Richard Levitte [Thu, 11 Sep 2025 13:30:15 +0000 (15:30 +0200)]
design: Fixed size large numbers
For the longest time, we have mitigated security issues related to large
numbers (BIGNUM) and constant time in a piece-meal fashion, without really
looking at the problem from a zoomed out, holistic perspective.
An interesting aspect in this problem is that large numbers can vary in
size, and that depending on their combined sizes, the time to perform
mathematical calculations with them vary equally much, and may thereby
unintentionally leak information on those numbers.
To mitigate that sort of timing issue, we introduce fixed size numbers,
which are designed to have payload sizes that are pre-determined, usually by
the crypto system that uses them. This means that even a very small number
(let's take 1 as a ridiculous example) would have the same size payload as a
much larger number, and calculations using them would perform across all
payload bits of all input numbers combined.
These fixed size numbers primarly differ from BIGNUMs in that once they have
been allocated to a certain size, that size will not change throughout its
lifetime.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28522)
Nikola Pajkovsky [Mon, 22 Sep 2025 10:17:16 +0000 (12:17 +0200)]
x509: fix mem leak on error path
The x509_store_add() creates X509_OBJECT wrapping either X509 or
X509_CRL. However, if you set the type to X509_LU_NONE before
X509_OBJECT_free then it skips the free on the wrapped type and just
calls OPENSSL_free on the object itself. Hence, leaking wrapped
object.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28631)
Tomas Mraz [Sat, 20 Sep 2025 14:45:50 +0000 (16:45 +0200)]
tls_common.c: Handle inner content type properly on Big Endian
When passing the inner content type to msg_callback,
the lowest byte of rec->type needs to be passed instead
of directly passing the rec->type otherwise the value is
incorrect on Big Endian platforms.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28627)
Nikola Pajkovsky [Thu, 18 Sep 2025 06:56:44 +0000 (08:56 +0200)]
Ensure q variable is freed
Fixes: d88c43a64408 ("Ensure that empty or 1 element stacks are always sorted.")
Resolves: https://scan5.scan.coverity.com/#/project-view/65138/10222?selectedIssue=1665465 Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28596)
Viktor Dukhovni [Mon, 22 Sep 2025 05:02:28 +0000 (15:02 +1000)]
Added test suggested by Shane Lontis
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28624)
Viktor Dukhovni [Sat, 20 Sep 2025 04:02:52 +0000 (14:02 +1000)]
Harden property put_str() helper corner case
The put_str() helper of the internal ossl_property_list_to_string()
function failed to correctly check the remaining buffer length in a
corner case in which a property name or string value needs quoting,
and exactly one byte of unused space remained in the output buffer.
The only potentially affected calling code is conditionally compiled
(disabled by default) provider "QUERY" tracing that is executed only
when also requested at runtime. An initial fragment of the property
list encoding would need to use up exactly 511 bytes, leaving just 1
byte for the next string which requires quoting. Bug reported by
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28624)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/28602)
Richard Levitte [Thu, 18 Sep 2025 15:12:33 +0000 (17:12 +0200)]
Make generated files read-only
This is an attempt to discouraged manual changes of generated files,
as people have done so, just to get their changes over-written next
time those files are re-generated.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28612)
Richard Levitte [Thu, 18 Sep 2025 05:14:13 +0000 (07:14 +0200)]
Fix OPENSSL_VERSION_NUMBER to always have zero status bits
The documentation suggested that they were always zero, while the
implementation in <openssl/opensslv.h> suggested that it could be
0xf in OpenSSL releases... which (almost) never happened because
of a bug in said implementation.
Therefore, we solidify that the status bits are indeed always zero,
at least in all OpenSSL 3 versions.
Ryan Hooper [Fri, 19 Sep 2025 15:33:09 +0000 (11:33 -0400)]
Fix CI Pipeline by Disabling SSL_TRACE_TEST
Disabling the SSL_TRACE_TEST since it caused an issue on
some cross compiles. A follow-on commit will change
the test.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28621)
this adds another release/acquire link between update_qp and
get_hold_current_qp via the reader_idx because the current
one which is based on the qp users count is only preventing
a race condition, but does not help when the reader acquires
the next qp.
