Matt Caswell [Tue, 29 Apr 2025 13:21:49 +0000 (14:21 +0100)]
Drop empty app data records in DTLS
App data records with 0 bytes of payload will confuse callers of SSL_read().
This will cause a successful read and return 0 bytes as read. Unfortunately
a 0 return from SSL_read() is considered a failure response. A subsequent
call to SSL_get_error() will then give the wrong result.
Zero length app data records are actually allowed by the spec, but have
never been handled correctly by OpenSSL. We already disallow creating such
empty app data records. Since the SSL_read() API does not have a good way to
handle this type of read, we simply ignore them.
Partial fix for #27316
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27541)
JiashengJiang [Mon, 5 May 2025 01:41:39 +0000 (21:41 -0400)]
crypto/provider_conf.c: Fix possible memory leak
Assign the return value of ossl_provider_info_add_to_store to added instead of
setting it directly to 1, in order to avoid a memory leak caused by entry not
being freed if ossl_provider_info_add_to_store() fails.
Signed-off-by: JiashengJiang <jiasheng@purdue.edu> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27472)
Pauli [Thu, 17 Apr 2025 02:09:38 +0000 (12:09 +1000)]
ccm: update CCM mode ciphers to use the TRIE param name decoder for AEAD ciphers
This brings the implementation in line with GCM which has had this capability
for a while. It will improveme performance setting and retrieving the
authenticatoin tag.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27392)
Addresses an issue where the EVP_CIPHER_CTX_get_updated_iv() function
does not properly return the updated IV for the ChaCha20 cipher.
chacha20_get_ctx_params was updated to be sensitive to the
OSSL_CIPHER_PARAM_UPDATED_IV parameter.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27484)
Enable AES and SHA3 optimisations on Qualcomm Snapdragon X systems
For larger data blocks, AES gets performance gains of up to 26.5%,
and SHA3 up to 15%. Tested on a Dell 9345 with Snapdragon X1E-80-100.
Below are detailed data.
Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27503)
Julian Zhu [Sat, 3 May 2025 08:16:27 +0000 (16:16 +0800)]
RISC-V: Provide generic optimized SHA-256 implementation for rv64gc
Signed-off-by: Julian Zhu <julian.oerv@isrc.iscas.ac.cn> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27381)
pkcs12: increase macsaltlen from 8 to 16 as per NIST SP 800-132
Align PKCS12 PBMAC1 PBKDF2 salt length with
PKCS5_DEFAULT_PBE2_SALT_LEN.
With this change, newly created PKCS12 PBMAC1 PBKDF2 keystores use mac
salt length of 16 bytes by default. This increases interoperability
with FIPS implementations which require at least 16 bytes of salt
length. Otherwise FIPS implementations fail to to open keystore with
invalid salt length errors (unapproved):
Mac verify error: invalid password? 80EBD061AD7F0000:error:1C800070:Provider routines:kdf_pbkdf2_set_ctx_params:invalid salt length:providers/implementations/kdfs/pbkdf2.c:293: 80EBD061AD7F0000:error:118C0103:PKCS12 routines:PBMAC1_PBKDF2_HMAC:internal error:crypto/pkcs12/p12_mutl.c:143: 80EBD061AD7F0000:error:1180006D:PKCS12 routines:PKCS12_verify_mac:mac generation error:crypto/pkcs12/p12_mutl.c:324: 80EBD061AD7F0000:error:1C800070:Provider routines:kdf_pbkdf2_set_ctx_params:invalid salt length:providers/implementations/kdfs/pbkdf2.c:293: 80EBD061AD7F0000:error:118C0103:PKCS12 routines:PBMAC1_PBKDF2_HMAC:internal error:crypto/pkcs12/p12_mutl.c:143: 80EBD061AD7F0000:error:1180006D:PKCS12 routines:PKCS12_verify_mac:mac generation error:crypto/pkcs12/p12_mutl.c:324:
The compile time constant is made possible to override with a build
time define, such that one can revert back to 8 if so is needed for
backwards compatibility.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27446)
Lars Kanis [Sat, 1 Feb 2025 17:01:43 +0000 (18:01 +0100)]
Add a target config for MINGW on ARM64
This is necessary to build OpenSSL native on Windows on Arm64 with gcc or clang.
