Co-authored-by: Andrew Dinh <andrewd@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28023)
Co-authored-by: Andrew Dinh <andrewd@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28023)
ACK manager must avoid infinite probe time when waiting handshake confirmation
According to RFC 9002, section 6.2.2.1 the client the client must keep PTO (probe
time out) armed if it has not seen HANDSHAKE_DONE quic message from server.
Not following RFC spec here may cause the QUIC session to stale during TLS handshake.
Fixes openssl/project#1266
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28023)
Richard Levitte [Wed, 16 Jul 2025 13:08:48 +0000 (15:08 +0200)]
Add a test of 'openssl storeutl' with a BER-encoded PKCS#12 file
The test file (test-BER.p12) was given to us by David von Oheimb
Co-Authored-By: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/28016)
Richard Levitte [Thu, 10 Jul 2025 15:55:50 +0000 (17:55 +0200)]
Fix OSSL_STORE to consider cached info in the EOF check.
OSSL_STORE_load() called OSSL_STORE_eof() before checking if there is
cached OSSL_STORE_INFO to consider. To fix this issue, the cached info
check is moved to OSSL_STORE_eof(), as that seems to make most common
sense.
This solves an issue with PKCS#12 files, where the cached info was never
considered because the underlying file IO layer signaled that EOF is
reached.
Fixes #28010
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/28016)
AntonMoryakov [Mon, 2 Jun 2025 10:14:28 +0000 (13:14 +0300)]
sm2: sm2_sign.c: check EC_KEY_get0_private_key() for NULL in sm2_sig_gen()
Static analysis revealed that sm2_sig_gen() dereferences the return value
of EC_KEY_get0_private_key() without checking for NULL. This could lead to
a crash if the private key is unset.
This patch adds a NULL check and raises ERR_R_PASSED_NULL_PARAMETER if the
key is missing.
Issue found by static analyzer:
> Return value of EC_KEY_get0_private_key() is dereferenced without checking for NULL (11/12 checked)
CLA: trivial Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27741)
Daniel Van Geest [Wed, 23 Jul 2025 08:30:57 +0000 (10:30 +0200)]
openssl rand command should use the loaded library context
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28075)
Raise PROV_R_NULL_OUTPUT_BUFFER if shsec is NULL in ml_kem_encapsulate()
Signed-off-by: lanming <lanming@huawei.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28009)
quarckster is the owner of the /.github/workflows/ directory.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28060)
Dmitry Misharov [Mon, 31 Mar 2025 14:50:36 +0000 (16:50 +0200)]
pin GitHub Actions revisions from untrusted vendors
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27209)
the test shows that sec mem is ok-ish up to the number of available cores,
and when the sec mem lock gets contended, performance goes down rapidly.
Tested on Apple M4 Pro.
[1] https://github.com/openssl/openssl/pull/27625
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28011)
Nikola Pajkovsky [Fri, 11 Jul 2025 07:18:12 +0000 (09:18 +0200)]
ci: enable lms only on master
a new config option cannot be enabled globally because the option
was not backported to the older versions.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28019)
Michael Baentsch [Mon, 30 Jun 2025 07:33:46 +0000 (09:33 +0200)]
Add note about use of EVP_PKEY in different libctxs
Co-authored-by: Shane Lontis <slontis@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26309)
QUIC receiver may accidentally ACK packet it fails to process
we set ok to -1 as we enter ossl_quic_handle_frames(). If we
set ok to 0 here we effectively assume successful processing
of all frames found in packet. We do this just before
we return from function:
```
1479
1480 /* Now that special cases are out of the way, parse frames */
1481 if (!PACKET_buf_init(&pkt, qpacket->hdr->data, qpacket->hdr->len)
1482 || !depack_process_frames(ch, &pkt, qpacket,
1483 enc_level,
1484 qpacket->time,
1485 &ackm_data))
1486 goto end;
1487
1488 ok = 1;
1489 end:
1490 /*
1491 * ASSUMPTION: If this function is called at all, |qpacket| is
1492 * a legitimate packet, even if its contents aren't.