Fixes #27267
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28585)
Viktor Dukhovni [Tue, 16 Sep 2025 12:40:32 +0000 (22:40 +1000)]
Fix ML-KEM key equality check when either unset
Fixes #28563
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28569)
Revert "rsa: expose pairwise consistency test API"
This reverts commit dc5cd6f70a0e "rsa: expose pairwise consistency test API",
that has introduced ossl_rsa_key_pairwise_test() function, as the only user
has been removed in 7f7f75816f26 "import pct: remove import PCTs for most
algorithms".
Complements: 7f7f75816f26 "import pct: remove import PCTs for most algorithms" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28557)
The cipher protocol ID, the return type of SSL_CIPHER_get_protocol_id,
is uint16_t and correctly described in docs to be 2 bytes, however the
function signature on the same page incorrectly pointed to it being
uint32_t, which is 4 bytes.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28523)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28393)
Bob Beck [Mon, 25 Aug 2025 20:26:33 +0000 (14:26 -0600)]
Use less preprocessor gymnastics for fatal error detection.
We seem to be using a lot of preprocessor gymnastics to avoid
having duplicate cases in a case statement depending on what
the host system defines these values to. We should not care.
If we don't bother with the case statement this becomes
easier to follow.
While we are here, pick up the reccomended windows2 values
that correspond with the POSIX values we already have
in here that we believe are "non-fatal", and condition
the codes to use on being windows or something POSIX.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28344)
test/p_ossltest.c: check for return values in OSSL_PARAM_* calls
Some of the OSSL_PARAM_* calls haven't their return codes checked
(OSSL_PARAM_get_octet_string_ptr() call
in ossl_test_aes128cbchmacsha1_set_ctx_params(),
and OSSL_PARAM_set_size_t() call in drbg_ctr_get_ctx_params()),
and Coverity complained about it. Add the missing checks.
Fixes: 032297054ab5 "Implement an ossltest provider to replace ossltest engine"
Resolves: https://github.com/openssl/project/issues/1618
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665462
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665463 Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28583)
providers/implementations/keymgmt/ecx_kmgmt.c.in: remove PCT on ECX import
While PCT on import has been removed for DH, EC, RSA, and SLH-DSA,
ECX seems to be overlooked. Correct that omission.
Complements: 7f7f75816f26 "import pct: remove import PCTs for most algorithms" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28573)
Bob Beck [Mon, 15 Sep 2025 17:52:44 +0000 (11:52 -0600)]
Don't return a value we never check from indent_printf()
Coverity notices it could overflow, since we don't use this
don't bother returning it
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28553)
Bob Beck [Fri, 12 Sep 2025 18:08:02 +0000 (12:08 -0600)]
Don't clear is_sorted unconditionally on OPENSSL_sk_insert()
If we have a comparison function, and the array was sorted,
check to see if we are inserting in the correct location.
if so do not clear is_sorted.
This allows for element locations found with OPENSSL_sk_find_ex
to be used to insert elements in the correct location and preserve
the sorting order without the need to sort the stack again.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28533)
Bob Beck [Wed, 10 Sep 2025 17:43:01 +0000 (11:43 -0600)]
Ensure that empty or 1 element stacks are always sorted.
Matt noticed "It's kind of weird that we are forced to call sort on
a newly created and empty stack. It feels like an empty stack should
have the "sorted" flag by default on creation"
I am incluined to agree. This change ensures tht empty or 1 element
stacks are marked as sorted, as per the existing comment in the
file.
Since this involved changing the various duplication routines to
also ensure that sorted was preserved for such stacks, I also
noticed the duplication code was largely duplicated. I
took the opportunity to deduplicate the duplication code while
making these changes.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28509)
25-test_verify.t: fix misleading test case names and file variable name
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28469)
25-test_verify.t: fix partly case-sensitive matching for Windows OS: s/MsWin32/MSWin32/
Fixes #27984
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28098)
Neil Horman [Fri, 12 Sep 2025 17:11:46 +0000 (13:11 -0400)]
Fix ossl_prov_set_macctx
This function fails to construct a param list that includes the passed
in property query string in the param lists when allocating subordonate
algorithms.
Make sure we allow callers to pass a param list (so that providers for
subordonate algorithms can be selected), and merge those into the param
list that this function builds on its own.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28461)
Neil Horman [Tue, 9 Sep 2025 13:47:34 +0000 (09:47 -0400)]
support passing prop querys to composite algs
We have several composite alg usages (i.e. MAC/KDF) which pick the right
digest implementation when using an engine, but fail to get the right
one when using a provider because we don't pass the propquery in a
parameter to their instantiation.