It also works when cross compiling on Linux for aarch64-w64-windows-gnu.
This patch is used since years on MSYS2:
https://github.com/msys2/MINGW-packages/blob/master/mingw-w64-openssl/001-support-aarch64.patch
Fixes #10533
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26605)
Richard Levitte [Wed, 30 Apr 2025 12:37:12 +0000 (14:37 +0200)]
Drop "by store"'s by_store_subject_ex()
It was used to pass libctx and propq, which would override the
corresponding values passed to by_store_ctrl_ex(). This wasn't
really reasonable to do either way, as it could potentially be a
surprise to the user, who can reasonably expect that the URI is
opened with the libctx and propq that was passed with the URI, and
not with those passed later.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27529)
Originally from https://github.com/openssl/openssl/pull/27507, with some
changes.
Co-authored-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27529)
Richard Levitte [Wed, 30 Apr 2025 09:38:04 +0000 (11:38 +0200)]
Rework the "by store" X509_LOOKUP method to open the given URI early
The cached X509_LOOKUP method data is no longer just the URI, but now
includes the OSSL_STORE_CTX pointer, and required parameters to reopen
the URI at any time. cache_objects() is modified to handle this, and
only (re)open the URI when it wasn't previously opened, or when it was
closed by an earlier call.
This way, we can call OSSL_STORE_open_ex() in by_store_ctrl_ex(), and
get to see possible errors when the URI is loaded.
This assumes that if the URI could be opened once, it can be opened
again.
Fixes #27461
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27529)
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27240)
Neil Horman [Thu, 24 Apr 2025 13:26:33 +0000 (09:26 -0400)]
Disable unterminated-string-initialization in strict-warnings
Recently updated to fedora 42, which includes an updated gcc, which
triggers a new warning:
test/afalgtest.c:44:9: error: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (18 chars into 17 available) [-Werror=unterminated-string-initialization]
44 | "\x53\x69\x6e\x67\x6c\x65\x20\x62\x6c\x6f\x63\x6b\x20\x6d\x73\x67"
The warning occurs because in some locations we create char buffers of
length X, and fill it with X bytes of data, truncating the NULL
terminator.
We could fix it by adding the nonstring attribute, but given that:
1) Adding attributes might impact other platforms that don't understand the
attribute.
2) We often create char buffers that don't expect a NULL terminator.
3) Converting the unsigned char arrays to uint8_t, or other types that
could be interpreted as non-strings has no impact, only applying the
nonstring attribute silences the warning.
It seems more sensible to just disable the warning entirely
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27490)
Daniel Van Geest [Sun, 13 Apr 2025 00:49:09 +0000 (01:49 +0100)]
Expand gettable params for HKDF
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27365)
Neil Horman [Tue, 29 Apr 2025 13:27:30 +0000 (09:27 -0400)]
Update test/ossl_store_test.c
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27393)
Neil Horman [Tue, 29 Apr 2025 13:24:46 +0000 (09:24 -0400)]
Update test/ossl_store_test.c
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27393)
Matt Caswell [Thu, 17 Apr 2025 11:45:31 +0000 (12:45 +0100)]
Fix a typo in evpciph_des3_common.txt
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27408)
Matt Caswell [Tue, 15 Apr 2025 14:03:36 +0000 (15:03 +0100)]
Fix a deadlock while attempting to get the Primary EVP_RAND_CTX
When only the FIPS provider was loaded we could get a deadlock when
calling RAND_get0_primary() due to attempting to obtain a recursive
lock.
We reduce the scope of the locks that we hold to avoid this.