1493 * Therefore, we call ossl_ackm_on_rx_packet() unconditionally, as long as
1494 * |ackm_data| has at least been initialized.
1495 */
1496 if (ok >= 0)
1497 ossl_ackm_on_rx_packet(ch->ackm, &ackm_data);
1498
1499 return ok > 0;
```
if the call to `depack_process_frames()` at line 1492 fails, because
barticualr frame in packet is corrupted/invalid we take a branch
to `end:` goto target. In this case we must avoid the call to
`ossl_ackm_on_rx_packet()`. Packet with malformed/invalid frame
must not be accepted. See RFC 9000 section 13.1:
Once the packet has been fully processed, a receiver acknowledges
receipt by sending one or more ACK frames containing the packet
number of the received packet.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28002)
Neil Horman [Tue, 1 Jul 2025 18:19:17 +0000 (14:19 -0400)]
Fixup non-optional use of IO::Socket::IP
IO::Socket::IP is an optionally used package in our perl scripts, and a
recent change of mine used it unilaterally, causing breakage on older
perl installations. Fix it up to use it optionally again, falling back
to IO::Socket::INET when needed.
Fixes #27940
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27941)
The check-ansi job is failing in the openssl-3.5 branch as a result of commit 60775e3. Fix that.
I guess this job doesn't run on PRs in master?
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27944)
Daniel Van Geest [Mon, 23 Jun 2025 11:45:59 +0000 (12:45 +0100)]
decoders: Fix prioritization of decoders via property query
When a property query string was used, it was not being applied to decoders.
When multiple providers supporting the same algorithm were loaded, it was
undefined which provider would be used when decoding a key, even when a
propquery string was provided. This fix scores decoder instances based on
property query matching and selects the highest scored decoder instance when
building the decoder chain.
The fake_rsa test provider is updated to support basic encoding and decoding.
A test is added using the fake_rsa provider to ensure that property query
strings are respected when loading decoders.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27876)
INDIA\kanagavels [Wed, 18 Jun 2025 13:12:54 +0000 (18:42 +0530)]
Fixes #27831: Decreased NAMEMAP_HT_BUCKETS to 512.
Decreased the NAMEMAP_HT_BUCKETS value to 512, to avoid memory
allocation fail issues.
CLA: Trivial
Signed-off-by: Kanagavel S <kanagavels@ami.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27850)
noctuelles [Thu, 29 May 2025 19:01:21 +0000 (21:01 +0200)]
fix: msg callback in dtls1_do_write that incorrectly shows message (like a certificate) that spans over multiple fragments.
Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27811)
Christian Vögl [Thu, 26 Jun 2025 16:37:37 +0000 (18:37 +0200)]
Fix nullpointer dereference in OSSL_PARAM_merge
OSSL_PARAM_merge contained an error, where a nullpointer was
dereferenced when both parameter arrays ended with the same key
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27910)
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27895)
Ingo Franzki [Mon, 23 Jun 2025 11:42:08 +0000 (13:42 +0200)]
speed: Increase MAX_SIG_NUM and fix its usage in loopargs_t fields
Increase the maximum number of signature algorithms.
With the introduction of the SignMessage and VerifyMessage API with
OpenSSL 3.4 the providers that support combined digest and sign algorithms
register quite a lot more signature algorithms, so the current limit of
111 is hit easily.
While at it correct the definitions of the signature fields within the
loopargs_t structure to use MAX_SIG_NUM instead of MAX_KEM_NUM.
