Signature schemes like Ed25519 or ML-DSA use "pure" signing,
i.e. they directly sign the tbs data instead of signing a digest.
This is already supported in the X509 code, but not in CMS.
This commit adds support for such schemes to CMS.
This is a minimalistic set of changes, based in the work done
by David von Oheimb.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26867)
Viktor Dukhovni [Thu, 6 Mar 2025 14:44:06 +0000 (01:44 +1100)]
Make group names case-insensitive
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26991)
Viktor Dukhovni [Wed, 5 Mar 2025 19:02:28 +0000 (06:02 +1100)]
Refactor sigalg handling
- The default sigalg list now puts ML-DSA-65 first, then ML-DSA-87
and then ML-DSA-44. (87 vs. 44 Subject to bikeshedding).
- The mintls and maxtls versions are now taken into account for
both built-in and provided algorithms.
- Some algorithms have a separate TLSv1.2-specific name for future
reporting via openssl-list(1).
- ML-DSA aside, any new provided algorithms go at the end of the
default list (backwards-compatible inclusion).
- The built-in algorithms now also have min/max DTLS versions.
Though the provider TLS-SIGALG capability was extended to also report
the DTLS version range, the minimum supported DTLS is 1.3, which we
don't yet have, so it is not yet possible to add DTLS sigalgs via a
provider
- The TLS 1.3 brainpool sigalgs got their correct IANA names, with
the legacy names as purported TLS 1.2 alternatives, but since
these are for TLS 1.3 and up those names are for matching only,
the reported value will still be the 1.3 name.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26975)
Neil Horman [Fri, 7 Mar 2025 21:35:47 +0000 (16:35 -0500)]
Orphan packets from qrx
It may occur that the qrx we allocate in port_default_packet handler to
do AEAD validation isn't the one the channel ultimately uses (like if we
turn off address validation). In that event, we need to ensure that
anything we have on that qrx isn't returned to its free list to avoid
early freeing when we free the qrx at the end of
port_default_packet_handler, while those frames are still pending on the
channel qrx
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27004)
Neil Horman [Sat, 8 Mar 2025 02:52:03 +0000 (21:52 -0500)]
If our server channel creates its own qrx, set its initial secret
With the addition of larger client hellos, stemming from the use of
larger PQC key shares, it may happen that we get a client hello accross
multiple datagrams. Normally this is not a problem as
port_default_packet_handler allocates a qrx and initializes its initial
secret immediately. But if server address validation is disabled, then
the channel creates the qrx in port_bind_channel itself, without initial
secrets. As a result, we validate the first datagram in
port_default_packet_handler, but the subsequent datagrams containing the
remaining client hello fragments fail decode.
Fix it by ensuring that we add the initial secret in port_bind_channel
if we don't give it a preconfigured qrx
Fixes openssl/project#1131
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27006)
Neil Horman [Tue, 4 Mar 2025 13:20:29 +0000 (08:20 -0500)]
Fix build on windows xp
Windows XP doesn't support setting socket handles to be non-inheritable,
but the rio_notifier attempts to do so. WSASocketA will there return
an error when the NO_INHERIT flag is set. In that case, just retry the
call without the flag.
Fixes #26943
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26970)
Bernd Edlinger [Mon, 3 Mar 2025 07:22:31 +0000 (08:22 +0100)]
RCU: Ensure that qp's are actually retired in order
The current retirement code for rcu qp's has a race condition,
which can cause use-after-free errors, but only if more than
3 QPs are allocated, which is not the default configuration.
This fixes an oversight in commit 5949918f9afa ("Rework and
simplify RCU code")
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26952)
Andrew Dinh [Sat, 1 Mar 2025 16:19:38 +0000 (23:19 +0700)]
QUIC server post-rebase nits
- Apply doc nits suggested by Viktor from https://github.com/openssl/openssl/pull/26762
- Update CHANGES.md & NEWS.md saying there is now support for QUIC server
- Added copyright header in: test/radix/quic_ops.c
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26944)
Ivan Stanković [Tue, 4 Mar 2025 16:30:34 +0000 (17:30 +0100)]
x509: allow SAN URIs to contain userinfo
The way we're currently handling SAN URIs does not allow for userinfo,
meaning the name constraint check on such URIs will fail. Fix this by
skipping over the userinfo component:
authority = [ userinfo "@" ] host [ ":" port ]
(per RFC 3986).