Fix them up by constructing the appropriate parameters
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28461)
Neil Horman [Thu, 4 Sep 2025 20:14:21 +0000 (16:14 -0400)]
remove loader_attic test from test_cmp_cli
This engine is going away (in fact they all are), so just remove the
test cases referencing this engine
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28461)
Neil Horman [Thu, 4 Sep 2025 20:12:20 +0000 (16:12 -0400)]
remove loader_attic tests from test_store
With the removal of engines we need to handle the loader_attic test that
will fail with said removal
based on the advice of @levitte, given that we have a file: loader in
the default provider already, theres no need to test an engine thats
going away, so just remove it.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28461)
Neil Horman [Thu, 4 Sep 2025 18:04:55 +0000 (14:04 -0400)]
Convert TLSProxy to use new provider
replace use of ossltest engine with provider in TLSProxy and update all
dependent tests
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28461)
Neil Horman [Thu, 4 Sep 2025 17:45:22 +0000 (13:45 -0400)]
replace ossltest engine in test_dgst
Use the new ossltest provider rather than the ossltest engine
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28461)
Neil Horman [Thu, 4 Sep 2025 17:44:30 +0000 (13:44 -0400)]
Convert test_rand to use our new p_ossltest provider
Replace ossltest engine with ossltest provider in test_rand
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28461)
Neil Horman [Tue, 26 Aug 2025 12:08:01 +0000 (08:08 -0400)]
Implement an ossltest provider to replace ossltest engine
Part of the effort to remove engines creates a problem for our test
suite, in that we have a large number of tests that rely on the use of a
test engine (ossltest), which implements the aes-128-cbc, aes-128-gcm,
aes-128-cbc-hmac-sha1 ciphers, several digests and a random number
generator to produce predictable outputs for the purposes of doing
testing against known values.
Since we're getting rid of engines, these tests need to be updated to
use a provider that presents the same functionality.
This commit implements that provider.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28461)
Pauli [Fri, 12 Sep 2025 09:03:12 +0000 (19:03 +1000)]
Add OSSL_ prefix back onto param names
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28529)
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28547)
crypto/ec/ecp_nistz256.c: use OPENSSL_aligned_alloc_array
Allocate table in ecp_nistz256_windowed_mul() and preComputedTable
in ecp_nistz256_mult_precompute() using OPENSSL_aligned_alloc_array() call
instead of OPENSSL_malloc with a 64-byte slack and manual pointer alignment
adjustement.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28295)
Explicitly limit the OPENSSL_aligned_alloc()'s alignment to 65536
There is little need to support alignments larger than a page size,
and the open-coded OPENSSL_aligned_alloc() implementation implements
that support in quite wasteful manner, so it is better just to limit
the maximum supported alignment explicitly. The value of 65536
has been chosen so it is architecture-agnostic and is no less than page sizes
used in commonly occurring architectures (and also it is a pretty number).
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28295)
crypto/mem.c: use open-coded aligned alloc when posix_memalign fails
While posix_memalign() is generally not expected to fail, we can always use
the internal aligned alloc implementation to ensure that any
OPENSSL_aligned_malloc failure is indeed fatal and does not require
a fallback.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28295)
Move the open-coded aligned alloc in a separate file and use it in FIPS module
Factor the open-coded aligned allocation implementation in a separate
file and use it instead of just returning NULL in CRYPTO_aligned_alloc
implementation in the FIPS provider.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28295)
Move OPENSSL_SMALL_FOOTPRINT-related logic from aligned_alloc to the only caller
Originally, CRYPTO_aligned_alloc() returned NULL if OpenSSL was built
with OPENSSL_SMALL_FOOTPRINT defined, which is a weird place for such
a consideration; moreover it means that every caller requires to
implement some form of a fallback (and manually over-allocate
and then align the returned memory if the alignment is a requirement),
which is counter-productive (and outright ridiculous in environments
with posix_memalign() available). Move the OPENSSL_SMALL_FOOTPRINT
consideration to the only current caller and update the documentation
and tests accordingly.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28295)
doc/man3/OPENSSL_malloc.pod: size is no longer needed to be alignment multiple
While the commit 648803a17e4c1 "crypto/mem.c: don't use aligned_alloc
in CRYPTO_aligned_alloc" removed the aligned_alloc() usage
along with its overly onerous requirements, its author failed to update
the documentation accordingly. Correct that omission by removing
the requirement from the DESCRIPTION and adding a relevant mention
in HISTORY.
