Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28403)
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28369)
Simo Sorce [Fri, 10 Jan 2025 22:20:59 +0000 (17:20 -0500)]
Implement EVP_KDF_CTX_set_SKEY
This allows using an SKEY as input to a KDF derive operation.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28369)
Signed-off-by: Dmitry Belyavskiy <beldmit@gmail.com> Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28369)
Signed-off-by: Dmitry Belyavskiy <beldmit@gmail.com> Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28369)
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28369)
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28369)
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28369)
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28369)
Design document of using opaque object as symmetric key
Signed-off-by: Dmitry Belyavskiy <beldmit@gmail.com> Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28369)
Leonabcd123 [Thu, 28 Aug 2025 08:46:13 +0000 (11:46 +0300)]
Fix typos and whitespace
Added "the" before "use"
Add missing whitespace
Removed unnecessary apostrophe in FIPS.md
CLA: trivial
Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28362)
test/bioprinttest.c: move the %n result to the field that is later checked
The test_n test implicitly assumed a certain union layout, as the %n was
writing to the union field in accordance with the length modifier being
tested, but the comparison of the expected value was done against the val field,
and that is incorrect, especially on big-endian architectures. Fix that
by explicitly assigning the result to the val field of the union and
updating the expected values where the resulting value overflows
into negative.
Fixes: 9deaf8383338 "test/bioprinttest.c: add some checks for integer and string printing"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28388)
test/bioprinttest.c: fix sloppy length modifier usage in int_data
Some test vectors used in int_data have mismatching (or, more
specifically, missing) length modifiers in conversion specifiers;
most of the time it has gone unnoticed, but on some architectures where
64-bit arguments are supplied differently (such as mips and armv7) it led
to garbage being retrieved instead of the expected values. Fix it
by providing proper length modifiers.
Fixes: 9deaf8383338 "test/bioprinttest.c: add some checks for integer and string printing"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28388)
Pauli [Thu, 14 Aug 2025 04:57:19 +0000 (14:57 +1000)]
slh-dsa: add a PCT for key import when in FIPS mode
Fixes #28182
Co-Authored-By: slontis <shane.lontis@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28276)
crypto/bio/bio_print.c: improve the precision handling in fmtint
Per [1]:
* A negative precision is taken as if the precision were omitted.
* The default precision is 1.
* For d, i, o, u, x, and X conversion specifiers, if a precision
is specified, the '0' flag shall be ignored.
crypto/bio/bio_print.c: bring back the length modifier support for %n
For some reason, it has been removed in commit 15b337fa58ba "bio/b_print.c:
switch to int64_t as "greatest-width integer type".", despite being a part
of the standard in both ANSI C and POSIX.1-2001. Bring it back for all
the supported length modifiers.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28177)
crypto/bio/bio_print.c: make %n in line with other libc implementations
The standard[1] is pretty vague in its definition of the %n specifier
by using "the number of bytes written to the output so far", without
actually elaborating, whether only the actually written bytes, or the bytes
that would be written (but discarded) are used; the consensus across
implementations, however, seems to gravitate towards the latter. Track
the virtual "write position" separately and use its value when a %n format
occurs. That also means that we cannot finish the output early
upon reaching the end of the buffer (unless we made sure that no %n specifiers
occur in the remainder of the format string).
crypto/bio/bio_print.c: always terminate output with \0
Man page states that the result is terminated with \0 on error, however,
when the jump to the "out" label is performed in _dopr, writing out \0
is skipped. Rearrange the end of the routine to make the "out" part
include the overflow calculation and the final \0 writing.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28177)
crypto/bio/bio_print.c: consolidating print arguments in a structure
buffer/sbuffer/maxlen/currlen are passed together between _dopr, fmt*,
and doapr_outch; consolidate them together in a structure and pass
it instead. A preparatory commit before introducing a separate "write
position" parameter, that is also to be passed around.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28177)
crypto/bio/bio_print.c: no prefix for zero value in alternative form
Per [1] (emphasis is added):
- For o conversion, it shall increase the precision,
**if and only if necessary**, to force the first digit of the result
to be a zero (**if the value and precision are both 0,
a single 0 is printed**).
- For x or X conversion specifiers, a **non-zero** result shall have
0x (or 0X) prefixed to it.
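The printf rules the bio_print.c commits above cite (%n counting, NUL termination on truncation, precision handling and the alternative form), checked against the host libc's snprintf as an added example that is not OpenSSL code. It assumes a glibc- or musl-style libc whose %n reports the virtual write position even after truncation, the consensus the %n commit adopts.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL code: the printf rules cited by the bio_print.c
 * commits (%n counting, NUL termination, precision handling and the
 * alternative form), probed against the host libc's snprintf. It assumes a
 * glibc- or musl-style libc in which %n reports the virtual write position
 * even after the output was truncated, the consensus the %n commit follows. */

/* Format `text` into a buffer of `limit` bytes and return what %n reported.
 * Returns -1 if the truncated output is not the NUL-terminated prefix. */
static int percent_n_after_truncation(const char *text, size_t limit)
{
    char buf[32];
    int pos = -1;

    if (limit == 0 || limit > sizeof buf)
        return -1;
    snprintf(buf, limit, "%s%n", text, &pos);
    /* Only limit-1 bytes fit, but the buffer is always terminated. */
    if (strlen(buf) != limit - 1 || strncmp(buf, text, limit - 1) != 0)
        return -1;
    return pos;      /* strlen(text): bytes that *would* have been written */
}

/* "%.*d": a negative precision behaves as if omitted (default precision 1),
 * and precision 0 with value 0 yields an empty field. */
static int prec_d_gives(int prec, int v, const char *expect)
{
    char buf[32];

    snprintf(buf, sizeof buf, "%.*d", prec, v);
    return strcmp(buf, expect) == 0;
}

/* "%0*.*d": once a precision is given the '0' flag is ignored and the
 * field width is padded with spaces instead of zeros. */
static int zero_flag_d_gives(int width, int prec, int v, const char *expect)
{
    char buf[32];

    snprintf(buf, sizeof buf, "%0*.*d", width, prec, v);
    return strcmp(buf, expect) == 0;
}

/* "%#x": the 0x prefix is added only for a non-zero value. */
static int alt_x_gives(unsigned v, const char *expect)
{
    char buf[32];

    snprintf(buf, sizeof buf, "%#x", v);
    return strcmp(buf, expect) == 0;
}

/* "%#.*o": a leading 0 is added only when the digits do not already start
 * with one, so a precision that supplies the zero gets no extra prefix. */
static int alt_o_gives(int prec, unsigned v, const char *expect)
{
    char buf[32];

    snprintf(buf, sizeof buf, "%#.*o", prec, v);
    return strcmp(buf, expect) == 0;
}

int main(void)
{
    int ok = percent_n_after_truncation("hello world", 4) == 11
        && prec_d_gives(-1, 42, "42") && prec_d_gives(0, 0, "")
        && prec_d_gives(3, 7, "007")
        && zero_flag_d_gives(5, 3, 42, "  042")
        && zero_flag_d_gives(5, -1, 42, "00042")
        && alt_x_gives(0, "0") && alt_x_gives(255, "0xff")
        && alt_o_gives(-1, 0, "0") && alt_o_gives(-1, 8, "010")
        && alt_o_gives(4, 8, "0010");

    printf("libc agrees with the cited rules: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```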
Pavol Žáčik [Wed, 20 Aug 2025 12:35:03 +0000 (14:35 +0200)]
Add SKEYMGMT support to the FIPS provider
And extend the SKEY managers listing test with a FIPS case.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28339)
Jakub Jelen [Mon, 25 Aug 2025 08:04:41 +0000 (10:04 +0200)]
doc: Fix function name in example code
CLA: trivial
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28334)
Holger Dengler [Wed, 20 Aug 2025 15:55:43 +0000 (17:55 +0200)]
aes-s390x.pl: Initialize reserved and unused memory
The reserved bytes in the parameter block (bytes 0-11) for the KMA
instruction should be set to zero to be compatible in case of future
architecture changes.
While at it, also the following unused parts of the parameter block
(bytes 48-63) are also cleared to avoid false positives with various
memory checkers like valgrind.
As it makes - performance wise - no difference to process 12, 48 or 64
bytes with one XC call, but two XC calls are slower than one call, the
first 64 bytes of the parameter block will be cleared with a single XC
call. This will also initialize the counter in the parameter block
(bytes 12-15), although it is not strictly necessary.
Co-developed-by: Juergen Christ <jchrist@linux.ibm.com> Signed-off-by: Juergen Christ <jchrist@linux.ibm.com> Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28315)
doc/man3/SSL_poll.pod: mention SSL_POLL_EVENT_{EL,IC} in SYNOPSIS
While the constants are present since the initial commit 2a5ee0a08d2c "QUIC:
Add polling API", they weren't initially documented in c9b0df2250e2 "QUIC:
Add manpage for SSL_poll" (probably due to absence of the QUIC server
mode support at the time), and mentioned for the first time in b20f55702100
"QUIC: Update SSL_poll documentation", but without the accompanying update
of the SYNOPSIS section. Rescind the omission by updating it as well.
Complements: b20f55702100 "QUIC: Update SSL_poll documentation"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28303)
Pavol Žáčik [Tue, 19 Aug 2025 12:26:07 +0000 (14:26 +0200)]
Add targets to skip build of non-installable programs
These make it possible to split the build into two
parts, e.g., when tests should be built with different
compiler flags than installed software.
Also use these as dependencies where appropriate.
Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28302)
Michael Baentsch [Wed, 16 Jul 2025 09:18:02 +0000 (11:18 +0200)]
rebase to master fixing some missing group references
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26965)
Nachel72 [Sun, 17 Aug 2025 06:08:38 +0000 (14:08 +0800)]
Fix: Add free to avoid memory leak.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28289)
Anthony Roberts [Thu, 3 Jul 2025 10:21:37 +0000 (11:21 +0100)]
Fix `VC-WIN64-CLANGASM-ARM` target
This was broken for Windows ARM64 in #22949
The comments were in the wrong format, and a define check of `_M_ARM64` was missed in places
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27958)
Nikola Pajkovsky [Fri, 15 Aug 2025 12:02:44 +0000 (14:02 +0200)]
dh: add FIPS 140-3 PCT on key generation
According to FIPS 140-3 IG 10.3.A Additional Comment 1, a PCT shall be
performed.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28280)
Nachel72 [Mon, 18 Aug 2025 07:53:48 +0000 (15:53 +0800)]
fix(pkcs12): prevent PKCS7 memleak in p12_npas.c
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28292)
Viktor Dukhovni [Mon, 28 Jul 2025 07:45:18 +0000 (17:45 +1000)]
Add design doc for rfc4514 DN output format
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28104)
Reviewed-by: Hugo Landau <hlandau@devever.net> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28210)
ritoban23 [Wed, 13 Aug 2025 20:19:17 +0000 (01:49 +0530)]
Fix null pointer check in pkey_dh_derive to ensure both keys are set
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28259)
Nachel72 [Wed, 13 Aug 2025 15:15:05 +0000 (23:15 +0800)]
Fix: Check for wrong object. The converted sc should be checked instead of the original s
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28248)
Holger Dengler [Thu, 21 Aug 2025 12:14:04 +0000 (14:14 +0200)]
Ignore generated assembler files for cpuid functions
The architecture-specific code to detect CPU features at runtime is
generated from Perl Assembler. Modify the ignore pattern to match the
generated .S files for all architectures.
Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28318)
Niels Dossche [Thu, 21 Aug 2025 11:24:01 +0000 (13:24 +0200)]
Fix reallocation failure condition in qtx_resize_txe()
Returning the same pointer does not mean that the reallocation failed,
it would also prevent updating alloc_len down below.
This is similar code and a similar change to 043a41ddee.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28317)
vkryl [Fri, 15 Aug 2025 12:01:51 +0000 (15:01 +0300)]
Android: Enable 16 KB ELF alignment for `arm64-v8a` and `x86_64` platforms
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@devever.net> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28277)
Niels Dossche [Tue, 19 Aug 2025 20:56:38 +0000 (22:56 +0200)]
Make error checks on RSA_public_decrypt() consistent
Some are only checking for a value < 0, some for <= 0, some for == 0, etc.
The documentation tells us that -1 is returned on error, so at least the
== 0 ones are wrong. In general, the return values are checked
inconsistently. This patch makes the return value checks consistent to
the form that seems to occur most.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28306)
Current QUIC stack may leave connection monitored by SSL_poll() to stale
during regular shutdown. The issue is triggered when ACK for client's
FIN gets delayed. The sequence of operations to trigger
the stale of QUIC connection at client goes as follows:
- application calls SSL_shutdown() on connection,
the shutdown can not proceed, because bi-directional
stream must be flushed. The client awaits ACK from
server acknowledging reception of FIN on client's stream
- the stream object gets destroyed, because application
received all data from server.
- application updates poll set and passes to SSL_poll()
- ssl poll ticks the engine. Engine receives delayed ACK
and marks stream as flushed. At this point the SSL_shutdown()
operation may proceed given the application calls the
SSL_shutdown(). However there is no mechanism to make SSL_poll()
return so application is unable to proceed with its event
loop where SSL_shutdown() may get called.
This change introduces ossl_quic_channel_notify_flush_done() function
which notifies channel when all streams are flushed (all FINs got ACKed).
The first thing SSL_shutdown() does is call ossl_quic_stream_map_begin_shutdown_flush().
The function walks the list of all streams attached to the channel and notes how many
streams are missing an ACK for their FIN. In our test case it finds one such stream.
Call to SSL_shutdown() returns and application destroys the SSL stream object
and updates a poll set.
SSL_poll() gets called. The QUIC stack (engine) gets ticked and reads data
from socket. It processes delayed ACK now. The ACK-manager updates the
stream notifying the server ACKs the FIN sent by client. The stream
is flushed now. The shutdown_flush_done() for the stream gets called on
behalf of ACK manager.
The shutdown_flush_done() does two things:
- it marks stream as flushed
- it decrements the num_shutdown_flush counter initialized
by the earlier call to ossl_quic_stream_map_begin_shutdown_flush()
called by SSL_shutdown()
The change here calls ossl_quic_channel_notify_flush_done() when
num_shutdown_flush reaches zero.
The ossl_quic_channel_notify_flush_done() then calls function
ossl_quic_channel_notify_flush_done(), which just moves the state
of the channel (connection) from active to terminating state.
The change of channel state is sufficient for SSL_poll() to
signal _EC event on connection.
Once application receives _EC event on connection it should
check the state of the channel/reason of error. In regular case
the error/channel state hints application to call SSL_shutdown()
so connection object can proceed with connection shutdown.
The SSL_shutdown() call done now moves channel to terminated
state. So the next call to SSL_poll() can signal _ECD which
tells application it's time to stop polling on SSL connection
object and destroy it.
Fixes openssl/project#1291
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28116)
Matt Caswell [Thu, 7 Aug 2025 16:50:17 +0000 (17:50 +0100)]
Don't keep the store open in by_store_ctrl_ex
Previously #27529 made a change to `by_store_ctrl_ex` in order to open
the OSSL_STORE early. The reason given in that PR is:
"This way, we can call OSSL_STORE_open_ex() in by_store_ctrl_ex(), and
get to see possible errors when the URI is loaded"
That PR then kept the store open until cache_objects is called and then
reused it. Unfortunately by the time cache_objects() is called we could be
in a multi-threaded scenario where the X509_STORE is being shared by
multiple threads. We then get a race condition where multiple threads are
all using (and ultimately closing) the same `OSSL_STORE_CTX`.
The purpose of keeping the `OSSL_STORE` object between by_store_ctrl_ex()
and `cache_objects` is presumably an optimisation to avoid having to open
the store twice. But this does not work because of the above issue.
We just take the hit and open it again.
Fixes #28171
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28198)
fips: upgrade self-test KATs to reduce SHA-1/SHA-224 usage
FIPS 140-3 IG states that SHA-224 needs standalone KAT, if it is
implemented without SHA-256. As OpenSSL implements SHA-256, upgrade
existing higher level KAT from SHA-224 to SHA-256 without adding
SHA-224 digest KAT.
Upgrade KATs that use SHA-1 to SHA-256, and add explicit SHA-1 KAT.
SHA-1 and SHA-224 are promised to be deprecated by 2030, as per draft
[NIST SP 800-131A Rev. 3](https://csrc.nist.gov/pubs/sp/800/131/a/r3/ipd).
With upgrades to these KATs it makes it easier to build a module with
SHA-1 and SHA-224 marked as unapproved services, or removed
altogether.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28307)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28213)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28213)
Add DetECDSA self test, signature is one byte shorter somehow
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28213)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28213)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28213)
[FIPS 186-5](https://doi.org/10.6028/NIST.FIPS.186-5) approved deterministic ECDSA in the same manner as [RFC 6979](https://datatracker.ietf.org/doc/html/rfc6979).
Thus add deterministic ECDSA capability to the FIPS provider.
DSA signature generation has been deprecated and removed from FIPS
186-5, thus deterministic DSA signature creation is not added to the
FIPS provider.
Testing can be done by performing 20-test_dgst.t but it needs to be version
guarded against different FIPS provider versions. Thus it is left out of
this PR for now.
It is not clear if HMAC-DRBG-KDF should be exposed publicly for
direct usage as an approved usage, or if it should be marked as
unapproved or better yet made completely internal to the FIPS
provider.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28213)
Pavol Žáčik [Mon, 11 Aug 2025 10:19:59 +0000 (12:19 +0200)]
apps/speed.c: Support more signature algorithms
Some signature algorithms (e.g., ML-DSA-65) cannot be initialized
via EVP_PKEY_sign_init, so try also EVP_PKEY_sign_message_init
before reporting an error.
Fixes #27108.
Signed-off-by: Pavol Žáčik <zacik.pa@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28224)
Pavol Žáčik [Mon, 11 Aug 2025 10:02:03 +0000 (12:02 +0200)]
apps/speed.c: Disable testing of composite signature algorithms
Creating public key context from name would always fail
for composite signature algorithms (such as RSA-SHA256)
because the public key algorithm name (e.g., RSA) does
not match the name of the composite algorithm.
Relates to #27855.
Signed-off-by: Pavol Žáčik <zacik.pa@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28224)
Matt Caswell [Fri, 15 Aug 2025 16:12:11 +0000 (17:12 +0100)]
Test setting a client to send a key share not allowed in TLSv1.3
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Hugo Landau <hlandau@devever.net> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28283)
Matt Caswell [Fri, 15 Aug 2025 15:43:49 +0000 (16:43 +0100)]
Fail immediately if we have no key shares to send
If we are configured in such a way that we have no valid key shares to
send in the ClientHello we should immediately abort the connection.
Fixes #28281
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Hugo Landau <hlandau@devever.net> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28283)
test/stack_test.c: check sk_sint_push result in test_int_stack
coverity complains about possible double free, which does not seem
to be the case with the current implementation, but it still
would be nice to check and react to an unexpected sk_sint_push result.
Complements: 9837496142cf "Unit tests for crypto/stack."
Resolves: https://scan5.scan.coverity.com/#/project-view/65249/10222?selectedIssue=1662046
Related: https://github.com/openssl/project/issues/1317
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28238)
Referencing to old_ret after it has been freed by realloc is UB, so drop
its usage in the printing routine, and don't check it for being non-NULL
(as it is not a mistake to call free() on NULL pointer anyway).
Fixes: d090695101a9 "test: add a sanity test for memory allocation functions"
Resolves: https://scan5.scan.coverity.com/#/project-view/65279/10222?selectedIssue=1662052
Related: https://github.com/openssl/project/issues/1317
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28238)
test/sslapitest.c: tfix in row allocation in create_new_vfile
sizeof(*row) and not sizeof(row) is supposed to be used for the array
allocation.
Fixes: 76fd7a1d6192 "Add a test for SRP"
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1662054
Related: https://github.com/openssl/project/issues/1317
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28238)
Bernd Edlinger [Mon, 18 Aug 2025 09:39:52 +0000 (11:39 +0200)]
Fix the return value of OBJ_create
OBJ_create is supposed to return NID_undef on error
and the newly created NID on success.
Fixes: 88a1fbb8d1b2 ("reduce lock contention when adding objects to ADDED_OBJ hash table")
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28293)
BIO_dgram: Fix BIO_CTRL_DGRAM_QUERY_MTU for IPv4-mapped IPv6 addresses
Ensure the correct IP header size is subtracted by reusing
dgram_get_mtu_overhead(), which handles address families properly.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28088)