sashan [Wed, 11 Jun 2025 06:23:38 +0000 (08:23 +0200)]
ossl_rio_poll_builder_add_fd(): Fixup pfds after reallocation
Local variable `pfds` used in `ossl_rio_poll_builder_add_fd()` must be consistent
with `rpb->pfd_heap`. The function maintains array of SSL objects for SSL_poll(3ossl).
It works with no issues until we need to reallocate `rbp->pfd_heap` in `rpb_ensure_alloc()`.
After `rpb_ensure_alloc()` returns we must update local variable `pfds` with `rpb->pfd_heap`
not doing so makes function to write to dead buffer.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27804)
JiashengJiang [Mon, 12 May 2025 13:59:02 +0000 (09:59 -0400)]
test/helpers/quictestlib.c: Use goto instead of return to avoid memory leak
When TEST_ptr(*cssl) fails, bdata should be freed to avoid memory leak.
Fixes: a55b689 ("Use reported short conn id len in qtestlib") Signed-off-by: JiashengJiang <jiasheng@purdue.edu> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27599)
Return an error when update or final is used after the context has
already been finalized. Flag 'iimp' (intermediate-input-message-part)
must be 1 to allow an update or final call. If iimp is 0, then the
context has already been finalized.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27781)
Bartel Artem [Wed, 11 Jun 2025 03:58:31 +0000 (06:58 +0300)]
return NULL if gctx allocation fails.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27795)
Bartel Artem [Tue, 10 Jun 2025 10:11:41 +0000 (13:11 +0300)]
check gctx for NULL before cleanup.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27795)
Matt Caswell [Wed, 11 Jun 2025 08:50:16 +0000 (09:50 +0100)]
Allow our *_gen_cleanup functions to tolerate a NULL ctx
Our *_gen_cleanup functions are essentially "free" functions. Our
free functions tolerate NULL being passed. We are being inconsistent with
our *_gen_cleanup functions. Some of them tolerate NULL and others do not.
We should consistently tolerate NULL.
See also #27795
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27807)
sashan [Tue, 3 Jun 2025 13:12:48 +0000 (15:12 +0200)]
Document transition from ANSI-C towards C-99
The existing NOTES-ANSI.md are renamed to NOTES-C99.md and updated
accordingly. INSTALL.md lists C-99 compiler instead of ANSI-C now.
Also moving from ANSI-C to C-99 warrants updates to NEWS.md and
CHANGES.md.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/27751)
Ingo Franzki [Wed, 28 May 2025 06:55:49 +0000 (08:55 +0200)]
Silence -Wstringop-overflow warnings with gcc 14 on s390x
Compiling OpenSSL on s390x with gcc 14 (i.e. in Fedora 41) shows several
-Wstringop-overflow warnings in providers/implementations/rands/drbg_ctr.c
and test/params_api_test.c.
Add explicit length checks to let the compiler know that it won't overrun
the buffer. This also silences the warnings.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27710)
Viktor Dukhovni [Tue, 13 May 2025 15:23:25 +0000 (01:23 +1000)]
Allow keygen after dup of minimal PKEY ctx
It should be possible to repeatedly duplicate a PKEY CTX created via
EVP_PKEY_CTX_new_from_name() that has not yet been assigned an
"operation" (e.g. via EVP_PKEY_CTX_keygen_init()), and then perform
keygen_init() and keygen() on the duplicated copies.
When the operation is not yet set, all that's needed is to not try to
use the key if one isn't set yet.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27662)
Daniel Van Geest [Fri, 28 Mar 2025 10:40:32 +0000 (10:40 +0000)]
Fix SHAKE AlgorithmIdentifier encodings
NIST CSOR specifies that the id-shake128 and id-shake256
algorithm identifiers, like the SHA-3 ones, do not carry
any parameters.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27190)
yexiaochuan [Sat, 31 May 2025 09:47:58 +0000 (17:47 +0800)]
fix: add parsing check in TLS compress_certificate extension handler
The tls_parse_compress_certificate function was missing validation
for trailing bytes after parsing the algorithm list, violating
RFC8446 section 4.2 which requires sending a decode_error alert
for unparseable messages.
This commit adds a check for remaining bytes in the packet after
the while loop and sends SSL_AD_DECODE_ERROR if any trailing
bytes are found.