Fixes #27391
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27408)
Matt Caswell [Wed, 16 Apr 2025 11:20:10 +0000 (12:20 +0100)]
Ensure that our fips internal provider is always loaded
The fips provider has an internal provider. In some circumstances we
could end up trying to find it, but failing because it hasn't been loaded
yet. We just always ensure it is loaded early to avoid this.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27408)
Matt Caswell [Wed, 16 Apr 2025 11:15:51 +0000 (12:15 +0100)]
Assert that we successfully obtained a lock
We should never fail to obtain a lock, so assert that we are successful
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27408)
Matt Caswell [Wed, 16 Apr 2025 11:14:55 +0000 (12:14 +0100)]
Add a test for calling RAND_get0_primary()
We simply test that calling RAND_get0_primary() returns a success
for both the default and fips providers.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27408)
Arne Schwabe [Sat, 26 Apr 2025 18:21:28 +0000 (20:21 +0200)]
Fix aesv8 arm assembler code not working on 32 bit Android
OpenSSL uses 'void' as perlasm for the 32 bit armeabi-arm target, which
most notably lacks a 32 or 64 in its name. So while most code that is
targeted for 32 uses !~ /64/ there is one instance that uses ~= /32/,
introduced by commit 8e69c18 between 3.4.0 and 3.5.0. This leaves out
that line on 32 bit android causing a segfault.
This fixes the compilation issue by replacing the ~= /32/ with !~ /64/
compilation taget (see 15-android.conf)
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27510)
By updating the `util/find-doc-nits` new missing history sections were
discovered. This commit adds the missing.
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27488)
doc/man3: Change formulation to let the script to catch it
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27488)
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27488)
util/find-doc-nits: Check function macros in history
Add a checker for function macros if they are present in the HISTORY
section of the man page.
Resolves: #26774
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27488)
Matt Caswell [Fri, 25 Apr 2025 14:21:47 +0000 (15:21 +0100)]
Clarify how s_client -ign_eof and -quiet impact command processing
If -ign_eof -or -quiet are passed to s_client this implicitly turns off
command processing (i.e. equivalent to -nocommands). This was stated on
the man page in the "CONNECTED COMMANDS" section, but not in the
documentation for "-ign_eof" or "-quiet" directly. We state it here as
well to make it clearer.
Fixes #27443
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27500)
Anton Tieleman [Mon, 28 Apr 2025 11:49:25 +0000 (13:49 +0200)]
Test+fix handling "wrong" downgrade signals
This accounts for cases that can only occur when een non-compliant server sends
the wrong downgrade signal. (TLS1.1 signal when negotiating TLS1.2 or TLS1.2
signal when negotiating TLS1.0/TLS1.1). According to the TLS1.3 RFC these
cases should be rejected:
RFC8446, section 4.1.3: TLS 1.3 clients receiving a ServerHello indicating
TLS 1.2 or below MUST check that the last 8 bytes are not equal to either of
these values. TLS 1.2 clients SHOULD also check that the last 8 bytes are
not equal to the second value if the ServerHello indicates TLS 1.1 or below.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27518)
Anton Tieleman [Mon, 28 Apr 2025 11:30:01 +0000 (13:30 +0200)]
Repair downgrade tests
A number of these tests were failing for the wrong reasons. The intention is to verify
that the client sends an illegal parameter alert when an unexpected downgrade signal
is received. Instead, a number of tests failed because TLS1.1 was not available. The
tests are adapted to explicitly check for an illegal parameter alert from the client.
