, as it could potentially be a
surprise to the user, who can reasonably expect that the URI is
opened with the libctx and propq that was passed with the URI, and
not with those passed later.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27529)
Originally from https://github.com/openssl/openssl/pull/27507, with some
changes.
Co-authored-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27529)
Richard Levitte [Wed, 30 Apr 2025 09:38:04 +0000 (11:38 +0200)]
Rework the "by store" X509_LOOKUP method to open the given URI early
The cached X509_LOOKUP method data is no longer just the URI, but now
includes the OSSL_STORE_CTX pointer, and required parameters to reopen
the URI at any time. cache_objects() is modified to handle this, and
only (re)open the URI when it wasn't previously opened, or when it was
closed by an earlier call.
This way, we can call OSSL_STORE_open_ex() in by_store_ctrl_ex(), and
get to see possible errors when the URI is loaded.
This assumes that if the URI could be opened once, it can be opened
again.
Fixes #27461
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27529)
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27240)
Neil Horman [Thu, 24 Apr 2025 13:26:33 +0000 (09:26 -0400)]
Disable unterminated-string-initialization in strict-warnings
Recently updated to fedora 42, which includes an updated gcc, which
triggers a new warning:
test/afalgtest.c:44:9: error: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (18 chars into 17 available) [-Werror=unterminated-string-initialization]
44 | "\x53\x69\x6e\x67\x6c\x65\x20\x62\x6c\x6f\x63\x6b\x20\x6d\x73\x67"
The warning occurs because in some locations we create char buffers of
length X, and fill it with X bytes of data, truncating the NULL
terminator.
We could fix it by adding the nonstring attribute, but given that:
1) Adding attributes might impact other platforms that don't understand the
attribute.
2) We often create char buffers that don't expect a NULL terminator.
3) Converting the unsigned char arrays to uint8_t, or other types that
could be interpreted as non-strings has no impact, only applying the
nonstring attribute silences the warning.
It seems more sensible to just disable the warning entirely
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27490)
Daniel Van Geest [Sun, 13 Apr 2025 00:49:09 +0000 (01:49 +0100)]
Expand gettable params for HKDF
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27365)
Neil Horman [Tue, 29 Apr 2025 13:27:30 +0000 (09:27 -0400)]
Update test/ossl_store_test.c
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27393)
Neil Horman [Tue, 29 Apr 2025 13:24:46 +0000 (09:24 -0400)]
Update test/ossl_store_test.c
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27393)
Matt Caswell [Thu, 17 Apr 2025 11:45:31 +0000 (12:45 +0100)]
Fix a typo in evpciph_des3_common.txt
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27408)
Matt Caswell [Tue, 15 Apr 2025 14:03:36 +0000 (15:03 +0100)]
Fix a deadlock while attempting to get the Primary EVP_RAND_CTX
When only the FIPS provider was loaded we could get a deadlock when
calling RAND_get0_primary() due to attempting to obtain a recursive
lock.
We reduce the scope of the locks that we hold to avoid this.
Fixes #27391
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27408)
Matt Caswell [Wed, 16 Apr 2025 11:20:10 +0000 (12:20 +0100)]
Ensure that our fips internal provider is always loaded
The fips provider has an internal provider. In some circumstances we
could end up trying to find it, but failing because it hasn't been loaded
yet. We just always ensure it is loaded early to avoid this.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27408)
Matt Caswell [Wed, 16 Apr 2025 11:15:51 +0000 (12:15 +0100)]
Assert that we successfully obtained a lock
We should never fail to obtain a lock, so assert that we are successful
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27408)
Matt Caswell [Wed, 16 Apr 2025 11:14:55 +0000 (12:14 +0100)]
Add a test for calling RAND_get0_primary()
We simply test that calling RAND_get0_primary() returns a success
for both the default and fips providers.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27408)
Arne Schwabe [Sat, 26 Apr 2025 18:21:28 +0000 (20:21 +0200)]
Fix aesv8 arm assembler code not working on 32 bit Android
OpenSSL uses 'void' as perlasm for the 32 bit armeabi-arm target, which
most notably lacks a 32 or 64 in its name. So while most code that is
targeted for 32 uses !~ /64/ there is one instance that uses ~= /32/,
introduced by commit 8e69c18 between 3.4.0 and 3.5.0. This leaves out
that line on 32 bit android causing a segfault.