Fixes #27717
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27733)
crypto/evp/ctrl_params_translate.c: prevent clashes of generic names NONE, GET, SET
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27773)
Pauli [Thu, 5 Jun 2025 03:28:37 +0000 (13:28 +1000)]
rand: add argument error checking to EVP_RAND_nonce()
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27766)
Pauli [Thu, 5 Jun 2025 02:02:52 +0000 (12:02 +1000)]
rand: document the EVP_RAND_nonce() return correctly
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27766)
Pauli [Wed, 4 Jun 2025 23:50:59 +0000 (09:50 +1000)]
rand: produce correct return from EVP_RAND_nonce
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27766)
Pauli [Wed, 4 Jun 2025 23:50:34 +0000 (09:50 +1000)]
rand: fix memory overrun bug
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27766)
Pauli [Wed, 4 Jun 2025 23:50:20 +0000 (09:50 +1000)]
rand: add unit test exhibiting memory overrun
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27766)
Neil Horman [Thu, 5 Jun 2025 12:54:56 +0000 (08:54 -0400)]
Add a test to confirm that we can repeatedly create and destroy keys
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27775)
Neil Horman [Thu, 5 Jun 2025 12:25:52 +0000 (08:25 -0400)]
Allow for reuse of thread_local keys in threads_none
If openssl is configured with no-threads, the implementation has a hard
limit of 256 LIB_CTX values, as each LIB_CTX allocates a thread local
key, and we never reuse them (like libc does when using
pthread_key_create/destroy.
Improve the situation by allowing for marking freed keys as unsued and
searching for an available key when allocating
Fixes #27757
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27775)
Yaroslav Lelkin [Thu, 5 Jun 2025 05:50:43 +0000 (10:50 +0500)]
Fix NIST ACVP server URLs in SLH-DSA test files
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27770)
Neil Horman [Wed, 4 Jun 2025 19:48:45 +0000 (15:48 -0400)]
Remove _strlen31
This function is old and fairly broken. Code archeology in our git tree
hasn't revealed why it was creted (though it may have possibly been to
support older win32 systems that couldn't do 64 bit integers properly,
like windows 95/98).
There seems to be no good reason to keep it around, and given that it
has potentially serious side effects, lets just remove it.
Fixes #27761
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27763)
Neil Horman [Fri, 6 Jun 2025 00:57:35 +0000 (20:57 -0400)]
Fix use of IO::Socket::IP on windows 2025
Apparently IO::Socket::IP has several odd behaviors on windows 2025,
notably indicating that AF_INET6 isn't a supported family when it
clearly is.
Follow the pattern in determinig the haveIPV6 variable in Proxy.pm, and
record if we determine IPv6 availablity with the IP class or the INET6
class and use the same method when testing port binding
Fixes project/#1213
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/27780)
Neil Horman [Tue, 3 Jun 2025 20:02:15 +0000 (16:02 -0400)]
Test randomly selected client port for availabilty in sslrecords test
Encountered this error in a pr today:
https://github.com/openssl/openssl/actions/runs/15418713146/job/43387767612
===
Proxy started on port [::1]:56662
Engine "ossltest" set.
Using default temp DH parameters
ACCEPT [::1]:59189
Server responds on [::1]:59189
Engine "ossltest" set. C0774F02907F0000:error:80000062:system library:BIO_bind:Address already in use:crypto/bio/bio_sock2.c:240:calling bind() C0774F02907F0000:error:10000075:BIO routines:BIO_bind:unable to bind socket:crypto/bio/bio_sock2.c:242:
connect:errno=98
===
Its occuring because we randomly select a port to use for our client
connection in the sslrecords test. Thats usually fine, but sometimes,
we get unlucky and pick a port thats already in use. This presents as
random failures in our CI on this test.
So lets try harden ourselves against it. When creating the client
connection, test the randomly selected port by trying to bind to it via
a call to IO::Socket::IP->new(). If that fails, try a different port
number, until we get one that works. If it works, use that port in the
assignment for the clients local port value.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27752)
Viktor Dukhovni [Sun, 1 Jun 2025 02:47:15 +0000 (12:47 +1000)]
Split arguments taking quotes into account
CA.pl supports interpolating multiple arguments into the executed
commands. Previously these were evaluated by a shell, which supported
quoting of values that contain whitespace, backslashes, ...
With a shell no longer used (avoid command injection), backwards
compatibility requires some similar functionality. The code now handles
double and single-quoted strings (shell-style word splitting), but not
parameter expansion ($foo remains unexpanded) or command substitution
(`cmd` and $(cmd) remain unexpanded).
On Windows system(@LIST) does not correctly preserve argv, do our
own quoting instead and use system(<$quoted_cmd>).
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27432)
Viktor Dukhovni [Fri, 18 Apr 2025 04:18:09 +0000 (14:18 +1000)]
Avoid shell commandline processing in CA.pl
The CA.pl script used to build single-string string commandlines to pass
to a shell via `system(command_string)`. That was fragile and not a best
practice.
This PR replaces `system(command_string)` with `system { executable } @argv`,
which avoids the shell whenever possible (at least Unix-like systems and
Windows). The only question mark is whether some sort of quoting is
needed for VMS to preserve the case of commandline arguments even when
processes are spawned directly, rather than via the shell.