Client and server flags are updated to enable TLS1.1 where required and a few tests
requiring TLS1.1 were moved to be disabled when TLS1.1 is not available.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27518)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26994)
Tomas Mraz [Tue, 29 Apr 2025 09:56:23 +0000 (11:56 +0200)]
apps/prime.c: Fix memory leak of a BIGNUM
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27521)
Update to use BIO_get_line() with support for multiple primes per in file
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26549)
zriback [Fri, 31 Jan 2025 02:05:32 +0000 (21:05 -0500)]
Address and add tests for edge cases involving short or empty files
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26549)
zriback [Thu, 30 Jan 2025 16:41:15 +0000 (11:41 -0500)]
Fix issue where file is not read correctly with Windows line endings
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26549)
zriback [Fri, 24 Jan 2025 20:43:22 +0000 (15:43 -0500)]
Add 20-test_prime unit test
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26549)
zriback [Fri, 24 Jan 2025 06:03:35 +0000 (01:03 -0500)]
Add -in option to prime function to allow input from file for primality testing. Update -hex option documentation to reflect use with input and output.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26549)
Fix typo in SHA256 RISC-V64 Zbb comments: Sigma0 -> Sum0
This corrects a misleading comment in sha256-riscv64-zbb.pl. The rotation
operation corresponds to the Sum0 function as defined in the FIPS 180-4
standard, not Sigma0.
CLA: trivial
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27480)
The microsoft compiler does not like the empty struct,
so go add a dummy field instead.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27494)
file_store.c: give detail on file_set_ctx_params() error
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27498)
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27498)
A. Wilcox [Thu, 17 Apr 2025 13:51:53 +0000 (08:51 -0500)]
Fix P-384 curve on lower-than-P9 PPC64 targets
The change adding an asm implementation of p384_felem_reduce incorrectly
uses the accelerated version on both targets that support the intrinsics
*and* targets that don't, instead of falling back to the generics on older
targets. This results in crashes when trying to use P-384 on < Power9.
Signed-off-by: Anna Wilcox <AWilcox@Wilcox-Tech.com> Closes: #27350 Fixes: 85cabd94 ("Fix Minerva timing side-channel signal for P-384 curve on PPC") Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27429)
Simo Sorce [Thu, 24 Apr 2025 14:05:53 +0000 (10:05 -0400)]
Add test to check SKEYMGMT interfaces
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27483)
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27483)
Richard Levitte [Wed, 23 Apr 2025 18:14:38 +0000 (20:14 +0200)]
Relax absolut path checking in our 'file' scheme implementation
So far, we strictly obeyed [RFC 8089], which only allows absolute paths
in a 'file:' URI. However, this seems to give a confusing user
experience, where something like 'file:foo.pem' wouldn't open foo.pem,
even though it's there in the current directory, but 'file:$(pwd)/foo.pem'
would.
To be less surprising for such use cases, we relax our implementation
visavi [RFC 8089] to allow relative paths.
Ensure z and d are actually zeroized by cleansing the full size of s,
rather than just vector_bytes.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27437)
Matt Caswell [Fri, 11 Apr 2025 13:19:46 +0000 (14:19 +0100)]
Fix errors on SSL_accept() and SSL_get_error()
Calling SSL_accept() was raising two errors on the stack if you passed
the wrong object type. Similarly SSL_get_error() was adding an error to
the stack if the wrong object type was passed and returning the wrong
result.
We also ensure SSL_set_accept_state() and SSL_set_connect_state() don't
raise spurious errors since these are void functions.
Fixes #27347
Fixes #27348
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27351)
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27157)
Luke Kurlandski [Tue, 4 Mar 2025 16:53:36 +0000 (11:53 -0500)]
Improved error message for X509_V_ERR_CERT_NOT_YET_VALID
In addition to an invalid certificate, it is not unlikely that this
exact error (case X509_V_ERR_CERT_NOT_YET_VALID) is caused by an
incorrect system clock. This cannot be trivially fixed, so for now,
we simply improve the quality of the error message.
Fixes #14771
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27141)
Viktor Dukhovni [Wed, 9 Apr 2025 07:33:02 +0000 (17:33 +1000)]
Fix default pkey(1) DER output
This is expected to be PKCS#8, but was defaulting to traditional when
possible. Changed default DER output format to PKCS#8 and extended the
`-traditional` option to apply also to DER output.