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25861)
Tomas Mraz [Mon, 3 Mar 2025 11:02:29 +0000 (12:02 +0100)]
doc: Fix type of OSSL_KEM_PARAM_IKME for ML-KEM
Fixes #26945
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26954)
Pauli [Mon, 3 Mar 2025 01:40:20 +0000 (12:40 +1100)]
run ECX KEM evp_test tests
The FIPS providers that support ECX (3.0.x & maybe 3.1.x) do not support ECX
KEM so there is little point to testing these algorithms under FIPS. Consequently,
they are being tested only with the default provider.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26946)
Pauli [Mon, 3 Mar 2025 01:40:02 +0000 (12:40 +1100)]
ecx kem: add evp_test data for ECX KEM testing
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26946)
Pauli [Mon, 3 Mar 2025 00:45:48 +0000 (11:45 +1100)]
evp_test: fully test RSA
The evppkey_rsa.txt data were only tested against the default provider.
Change this so that they are tested against the FIPS provider too.
Also add the RSA KEM tests.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26946)
Pauli [Mon, 3 Mar 2025 00:45:43 +0000 (11:45 +1100)]
rsa kem: add evp_test data
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26946)
Pauli [Mon, 3 Mar 2025 00:45:27 +0000 (11:45 +1100)]
evp_test: fix untested errant code paths
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26946)
Pauli [Mon, 3 Mar 2025 00:18:11 +0000 (11:18 +1100)]
test: condition SHA1/MD5 tests on default provider in evp_test data file
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26946)
Pauli [Mon, 3 Mar 2025 00:17:45 +0000 (11:17 +1100)]
test: remove RSA KEM tests from evp_test data file
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26946)
14MM4CH1N3 [Fri, 14 Feb 2025 17:11:01 +0000 (12:11 -0500)]
Update doc README URLs
This updates the openssl documentation link to the one currently in use,
and removes the standards.txt section as that URL leads to the normal
documentation page and there is no "standards" page in the openssl
documentation site.
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26759)
Andrew Dinh [Thu, 27 Feb 2025 07:06:47 +0000 (14:06 +0700)]
SSL_CTX_set1_curves.pod: Move examples to own section
Also specify whether server or client preference
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26897)
Andrew Dinh [Tue, 25 Feb 2025 09:34:17 +0000 (16:34 +0700)]
doc: Add some clarifications for SSL_CTX_set1_curves()
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26897)
Signed-off-by: Ondrej Moris <omoris@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26899)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26925)
Tomas Mraz [Fri, 28 Feb 2025 10:13:27 +0000 (11:13 +0100)]
apps: Escape control characters in DNs by default
When displaying distinguished names the control characters
are escaped by default.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26932)
Tomas Mraz [Fri, 28 Feb 2025 10:09:55 +0000 (11:09 +0100)]
Sync CHANGES.md with 3.4 branch and fix formatting
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26932)
Neil Horman [Fri, 28 Feb 2025 18:58:48 +0000 (13:58 -0500)]
Remove empty buffer check in script_84 of quic_multistream_test
The quic_multistream_test occasionally fails script_84, specifically
failing on:
OP_CHECK2(check_write_buf_stat, 0, 0)
which fails due to the send stream buffer not reading zero after data is
sent on the stream
However, the send stream is culled of pending data, not after the stream
is sent, but rather only after the peer sends an ack confirming that the
data has been received. There is no guarantee that ACK will be sent
immediately, so occasionally timing discrepancies result in the test not
getting that ack by the time we check the send stream buffer.
We couldmodify the script to wait longer, or repeatedly tick the quic
stack to wait for that ack to be collected, but since its perfectly
valid for that data to live in the ring buffer for a period, and that
any true erroneous keeping of that data beyond its ack point would
manifest as any number of other duplicate transmissions, it seems more
sane to just remove the check.
Fixes openssl/project#1117
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26939)
Matt Caswell [Fri, 28 Feb 2025 08:51:43 +0000 (08:51 +0000)]
Move ssl_err.c into libcrypto
We move ssl_err.c out of libssl and into libcrypto. This file is entirely
self contained and is used to load error strings into the libcrypto error
tables. By moving this file into libcrypto, libssl can be unloaded safely
without having dangling references to this error information.
Fixes #26672
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26931)
Viktor Dukhovni [Thu, 27 Feb 2025 17:17:08 +0000 (04:17 +1100)]
Further decoder tuning possibly better perf
- The decoder should consider fewer options based on
more precise tracking of the desired input type
(DER, PVK, MSBLOB), algorithm (RSA, EC, ...),
input structure (SPKI, P8, ...).
How much this affects actual use-cases is harder to estimate, we'll just
have to run before/after perf tests.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26927)
Geert Hendrickx [Fri, 28 Feb 2025 13:50:32 +0000 (14:50 +0100)]
Fix `no-tls-deprecated-ec` documentation to match the actual option.
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26934)
Valerii Krygin [Tue, 25 Feb 2025 15:57:26 +0000 (15:57 +0000)]
EVP_DecodeUpdate() should not produce padding zeros to the decoded output (Fixes #26677)
EVP_DecodeUpdate() should not produce zeros for input padding `=` signs to avoid writing to non-allocated memory regions.