Closes: https://github.com/openssl/openssl/issues/27873 Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27878)
Richard Levitte [Fri, 20 Jun 2025 12:29:04 +0000 (14:29 +0200)]
Nit: macro parameters should always be parenthesised in expressions
Affected macros: ossl_likely and ossl_unlikely
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27862)
Neil Horman [Thu, 19 Jun 2025 16:38:41 +0000 (12:38 -0400)]
Fix exit code for s_time when -new command line switch specified
When operating with the -new switch in apps/openssl s_time, we neglect
to set the exit code properly, and so the app exits with a code of 1
rather than 0 as expected
Fixes #27856
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27857)
Neil Horman [Fri, 20 Jun 2025 14:22:10 +0000 (10:22 -0400)]
Fix buggy stringop-overflow error on s390
Despite some recent changes to our s390 builds, we're still seeing
errors due to some stringop-overflow warnings:
https://github.com/openssl/openssl/actions/runs/15748518222/job/44389197443
It appears to be caused because the static analysis that gcc preforms in
gcc 12 (the version of the compiler on our s390 runner), fails to infer
the proper sizes of the buffer on which we do the reverse memcpy in
swap_copy(), resulting in warnings, which on --strict-warnings builds,
breaks us.
Fix it by using inlen rather than outlen to limit the copy length,
adjusting it if need be to match the size of the output buffer in
le_copy(). This allows the compiler to properly infer the array length
constraints and suppress the warnings.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27864)
Sergey Kandaurov [Wed, 28 May 2025 17:58:26 +0000 (21:58 +0400)]
Preserve connection custom extensions in SSL_set_SSL_CTX()
The SSL_set_SSL_CTX() function is used to switch SSL contexts for
the given SSL object. If contexts differ, this includes updating
a cert structure with custom extensions from the new context. This
however overwrites connection custom extensions previously set on
top of inherited from the old context.
The fix is to preserve connection custom extensions using a newly
introduced flag SSL_EXT_FLAG_CONN in custom_ext_copy_conn().
Similar to custom_ext_copy(), it is a no-op if there are no custom
extensions to copy.
The only such consumer is ossl_quic_tls_configure() used to set the
"quic_transport_parameters" extension. Before this change, context
switch resulted in transport parameters not being sent due to the
missing extension.
Initially reported at https://github.com/nginx/nginx/issues/711
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27706)
Update pkeyutl documentation for PQC algorithms (Fixes #27415)
Add examples and documentation for using ML-DSA, ML-KEM, and SLH-DSA algorithms with pkeyutl. This includes information about the context-string option for ML-DSA and examples of encapsulation/decapsulation with ML-KEM.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27424)
Levi Zim [Wed, 16 Apr 2025 06:21:33 +0000 (14:21 +0800)]
Avoid potential double close of client_skt in sslecho
The server_running variable is declared as volatile and some comments in
the code are mentioning about implementing CTRL+C handler in the future.
In the client handling loop, the client_skt is closed at the end of the
loop if server_running is true. If (future) CTRL+C handler changes
server_running to false at this time. The next accept will not happen
and the exit clean up code will close client_skt for the second time.
This patch fixes this potential double close by setting client_skt back
to -1 after closing it.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27405)
Tomas Mraz [Thu, 19 Jun 2025 08:59:10 +0000 (10:59 +0200)]
Add strlen to symbols allowed on Windows
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27854)
Viktor Dukhovni [Fri, 11 Apr 2025 14:35:57 +0000 (00:35 +1000)]
Report errors in ML-KEM pkey hash
When on import the public key hash of a private key fails to match the
public part, add an appropriate message to the error stack. Previously,
the just failed to parse, without a reason.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27352)
sashan [Wed, 11 Jun 2025 06:23:38 +0000 (08:23 +0200)]
ossl_rio_poll_builder_add_fd(): Fixup pfds after reallocation
Local variable `pfds` used in `ossl_rio_poll_builder_add_fd()` must be consistent
with `rpb->pfd_heap`. The function maintains array of SSL objects for SSL_poll(3ossl).
It works with no issues until we need to reallocate `rbp->pfd_heap` in `rpb_ensure_alloc()`.