Unfortunately, given the way that some environment variables and
command-line options are used to construct the commands to run,
the result is still brittle. The CA.pl utility really should
be replaced with something better.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27432)
Matt Caswell [Mon, 2 Jun 2025 14:45:06 +0000 (15:45 +0100)]
Add a CHANGES.md entry regarding no_renegotiation alert
Highight the bug being fixed for DTLS users
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27591)
Clarify what happens in the event that a no_renegotiation alert is
received.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27591)
Matt Caswell [Fri, 9 May 2025 09:28:16 +0000 (10:28 +0100)]
Test that a no_renegotiation alert is handled correctly
If we receive a no_renegotiation alert we should abort the connection. We
add a test for this.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27591)
Matt Caswell [Fri, 9 May 2025 08:58:15 +0000 (09:58 +0100)]
Fix DTLS handling when receiving a no_renegotiation alert
no_renegotiation is a warning alert sent from the server when it is not
prepared to accept a renegotiation attempt. In TLS we abort the connection
when we receive one of these - which is a reasonable response. However,
in DTLS we incorrectly ignore this and keep trying to renegotiate.
We bring the DTLS handling of a no_renegotiation alert into line with
how TLS handles this. In versions prior to 3.2 handling of a warning
alert in DTLS was mishandled resulting in a failure of the connection,
which ends up being the right thing to do "by accident" in the case of
"no_renegotiation". From 3.2 this mishandling was fixed, but exposed this
latent bug.
Fixes #27419
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27591)
Dmitry Misharov [Tue, 3 Jun 2025 11:04:57 +0000 (13:04 +0200)]
ci: remove windows-2019 runner images
According to https://github.com/actions/runner-images/issues/12045
The Windows 2019 Actions runner image will begin deprecation on
2025-06-01 and will be fully unsupported by 2025-06-30. Jobs using
the windows-2019 YAML workflow label should be updated to
windows-2022, windows-2025 or windows-latest.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27749)
Matt Caswell [Thu, 29 May 2025 11:52:35 +0000 (12:52 +0100)]
Ensure client read app data secret change occurs after write for QUIC
We don't want read secrets to be issue before write for QUIC, because
we want to avoid the situation where we want to ack something we've read
but we don't have the write secret yet.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27732)
Matt Caswell [Thu, 29 May 2025 11:31:33 +0000 (12:31 +0100)]
Implement explicit storing of the server_finished_hash
tls13_change_cipher_state was storing the server_finished_hash as a
side effect of its operation. This decision is better made by the state
machine which actually knows what state we are in.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27732)
Matt Caswell [Thu, 29 May 2025 11:16:14 +0000 (12:16 +0100)]
Ensure client read handshake secret change occurs after write for QUIC
We don't want read secrets to be issue before write for QUIC, because
we want to avoid the situation where we want to ack something we've read
but we don't have the write secret yet.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27732)
Matt Caswell [Thu, 29 May 2025 10:59:25 +0000 (11:59 +0100)]
Implement explicit storing of the handshake_traffic_hash
tls13_change_cipher_state was storing the handshake_traffic_hash as a
side effect of its operation. This decision is better made by the state
machine which actually knows what state we are in.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27732)
sashan [Tue, 20 May 2025 01:22:24 +0000 (03:22 +0200)]
- drop s/-ansi/-std=c99
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/27659)
initial implementation of http/1.0 server to benchmark OpenSSL QUIC
stack. The server currently replies with HTTP 200 OK only. It provides
text/plain response body.
It only accepts GET request with any URI. Any other requests will
make server to drop stream/connection.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27508)
Daniel Frink [Thu, 29 May 2025 00:23:39 +0000 (19:23 -0500)]
Add generated cipher implementation files to gitignore
A commit was merged recently which change ciphercommon.c and
cipher_chacha20_poly1305.c to be generated files. The corresponding
.c files were not added to the gitignore, so this commit adds them
to avoid them being erroneously tracked in the future.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27715)
Cleanup - this constant and functions are no longer in use
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27716)
Norbert Pocs [Wed, 28 May 2025 20:12:06 +0000 (22:12 +0200)]
sslapitest: Add failing test for quic double free
The double free happened on the EVP_MD object, when we used external
quic implementation. This test makes the yield secret callback fail, to
make the kdfdigest free path happen.
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27713)
Norbert Pocs [Wed, 28 May 2025 14:28:54 +0000 (16:28 +0200)]
quic_tls.c: Precede double free on EVP_MD variable
When external quic implementation is used, the variable is not used and
double free happens whe the yield_secret_cb fails.