To achieve this:
- Add `eof` parameter to `evp_decodeblock_int` function in `openssl/crypto/evp`. The parameter should either contain the number of the input padding characters to ignore or `-1` if the function has to count them.
- Use precalculated `eof` in `EVP_DecodeUpdate` to fix its behaviour.
- Use `eof = -1` in `EVP_DecodeFinal` to count it in `evp_decodeblock_int`.
- Do not ignore padding in `EVP_DecodeBlock` (`eof = 0`) because it should write padding zeros according to the documentation.
- Add the HISTORY section to EVP_EncodeInit documentation to describe the fix.
Other changes:
- Update AUTHORS.md
- Update the copyright date in the documentation.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26678)
Viktor Dukhovni [Wed, 26 Feb 2025 02:04:12 +0000 (13:04 +1100)]
Check full ML-KEM encoded key
When both seed and key are provided compare the full ML-KEM private key
with the seed keygen output, not just the public key.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26905)
doc/, CHANGES, NEWS: add missing entries and fix existing ones when which CMP feature was added
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26908)
Andrew Dinh [Wed, 26 Feb 2025 14:39:20 +0000 (21:39 +0700)]
Update slh_dsa_test.c
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26916)
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26916)
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26916)
slontis [Tue, 25 Feb 2025 06:03:38 +0000 (17:03 +1100)]
Encoder : Fix floating pointer when OSSL_ENCODER_to_data() is called
twice.
Fixes #26862
This only happens when using the FIPS provider, since it needs to export
the key.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26891)
Viktor Dukhovni [Tue, 25 Feb 2025 07:17:02 +0000 (18:17 +1100)]
Use better data type info in decoders
The decoders in some cases failed to capture or propagate
information about what is being decoded, causing more work
happen to try unrelated decoders as a fallback.
We now try harder to keep track of the expected object (private key or
public key, if known), and the algorithm determined from the OID of a
PKCS8 object or SPKI. This leads in many cases to fewer decoder
invocations. With so many more algorithms now, trying every decoder
is increasingly best avoided.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26892)
slontis [Mon, 24 Feb 2025 23:06:26 +0000 (10:06 +1100)]
ML-DSA Add Wycheproof test vectors.
Added a python script to convert the json files into evp_test data.
Added a EVP_TEST_METHOD "KeyFromData" that can test failures when
loading raw keys. (The existing "PrivateKeyRaw" and "PublicKeyRaw"
were not fit for this purpose).
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26885)
slontis [Tue, 25 Feb 2025 02:31:46 +0000 (13:31 +1100)]
FIPS POST: Change PBKDF2 CAST to use less iterations.
Fixes #26876
The issue here is that the pbkdf2 'lower_bounds_checks' currently errors by default
in FIPS mode if iterations < 1000.
i.e. the "pkcs5" flag = 0 triggers an error..
Turning the flag on means the FIPS indicator is triggered (which is probably correct behaviour)
Not sure testing the fips state here is a good idea (i.e. taking a TSAN hit).
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26887)
Neil Horman [Mon, 24 Feb 2025 12:55:33 +0000 (07:55 -0500)]
fix slh-dsa incorrect prediction of result code
The slh_dsa fuzzer predicts failure in EVP_message_sign_init in the
event we pass a context_string param of more than 255 bytes. That makes
for an accurate prediction, but only if we actually create the param.
augment the setting of exepct_rc_init to be determined not only by our
allocation of a > 255 byte message, but also on selector bit 1, which
determines if we create the parameter at all.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26884)
Neil Horman [Sun, 16 Feb 2025 13:35:38 +0000 (08:35 -0500)]
Change cipher suite alert for 0 length cipher_suites
From RFC 8446:
Note: TLS defines two generic alerts (see Section 6) to use upon
failure to parse a message. Peers which receive a message which
cannot be parsed according to the syntax (e.g., have a length
extending beyond the message boundary or contain an out-of-range
length) MUST terminate the connection with a "decode_error" alert.
Peers which receive a message which is syntactically correct but
semantically invalid (e.g., a DHE share of p - 1, or an invalid enum)
MUST terminate the connection with an "illegal_parameter" alert.
A zero length cipher suite list I think is considered out of range, and
so we should return "decode_error" rather than "illegal_parameter"
Fixes #25309
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26781)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25930)
fips-jitter: Force use jitter entropy in the FIPS 3.0.9 provider callback
FIPS 3.0.9 provider does not honor runtime seed configuration, thus if
one desires to use JITTER entropy source with FIPS 3.0.9 provider
something like this needs to be applied to the core (libcrypto) build.
Not sure if this is at all suitable for upstream.
With fips-jitter (3.5+) config, also ensure that core<->provider
callback for entropy uses jitter entropy source, rather than os seed
(getrandom syscall).