This fixes the compilation issue by replacing the ~= /32/ with !~ /64/
compilation taget (see 15-android.conf)
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27510)
By updating the `util/find-doc-nits` new missing history sections were
discovered. This commit adds the missing.
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27488)
doc/man3: Change formulation to let the script to catch it
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27488)
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27488)
util/find-doc-nits: Check function macros in history
Add a checker for function macros if they are present in the HISTORY
section of the man page.
Resolves: #26774
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27488)
Matt Caswell [Fri, 25 Apr 2025 14:21:47 +0000 (15:21 +0100)]
Clarify how s_client -ign_eof and -quiet impact command processing
If -ign_eof -or -quiet are passed to s_client this implicitly turns off
command processing (i.e. equivalent to -nocommands). This was stated on
the man page in the "CONNECTED COMMANDS" section, but not in the
documentation for "-ign_eof" or "-quiet" directly. We state it here as
well to make it clearer.
Fixes #27443
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27500)
Anton Tieleman [Mon, 28 Apr 2025 11:49:25 +0000 (13:49 +0200)]
Test+fix handling "wrong" downgrade signals
This accounts for cases that can only occur when een non-compliant server sends
the wrong downgrade signal. (TLS1.1 signal when negotiating TLS1.2 or TLS1.2
signal when negotiating TLS1.0/TLS1.1). According to the TLS1.3 RFC these
cases should be rejected:
RFC8446, section 4.1.3: TLS 1.3 clients receiving a ServerHello indicating
TLS 1.2 or below MUST check that the last 8 bytes are not equal to either of
these values. TLS 1.2 clients SHOULD also check that the last 8 bytes are
not equal to the second value if the ServerHello indicates TLS 1.1 or below.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27518)
Anton Tieleman [Mon, 28 Apr 2025 11:30:01 +0000 (13:30 +0200)]
Repair downgrade tests
A number of these tests were failing for the wrong reasons. The intention is to verify
that the client sends an illegal parameter alert when an unexpected downgrade signal
is received. Instead, a number of tests failed because TLS1.1 was not available. The
tests are adapted to explicitly check for an illegal parameter alert from the client.
Client and server flags are updated to enable TLS1.1 where required and a few tests
requiring TLS1.1 were moved to be disabled when TLS1.1 is not available.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27518)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26994)
Tomas Mraz [Tue, 29 Apr 2025 09:56:23 +0000 (11:56 +0200)]
apps/prime.c: Fix memory leak of a BIGNUM
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27521)
Update to use BIO_get_line() with support for multiple primes per in file
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26549)
zriback [Fri, 31 Jan 2025 02:05:32 +0000 (21:05 -0500)]
Address and add tests for edge cases involving short or empty files
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26549)
zriback [Thu, 30 Jan 2025 16:41:15 +0000 (11:41 -0500)]
Fix issue where file is not read correctly with Windows line endings
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26549)
zriback [Fri, 24 Jan 2025 20:43:22 +0000 (15:43 -0500)]
Add 20-test_prime unit test
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26549)
zriback [Fri, 24 Jan 2025 06:03:35 +0000 (01:03 -0500)]
Add -in option to prime function to allow input from file for primality testing. Update -hex option documentation to reflect use with input and output.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26549)
Fix typo in SHA256 RISC-V64 Zbb comments: Sigma0 -> Sum0
This corrects a misleading comment in sha256-riscv64-zbb.pl. The rotation
operation corresponds to the Sum0 function as defined in the FIPS 180-4
standard, not Sigma0.
CLA: trivial
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27480)
The microsoft compiler does not like the empty struct,
so go add a dummy field instead.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27494)
file_store.c: give detail on file_set_ctx_params() error
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27498)
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27498)
A. Wilcox [Thu, 17 Apr 2025 13:51:53 +0000 (08:51 -0500)]
Fix P-384 curve on lower-than-P9 PPC64 targets
The change adding an asm implementation of p384_felem_reduce incorrectly
uses the accelerated version on both targets that support the intrinsics
*and* targets that don't, instead of falling back to the generics on older
targets. This results in crashes when trying to use P-384 on < Power9.