After `rpb_ensure_alloc()` returns we must update local variable `pfds` with `rpb->pfd_heap`
not doing so makes function to write to dead buffer.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27804)
JiashengJiang [Mon, 12 May 2025 13:59:02 +0000 (09:59 -0400)]
test/helpers/quictestlib.c: Use goto instead of return to avoid memory leak
When TEST_ptr(*cssl) fails, bdata should be freed to avoid memory leak.
Fixes: a55b689 ("Use reported short conn id len in qtestlib") Signed-off-by: JiashengJiang <jiasheng@purdue.edu> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27599)
Return an error when update or final is used after the context has
already been finalized. Flag 'iimp' (intermediate-input-message-part)
must be 1 to allow an update or final call. If iimp is 0, then the
context has already been finalized.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27781)
Bartel Artem [Wed, 11 Jun 2025 03:58:31 +0000 (06:58 +0300)]
return NULL if gctx allocation fails.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27795)
Bartel Artem [Tue, 10 Jun 2025 10:11:41 +0000 (13:11 +0300)]
check gctx for NULL before cleanup.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27795)
Matt Caswell [Wed, 11 Jun 2025 08:50:16 +0000 (09:50 +0100)]
Allow our *_gen_cleanup functions to tolerate a NULL ctx
Our *_gen_cleanup functions are essentially "free" functions. Our
free functions tolerate NULL being passed. We are being inconsistent with
our *_gen_cleanup functions. Some of them tolerate NULL and others do not.
We should consistently tolerate NULL.
See also #27795
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27807)
Ingo Franzki [Wed, 28 May 2025 06:55:49 +0000 (08:55 +0200)]
Silence -Wstringop-overflow warnings with gcc 14 on s390x
Compiling OpenSSL on s390x with gcc 14 (i.e. in Fedora 41) shows several
-Wstringop-overflow warnings in providers/implementations/rands/drbg_ctr.c
and test/params_api_test.c.
Add explicit length checks to let the compiler know that it won't overrun
the buffer. This also silences the warnings.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27710)
Viktor Dukhovni [Tue, 13 May 2025 15:23:25 +0000 (01:23 +1000)]
Allow keygen after dup of minimal PKEY ctx
It should be possible to repeatedly duplicate a PKEY CTX created via
EVP_PKEY_CTX_new_from_name() that has not yet been assigned an
"operation" (e.g. via EVP_PKEY_CTX_keygen_init()), and then perform
keygen_init() and keygen() on the duplicated copies.
When the operation is not yet set, all that's needed is to not try to
use the key if one isn't set yet.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27662)
Daniel Van Geest [Fri, 28 Mar 2025 10:40:32 +0000 (10:40 +0000)]
Fix SHAKE AlgorithmIdentifier encodings
NIST CSOR specifies that the id-shake128 and id-shake256
algorithm identifiers, like the SHA-3 ones, do not carry
any parameters.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27190)
yexiaochuan [Sat, 31 May 2025 09:47:58 +0000 (17:47 +0800)]
fix: add parsing check in TLS compress_certificate extension handler
The tls_parse_compress_certificate function was missing validation
for trailing bytes after parsing the algorithm list, violating
RFC8446 section 4.2 which requires sending a decode_error alert
for unparseable messages.
This commit adds a check for remaining bytes in the packet after
the while loop and sends SSL_AD_DECODE_ERROR if any trailing
bytes are found.