Fixes: #21708 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27273)
Simo Sorce [Tue, 15 Apr 2025 19:42:22 +0000 (15:42 -0400)]
Advertize signature setting in settable_ctx fn
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27342)
Simo Sorce [Tue, 15 Apr 2025 18:58:20 +0000 (14:58 -0400)]
Add test for ML-DSA sig/ver message update
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27342)
Simo Sorce [Fri, 11 Apr 2025 21:24:09 +0000 (17:24 -0400)]
Add ml_dsa msg_update functions to provider code
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27342)
Simo Sorce [Fri, 11 Apr 2025 17:38:20 +0000 (13:38 -0400)]
Make public ml_dsa_mu_.. helpers
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27342)
Simo Sorce [Wed, 9 Apr 2025 13:35:20 +0000 (09:35 -0400)]
Split the ML-DSA internal sigver functions
Deconstruct the functions into 2 parts:
- mu computation (if needed)
- actual signing/verification
Adds helper to compute mu that is split in 3 parts
(init/update/finalize) where the update part can be used to feed the message
to be signed or verified in chunks of any size.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27342)
Simo Sorce [Tue, 15 Apr 2025 19:21:19 +0000 (15:21 -0400)]
Fix EVP_PKEY_verify man page
Various functions were misnamed in the descriptions.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27342)
Simo Sorce [Tue, 15 Apr 2025 19:20:41 +0000 (15:20 -0400)]
Fix mldsa'a msg_inits operation type
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27342)
olszomal [Fri, 3 Jan 2025 07:42:55 +0000 (08:42 +0100)]
Fix URL parsing to handle missing ports and ISO 8601 timestamps in paths
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26303)
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27455)
If the function is not called the settings default to 0.
Fixes #10584
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27410)
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/27372)
provider-signature.pod: fix doc of OSSL_SIGNATURE_PARAM_ALGORITHM_ID, describing its relevance
This provides a fix for the documentation part of #22932.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/27372)
ASN1_item_sign.pod: fix description of the algor1, algor2, and signature in/out-parameters
This provides a fix for the documentation part of #22932.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/27372)
Pauli [Wed, 9 Apr 2025 02:42:40 +0000 (12:42 +1000)]
test: test for setting hkdf salt to null
Fixes #27302
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27305)
Pauli [Wed, 9 Apr 2025 02:42:10 +0000 (12:42 +1000)]
hkdf: allow salt to be set to null
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27305)
Pauli [Mon, 31 Mar 2025 22:57:50 +0000 (09:57 +1100)]
params: refactor some of the param helper code
Unifies some duplicated code.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27221)
Pauli [Mon, 31 Mar 2025 22:15:40 +0000 (09:15 +1100)]
commands: fix parameter value output
The parameter value output library routine was incorrect. It used the
incorrect length when printing fetched parameter sizes. It also printed
a string which was potentially not zero terminated. Both of these are
addressed here.
Additionally, octet strings have their initial bytes printed in hex.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27221)
Older versions place an error code to the error queue when retrieving
updated IV.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27417)
Neil Horman [Mon, 14 Apr 2025 16:23:15 +0000 (12:23 -0400)]
Serialize install process to avoid multiple make depend operations
If make install is run with a large -j value (make install -j N , where
N < 1)
We can run into a situation in which the install fails because multiple
make depend operations are running in parallel, which will fail due to
makefile rewriting.
Serialize the install process to guarantee that those operations don't
step on one another
Fixes # 27074
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27388)
Jan Luebbe [Fri, 4 Apr 2025 10:38:40 +0000 (12:38 +0200)]
80-test_cms.t: Add test case for verification of multiple signatures
openssl cms -verify requires all signatures to pass verification, so adding
a signature with -resign will cause overall verification to fail if the new
signature cannot be verified.
As I intend to optionally allow this case (see #26382), this new test
case ensures that the current behaviour stays the default.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27269)
projects / thirdparty / openssl.git / log