Complements: 648803a17e4c1 "crypto/mem.c: don't use aligned_alloc in CRYPTO_aligned_alloc" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28295)
test/radix/terp.c: avoid accessing uninitialised terp on error
Stats printing in TERP_run() assumes that terp has been initialised,
which is not the case when a jump to the err label has been performed
before successful TERP_init() call; avoid it by emplacing it
within a have_terp guard check.
Fixes: 4a2d5fe812f8 "QUIC RADIX: Add RADIX test framework implementation"
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665430
References: https://github.com/openssl/project/issues/1432 Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28546)
crypto/evp/ctrl_params_translate.c: fix a typo in the error message
The ERR_raise_data() call on failure to find ctx->p2 in str_value_map
erroneously refers to ctx->p1 instead; fix that but supplying the
correct field and casting it to the supposed const char * type.
Fixes: 9a1c4e41e8d3 "EVP: Implement data-driven translation between known ctrl and OSSL_PARAMs"
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665427
References: https://github.com/openssl/project/issues/1432 Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28546)
test/wpackettest.c: remove ubogus cleanup() in test_WPACKET_quic_vlint_random()
In the beginning of the iteration, pkt is not initialised yet, so there is
no need to clean it up on RAND_bytes() failure. Replace "return cleanup(&pkt)"
with plain "return 0"'
Fixes: 416d0a638c16 "QUIC wire format support"
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665422
References: https://github.com/openssl/project/issues/1432 Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28546)
crypto/x509/t_x509.c: check i2d_X509_NAME() return value in X509_ocspid_print()
There is little reason for this call to fail, but there is also little
reason for not to check for it, and, since Coverity noticed
that the check is missing, just add it.
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665420
References: https://github.com/openssl/project/issues/1432 Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28546)
Neil Horman [Sun, 14 Sep 2025 17:13:00 +0000 (13:13 -0400)]
Enable LMS on provider compat fips build for 3.6
The LMS test for fips assumes that LMS is available in the provider in
any version equal to or later than 3.6.
We should probably augment the test such that instead of just checking
the openssl version, we instead query the provider to see if the needed
algs are available to use LMS.
But given the current state of affairs, it seems more sensible to just
enable lms in the 3.6 fips provider build to ensure lms gets tested.
Fixes openssl/project#1435
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28541)
Viktor Dukhovni [Sat, 13 Sep 2025 02:52:42 +0000 (12:52 +1000)]
Test failure of rsa_encrypt when buffer too short
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28517)
Viktor Dukhovni [Thu, 11 Sep 2025 08:50:44 +0000 (18:50 +1000)]
Harden RSA public encrypt
Check the that the indicated output buffer length is large enough.
Fix EVP_SealInit() to initialise the output buffer length to the RSA
modulus length, not the input KEK length.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28517)
Neil Horman [Thu, 11 Sep 2025 12:40:14 +0000 (08:40 -0400)]
Update our CI jobs to cover the 3.6 stable branch
The coveralls, prov-compat and provider-compatibiity CI jobs test each
of the stable branches. We need to add 3.6 to the list in each of those
tests
Fixes openssl/project#1424
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28519)
kmac_prov.c.in: avoid resource leak on kmac_new_decoder fail in kmac_fetch_new
kctx was not freed in a case of kmac_new_decoder failure; consolidate
all the error paths under the "err:" label and jump to it on kmac_new_decoder()
returning 0.
Fixes: d5efc853796b "kmac: avoid using ossl_prov_digest_load_from_params()"
Resolves: https://github.com/openssl/project/issues/1419
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1453634 Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28516)
Replace homebrewed implementation of *printf*() functions with libc
Switching from ANSI-C we can use implementation of printf like
function provided by libc on target platform. This applies
starting from 3.6 and onwards.