Fixes #27717
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27733)
crypto/evp/ctrl_params_translate.c: prevent clashes of generic names NONE, GET, SET
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27773)
Pauli [Thu, 5 Jun 2025 03:28:37 +0000 (13:28 +1000)]
rand: add argument error checking to EVP_RAND_nonce()
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27766)
Pauli [Thu, 5 Jun 2025 02:02:52 +0000 (12:02 +1000)]
rand: document the EVP_RAND_nonce() return correctly
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27766)
Pauli [Wed, 4 Jun 2025 23:50:59 +0000 (09:50 +1000)]
rand: produce correct return from EVP_RAND_nonce
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27766)
Pauli [Wed, 4 Jun 2025 23:50:34 +0000 (09:50 +1000)]
rand: fix memory overrun bug
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27766)
Pauli [Wed, 4 Jun 2025 23:50:20 +0000 (09:50 +1000)]
rand: add unit test exhibiting memory overrun
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27766)
Neil Horman [Thu, 5 Jun 2025 12:54:56 +0000 (08:54 -0400)]
Add a test to confirm that we can repeatedly create and destroy keys
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27775)
Neil Horman [Thu, 5 Jun 2025 12:25:52 +0000 (08:25 -0400)]
Allow for reuse of thread_local keys in threads_none
If openssl is configured with no-threads, the implementation has a hard
limit of 256 LIB_CTX values, as each LIB_CTX allocates a thread local
key, and we never reuse them (like libc does when using
pthread_key_create/destroy.
Improve the situation by allowing for marking freed keys as unsued and
searching for an available key when allocating
Fixes #27757
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27775)
Yaroslav Lelkin [Thu, 5 Jun 2025 05:50:43 +0000 (10:50 +0500)]
Fix NIST ACVP server URLs in SLH-DSA test files
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27770)
Neil Horman [Wed, 4 Jun 2025 19:48:45 +0000 (15:48 -0400)]
Remove _strlen31
This function is old and fairly broken. Code archeology in our git tree
hasn't revealed why it was creted (though it may have possibly been to
support older win32 systems that couldn't do 64 bit integers properly,
like windows 95/98).
There seems to be no good reason to keep it around, and given that it
has potentially serious side effects, lets just remove it.
Fixes #27761
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27763)
Neil Horman [Fri, 6 Jun 2025 00:57:35 +0000 (20:57 -0400)]
Fix use of IO::Socket::IP on windows 2025
Apparently IO::Socket::IP has several odd behaviors on windows 2025,
notably indicating that AF_INET6 isn't a supported family when it
clearly is.
Follow the pattern in determinig the haveIPV6 variable in Proxy.pm, and
record if we determine IPv6 availablity with the IP class or the INET6
class and use the same method when testing port binding
Fixes project/#1213
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/27780)
Neil Horman [Tue, 3 Jun 2025 20:02:15 +0000 (16:02 -0400)]
Test randomly selected client port for availabilty in sslrecords test
Encountered this error in a pr today:
https://github.com/openssl/openssl/actions/runs/15418713146/job/43387767612
===
Proxy started on port [::1]:56662
Engine "ossltest" set.
Using default temp DH parameters
ACCEPT [::1]:59189
Server responds on [::1]:59189
Engine "ossltest" set. C0774F02907F0000:error:80000062:system library:BIO_bind:Address already in use:crypto/bio/bio_sock2.c:240:calling bind() C0774F02907F0000:error:10000075:BIO routines:BIO_bind:unable to bind socket:crypto/bio/bio_sock2.c:242:
connect:errno=98
===
Its occuring because we randomly select a port to use for our client
connection in the sslrecords test. Thats usually fine, but sometimes,
we get unlucky and pick a port thats already in use. This presents as
random failures in our CI on this test.
So lets try harden ourselves against it. When creating the client
connection, test the randomly selected port by trying to bind to it via
a call to IO::Socket::IP->new(). If that fails, try a different port
number, until we get one that works. If it works, use that port in the
assignment for the clients local port value.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27752)
Viktor Dukhovni [Sun, 1 Jun 2025 02:47:15 +0000 (12:47 +1000)]
Split arguments taking quotes into account
CA.pl supports interpolating multiple arguments into the executed
commands. Previously these were evaluated by a shell, which supported
quoting of values that contain whitespace, backslashes, ...
With a shell no longer used (avoid command injection), backwards
compatibility requires some similar functionality. The code now handles
double and single-quoted strings (shell-style word splitting), but not
parameter expansion ($foo remains unexpanded) or command substitution
(`cmd` and $(cmd) remain unexpanded).