Signed-off-by: Anna Wilcox <AWilcox@Wilcox-Tech.com> Closes: #27350 Fixes: 85cabd94 ("Fix Minerva timing side-channel signal for P-384 curve on PPC") Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27429)
Simo Sorce [Thu, 24 Apr 2025 14:05:53 +0000 (10:05 -0400)]
Add test to check SKEYMGMT interfaces
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27483)
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27483)
Richard Levitte [Wed, 23 Apr 2025 18:14:38 +0000 (20:14 +0200)]
Relax absolut path checking in our 'file' scheme implementation
So far, we strictly obeyed [RFC 8089], which only allows absolute paths
in a 'file:' URI. However, this seems to give a confusing user
experience, where something like 'file:foo.pem' wouldn't open foo.pem,
even though it's there in the current directory, but 'file:$(pwd)/foo.pem'
would.
To be less surprising for such use cases, we relax our implementation
visavi [RFC 8089] to allow relative paths.
Ensure z and d are actually zeroized by cleansing the full size of s,
rather than just vector_bytes.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27437)
Matt Caswell [Fri, 11 Apr 2025 13:19:46 +0000 (14:19 +0100)]
Fix errors on SSL_accept() and SSL_get_error()
Calling SSL_accept() was raising two errors on the stack if you passed
the wrong object type. Similarly SSL_get_error() was adding an error to
the stack if the wrong object type was passed and returning the wrong
result.
We also ensure SSL_set_accept_state() and SSL_set_connect_state() don't
raise spurious errors since these are void functions.
Fixes #27347
Fixes #27348
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27351)
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27157)
Luke Kurlandski [Tue, 4 Mar 2025 16:53:36 +0000 (11:53 -0500)]
Improved error message for X509_V_ERR_CERT_NOT_YET_VALID
In addition to an invalid certificate, it is not unlikely that this
exact error (case X509_V_ERR_CERT_NOT_YET_VALID) is caused by an
incorrect system clock. This cannot be trivially fixed, so for now,
we simply improve the quality of the error message.
Fixes #14771
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27141)
Viktor Dukhovni [Wed, 9 Apr 2025 07:33:02 +0000 (17:33 +1000)]
Fix default pkey(1) DER output
This is expected to be PKCS#8, but was defaulting to traditional when
possible. Changed default DER output format to PKCS#8 and extended the
`-traditional` option to apply also to DER output.
Fixes: #21708 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27273)
Simo Sorce [Tue, 15 Apr 2025 19:42:22 +0000 (15:42 -0400)]
Advertize signature setting in settable_ctx fn
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27342)
Simo Sorce [Tue, 15 Apr 2025 18:58:20 +0000 (14:58 -0400)]
Add test for ML-DSA sig/ver message update
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27342)
Simo Sorce [Fri, 11 Apr 2025 21:24:09 +0000 (17:24 -0400)]
Add ml_dsa msg_update functions to provider code
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27342)
Simo Sorce [Fri, 11 Apr 2025 17:38:20 +0000 (13:38 -0400)]
Make public ml_dsa_mu_.. helpers
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27342)
Simo Sorce [Wed, 9 Apr 2025 13:35:20 +0000 (09:35 -0400)]
Split the ML-DSA internal sigver functions
Deconstruct the functions into 2 parts:
- mu computation (if needed)
- actual signing/verification
Adds helper to compute mu that is split in 3 parts
(init/update/finalize) where the update part can be used to feed the message
to be signed or verified in chunks of any size.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27342)
Simo Sorce [Tue, 15 Apr 2025 19:21:19 +0000 (15:21 -0400)]
Fix EVP_PKEY_verify man page
Various functions were misnamed in the descriptions.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27342)
Simo Sorce [Tue, 15 Apr 2025 19:20:41 +0000 (15:20 -0400)]
Fix mldsa'a msg_inits operation type
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27342)
projects / thirdparty / openssl.git / log