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25930)
Fix read out of buffer bounds when dealing with BIO_ADDR
This issue was discoevered while I was testing SSL_new_from_listener()
using a newly created unit test. It has turned out the QUIC stack
at few places contain pattern as follows:
foo(QUIC_WHATEVER *q, BIO_ADDR *a)
{
q->a = *a;
}
The problem is that derefencning a that way is risky. If the address `a`
comes from BIO_lookup_ex() it may actually be shorter than sizeof(BIO_ADDR).
Using BIO_ADDR_copy() is the right thing to do here.
Fixes #26241
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26252)
Niels Dossche [Tue, 21 Jan 2025 11:04:44 +0000 (12:04 +0100)]
Fix potential memory leak in policy_section()
If sk_POLICYQUALINFO_push() fails, qual is not freed.
Fix it by adding POLICYQUALINFO_free() to the error path.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26499)
Tomas Mraz [Wed, 22 Jan 2025 08:57:36 +0000 (09:57 +0100)]
add_uris_recursive(): Avoid OSSL_STORE_INFO leak on error
Fixes #26480
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26511)
Niels Dossche [Wed, 22 Jan 2025 13:35:25 +0000 (14:35 +0100)]
Fix potential leak in error path in cert_response()
get1_cert_status() returns an object that must be freed,
but the error path does not do that.
Fix it by adding a call to X509_free() in the error path.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26513)
Tomas Mraz [Mon, 24 Feb 2025 08:47:13 +0000 (09:47 +0100)]
Rename fnv1a_hash() to ossl_fnv1a_hash()
It is no longer static.
Also add it to libssl only with quic enabled.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26882)
Niels Dossche [Wed, 22 Jan 2025 14:43:14 +0000 (15:43 +0100)]
Fix potential memory leaks in error paths in ossl_rsa_multiprime_derive()
There are several cases where new BIGNUM instances are created, not
using the context, but not freed when an error occurs.
Fix this by adding the necessary calls to BN_free().
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26515)
Neil Horman [Fri, 21 Feb 2025 17:22:17 +0000 (12:22 -0500)]
Convert test_bio_ssl to use fake time
The test_bio_ssl test in quicapitest is failing on windows. Something
about the timing there is causing wide variance in how long it takes to
establish a handshake (between 130-6500 iterations).
Convert it to use fake time to make it run consistently.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26801)
Viktor Dukhovni [Mon, 17 Feb 2025 15:41:51 +0000 (02:41 +1100)]
Add hybrid ML-KEM based groups to default TLS groups
- send two key shares by default
- trim down the list of default groups
The default TLS group list setting is now:
?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26801)
The interoperability tests disable client ip address
validation done by RETRY packet. All tests done in CI
take code path which sends a retry packet.
The first initial packet sent by client uses a different
initial encryption level keys to protect packet integrity.
The keys are derived from DCID chosen by client.
When server accepts connection on behalf of initial packet,
the 'DCID' gets changed which means the initial level encryption keys
are changing too. So when server skips sending a retry packet,
it must forget the qrx which was used to validate initial
packet sent by client.
Forgetting qrx is not straightforward, we must salvage the
unencrypted packets left there after they were validated.
Those unencrypted packets must be injected to newly created channel.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26808)
Perform initial AEAD validation before creating a channel
We let port to create qrx object and use it for
packet validation. If packet validates, we then
create channel and pass pre-created qrx to channel's
constructor.
Co-authored-by: Andrew Dinh <andrewd@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26808)
Burkov Egor [Wed, 19 Feb 2025 13:42:07 +0000 (16:42 +0300)]
fix: add OOM handler for x509 fuzz test
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26830)
Bernd Edlinger [Mon, 24 Feb 2025 06:51:16 +0000 (07:51 +0100)]
Revert wrong macos RCU fix
This reverts #23974 which seems to be no longer needed now,
due to other fixes nearby. Most likely the change did just
slightly decrease the performance of the reader threads, and
did therefore create the wrong impression that it fixed the issue.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26881)
Viktor Dukhovni [Fri, 21 Feb 2025 08:47:36 +0000 (19:47 +1100)]
More seed and private key checks for ML-DSA
- Check seed/key consistency when generating from a seed and the private
key is also given.
- Improve error reporting when the private key does not match an
explicit public key.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/26865)
Neil Horman [Thu, 20 Feb 2025 14:15:26 +0000 (09:15 -0500)]
separate intval into separate variable in OSSL_PARAMS
construction of int params holds a pointer to an int rather than an int
value, so we need to use separate variables when constructing separate
int params.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26851)
Fails because the fuzzer occasionaly provides inputs which drives the
fuzzer to create an octet-string for the context_string param which
violates the 255 byte constraint documented on that parameter.
Fix it by detecting that condition, expecting failure in the call to
EVP_sign_message_init, and bailing out when it occurs.
Fixes openssl/project#1109
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26851)
projects / thirdparty / openssl.git / log