Resolves: #27504
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27713)
Richard Levitte [Thu, 9 Nov 2023 09:42:25 +0000 (10:42 +0100)]
[design] Functions for explicitly fetched signature algorithms
This design goes into more details what was outlined in the design for
[fetching composite (PKEY) algorithms and using them].
It also changes what functionality will be used for this. The design for
signature was originally to add modified initializers for DigestSign and
DigestVerify, but recent OTC discussions redirected us to have a closer look
at EVP_PKEY_sign() and EVP_PKEY_verify().
[fetching composite (PKEY) algorithms and using them]:
./fetching-composite-algorithms.md
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22672)
JiashengJiang [Sat, 17 May 2025 00:20:47 +0000 (20:20 -0400)]
test/evp_test.c: Free fetched_digest on error to avoid memory leak
Call EVP_MD_free() to release fetched_digest if OPENSSL_zalloc() fails, preventing a memory leak.
Fixes: 2208ba56eb ("evp_test: Add the missing check after calling OPENSSL_malloc") Signed-off-by: JiashengJiang <jiasheng@purdue.edu> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27648)
AntonMoryakov [Fri, 16 May 2025 14:19:21 +0000 (17:19 +0300)]
apps: lib: Prevent potential NULL dereference in init_client()
apps: lib: Simplify ba_ret handling in init_client()
Simplify logic around ba_ret assignment:
- Fail early if ba_ret == NULL
- Assign directly otherwise, without checking *ba_ret
This avoids extra nesting and matches OpenSSL's conventions.
CLA: trivial Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com> Co-authored-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26783)
Viktor Dukhovni [Wed, 21 May 2025 15:33:03 +0000 (01:33 +1000)]
Note finished state in cipher BIO EOF
When the cipher BIO encounters a non-retriable EOF (or error), mark the
state as "finished", else a subsequent BIO_flush() or attempted read may
attempt to finalise the crypto state again, and fail, leading, for
example, to users seeing erroneous apparent decryption failure.
This is not a new problem, the fix should be backported to all supported
releases. It was made more apparent by recent changes to the base64
BIO, which returns a non-retriable EOF when padding is seen at the end
of the base64 data, even if the underlying next BIO is "retriable".
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27680)
the theory I have for the cause of this failure is:
1. qtest_create_quic_connection_ex is called for the client
2. The client is in blocking mode, so we fall into the conditional on line 512
3. We create the server thread on line 519, which is non-blocking
4. The scheduler in the failing case, lets the server run ahead of the client
5. Server thread enters qtest_create_quic_connection_ex and iterates steps
6-9 in the do_while loop starting on line 530
6. Server calls qtest_add_time
7. Server calls ossl_quic_tserver_tick
8. Server calls ossl_quic_tserver_is_term_any, received NULL return
9. Server calls qtest_wait_for_timeout
10. Eventually qtest_wait_for_timeout returns zero, adn the server jumps to
the error label, returning zero to globservret, and the thread exits
11. Client thread regains the cpu, and attempts to call SSL_connect, which
fails, as the server is no longer listening
12. We fall into the error case on line 556, and SSL_get_error returns
SSL_ERROR_SSL, which causes clienterr to get set to 1
13. We exit the do{} while loop on line 581, and do the TEST_true check on
line 593. The server having exited wait_for_thread returns true, but
globserverret is still zero from step 10 above, and so the test fails
I can't prove this is the case, as the test only appears to fail in CI,
and we can't dump verbose logging there, lest we affect the timing of
the tests, so this is just a theory, but it seems to fit the
observations we have.
Attempting to fix this, by creating a thread interlock with a condition
variable that blocks the server from ticking the quic reactor until such
time as the client is about to call SSL_connect to prevent the race
condition
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27704)
Norbert Pocs [Mon, 26 May 2025 08:08:06 +0000 (10:08 +0200)]
Document EVP_CIPHER failure for missing provider function
When writing a new CIPHER implementation the OSSL_FUNC_cipher_get_params
must be present, otherwise the fetch fails. This behaviour is seen in
function evp_cipher_cache_constants@crypto/evp/evp_lib.c.
Resolves: #25801
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27696)
JiashengJiang [Fri, 16 May 2025 22:34:03 +0000 (18:34 -0400)]
apps/cmp.c: Free bio on error to avoid memory leak
Call BIO_free() to release bio if ASN1_i2d_bio_of() fails, preventing a memory leak.
Fixes: 6a3579e190 ("CMP: add support for requesting cert template using genm/genp") Signed-off-by: JiashengJiang <jiasheng@purdue.edu> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27647)
Tomas Mraz [Fri, 16 May 2025 09:08:37 +0000 (11:08 +0200)]
OSSL_CMP_MSG_http_perform(): Remove extraneous %s from debug log print
Also add missing ":" to another log print.
Fixes #27634
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/27635)
projects / thirdparty / openssl.git / log