The slight exception here is old windows printf functions
before 2015, those are supported.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28305)
crmf_lib.c create_popo_signature(): add error queue entry on signature failure
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28482)
OSSL_CALLBACK.pod: add missing info on required return values of callback functions
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28474)
Jakub Jelen [Tue, 9 Sep 2025 16:10:30 +0000 (18:10 +0200)]
doc: Add missing commas
CLA: trivial Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28493)
Igor Ustinov [Tue, 9 Sep 2025 19:50:01 +0000 (21:50 +0200)]
Doc changes: the -hmac-env and -hmac-stdin options of openssl-dgst
will appear in version 4.0
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28497)
Add one more trace message to the torture_rcu_high test
It is interesting that in the very rare cases, where this
test failure has been observed so far, the rcu torture value
went always backwards to 0. This could be either due to
ossl_rcu_deref(&writer_ptr) returning NULL, or the initial
value of "new = CRYPTO_zalloc(sizeof(uint64_t), NULL, 0)"
still visible despite ossl_rcu_assign_ptr(&writer_ptr, &new)
immediatley after the "*new = global_ctr++" statement.
Add one additional trace message to find out what exactly
happens here, when it happens again.
Additionally, we do no longer initialize the new value to
zero but something else, so it can also be detected.
Related to #27267
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28487)
In some cases this information is necessary on the provider side
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28486)
doc/man3/RAND_load_file.pod: RAND_load_file on non-regular files with bytes=-1
Mention that RAND_load_file attempts to read only RAND_DRBG_STRENGTH
bytes on non-regular files if the number of bytes to be read
is not specified explicitly.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28379)
crypto/rand/randfile.c: avoid signed integer overflow in RAND_load_file
If a file supplied to RAND_load_file is too big (more than INT_MAX bytes),
it is possible to trigger a signer integer overflow during ret calculation.
Avoid it by returning early when we are about to hit it on the next
iteration.
Reported-by: Liu-Ermeng <liuermeng2@huawei.com>
Resolves: https://github.com/openssl/openssl/issues/28375 Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28379)
util/find-doc-nits: do not check files in submodules in check_env_vars
The reports about undocumented environment variables coming from files
in submodules are superfluous; get the list of directories
from .gitmodules and exclude them from processing.
Resolves: https://github.com/openssl/openssl/issues/28109 Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28378)
Enji Cooper [Fri, 5 Sep 2025 03:22:00 +0000 (20:22 -0700)]
Make the Unix build process more repeatable
Before this change all manpages would contain the date when pod2man was
run. This resulted in outputs that differed between builds--or
potentially across a single build if the host clock "ticked" to the next
day when the build was being run.
This commit modifies the manpage generation process as follows:
- The date all manpages were generated will be normalized to a single
date.
- The release date specified in `VERSION.dat` is used instead of the
date/time when `pod2man` was executed OR--in the event a date isn't
specified in `VERSION.dat`--the time when the Makefiles were last
regenerated.
Embedding a consistent date into the generated manpages helps ensure that
the build process as a whole is more repeatable and helps ensure that
release versions of OpenSSL create artifacts consistent with the date
that the official release was cut.
Co-authored-by: Richard Levitte <levitte@openssl.org> Signed-off-by: Enji Cooper <yaneurabeya@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28449)
It is replaced by a few flags starting with '--allow-'. Currently:
--allow-unauthenticated
--allow-downgrades
--allow-remove-essential
--allow-change-held-packages
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28435)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28422)
David Benjamin [Sun, 31 Aug 2025 22:09:52 +0000 (18:09 -0400)]
Add a helper function to delete the extension list
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28398)
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
This means that a present but empty extensions list is actually invalid.
Rather, if you have no extensions to encode, you are meant to omit the
list altogether. Fix the delete_ext functions to handle this correctly.
This would mostly be moot, as an application adding extensions only to
delete them all would be unusual. However, #13658 implemented a slightly
roundabout design where, to omit SKID/AKID, the library first puts them
in and then the command-line tool detects some placeholder values and
deletes the extension again.
Fixes #28397
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28398)
Viperinius [Sun, 31 Aug 2025 16:09:11 +0000 (16:09 +0000)]
Fix typo in BN_generate_prime docs
CLA: trivial
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28395)
Norbert Pocs [Wed, 27 Aug 2025 13:45:45 +0000 (15:45 +0200)]
docs: Be case specific with links to man headers
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28356)
Also update a check for a negative int length value
in mem_write().
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26438)
projects / thirdparty / openssl.git / log