On Windows system(@LIST) does not correctly preserve argv, do our
own quoting instead and use system(<$quoted_cmd>).
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27432)
Viktor Dukhovni [Fri, 18 Apr 2025 04:18:09 +0000 (14:18 +1000)]
Avoid shell commandline processing in CA.pl
The CA.pl script used to build single-string string commandlines to pass
to a shell via `system(command_string)`. That was fragile and not a best
practice.
This PR replaces `system(command_string)` with `system { executable } @argv`,
which avoids the shell whenever possible (at least Unix-like systems and
Windows). The only question mark is whether some sort of quoting is
needed for VMS to preserve the case of commandline arguments even when
processes are spawned directly, rather than via the shell.
Unfortunately, given the way that some environment variables and
command-line options are used to construct the commands to run,
the result is still brittle. The CA.pl utility really should
be replaced with something better.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27432)
Matt Caswell [Mon, 2 Jun 2025 14:45:06 +0000 (15:45 +0100)]
Add a CHANGES.md entry regarding no_renegotiation alert
Highight the bug being fixed for DTLS users
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27591)
Clarify what happens in the event that a no_renegotiation alert is
received.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27591)
Matt Caswell [Fri, 9 May 2025 09:28:16 +0000 (10:28 +0100)]
Test that a no_renegotiation alert is handled correctly
If we receive a no_renegotiation alert we should abort the connection. We
add a test for this.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27591)
Matt Caswell [Fri, 9 May 2025 08:58:15 +0000 (09:58 +0100)]
Fix DTLS handling when receiving a no_renegotiation alert
no_renegotiation is a warning alert sent from the server when it is not
prepared to accept a renegotiation attempt. In TLS we abort the connection
when we receive one of these - which is a reasonable response. However,
in DTLS we incorrectly ignore this and keep trying to renegotiate.
We bring the DTLS handling of a no_renegotiation alert into line with
how TLS handles this. In versions prior to 3.2 handling of a warning
alert in DTLS was mishandled resulting in a failure of the connection,
which ends up being the right thing to do "by accident" in the case of
"no_renegotiation". From 3.2 this mishandling was fixed, but exposed this
latent bug.
Fixes #27419
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27591)
Dmitry Misharov [Tue, 3 Jun 2025 11:04:57 +0000 (13:04 +0200)]
ci: remove windows-2019 runner images
According to https://github.com/actions/runner-images/issues/12045
The Windows 2019 Actions runner image will begin deprecation on
2025-06-01 and will be fully unsupported by 2025-06-30. Jobs using
the windows-2019 YAML workflow label should be updated to
windows-2022, windows-2025 or windows-latest.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27749)
Matt Caswell [Thu, 29 May 2025 11:52:35 +0000 (12:52 +0100)]
Ensure client read app data secret change occurs after write for QUIC
We don't want read secrets to be issue before write for QUIC, because
we want to avoid the situation where we want to ack something we've read
but we don't have the write secret yet.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27732)
Matt Caswell [Thu, 29 May 2025 11:31:33 +0000 (12:31 +0100)]
Implement explicit storing of the server_finished_hash
tls13_change_cipher_state was storing the server_finished_hash as a
side effect of its operation. This decision is better made by the state
machine which actually knows what state we are in.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27732)
Matt Caswell [Thu, 29 May 2025 11:16:14 +0000 (12:16 +0100)]
Ensure client read handshake secret change occurs after write for QUIC
We don't want read secrets to be issue before write for QUIC, because
we want to avoid the situation where we want to ack something we've read
but we don't have the write secret yet.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27732)
Matt Caswell [Thu, 29 May 2025 10:59:25 +0000 (11:59 +0100)]
Implement explicit storing of the handshake_traffic_hash
tls13_change_cipher_state was storing the handshake_traffic_hash as a
side effect of its operation. This decision is better made by the state
machine which actually knows what state we are in.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27732)
Cleanup - this constant and functions are no longer in use
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27716)
projects / thirdparty / openssl.git / log
