Richard Levitte [Wed, 15 Oct 2025 12:06:34 +0000 (14:06 +0200)]
First integration of OSSL_FN into BIGNUM
This integration is made in such a way that OSSL_FN is an optional
'data' field in BIGNUM, i.e. it's allowed to be NULL even though
the BIGNUM's 'd' field is non-NULL.
The public BIGNUM API will do what it can to ensure that the 'data'
field becomes non-NULL, but remains lax on input BIGNUMs, for now.
This allows diverse internal bn constants and hacks to continue to
function with minimal friction. These constants and hacks will
incrementally be modified to use OSSL_FN where they currently use
BN_ULONG.
Richard Levitte [Thu, 9 Oct 2025 11:48:59 +0000 (13:48 +0200)]
Fix BN_DEBUG: ossl_assert() → assert()
ossl_assert() has been modified so much that it no longer fits the
purpose of bn_check_top() when BN_DEBUG is defined in a debug build,
which is to abort and tell where the BIGNUM is inconsistent.
This has remained undiscovered because no one has tried BN_DEBUG
for quite a while.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28930)
Richard Levitte [Wed, 8 Oct 2025 12:56:34 +0000 (14:56 +0200)]
Add the fixed number type (OSSL_FN) and its allocators and deallocator
This includes a small test program that performs introspection of the
OSSL_FN, to check that diverse functions do what's expected of them.
For future compatibility reasons, the limb type OSSL_FN_ULONG is based
on BN_ULONG. This caused a slight rearrangement of public BIGNUM related
headers.
Note: experiments with changing the current BIGNUM's 'dmax' and 'top' to be
"size_t" has shown disastrous effects, due to some lower level functions
assuming that they'll receive the size in "int" form rather than "size_t"
form (on some major platforms, these two types have different sizes).
Therefore, this change deviates slightly from the design for fixed numbers
(doc/designs/fixed-size-large-numbers.md) by making OSSL_FN's 'dsize' an
"int" rather than a "size_t".
Richard Levitte [Thu, 11 Sep 2025 13:30:15 +0000 (15:30 +0200)]
design: Fixed size large numbers
For the longest time, we have mitigated security issues related to large
numbers (BIGNUM) and constant time in a piece-meal fashion, without really
looking at the problem from a zoomed out, holistic perspective.
An interesting aspect in this problem is that large numbers can vary in
size, and that depending on their combined sizes, the time to perform
mathematical calculations with them vary equally much, and may thereby
unintentionally leak information on those numbers.
To mitigate that sort of timing issue, we introduce fixed size numbers,
which are designed to have payload sizes that are pre-determined, usually by
the crypto system that uses them. This means that even a very small number
(let's take 1 as a ridiculous example) would have the same size payload as a
much larger number, and calculations using them would perform across all
payload bits of all input numbers combined.
These fixed size numbers primarly differ from BIGNUMs in that once they have
been allocated to a certain size, that size will not change throughout its
lifetime.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28522)
Norbert Pocs [Sun, 5 Oct 2025 07:39:22 +0000 (09:39 +0200)]
Check return code of BIO_ADDR_rawaddress
Fixes coverity issue: https://scan5.scan.coverity.com/#/project-view/64471/10222?selectedIssue=1666584
Thank you for the report!
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/28751)
Theo Buehler [Wed, 1 Oct 2025 22:14:40 +0000 (00:14 +0200)]
[aarch64] move constants to rodata
The 3.6.0 has new assembly which again has constants in .text. This
breaks on platforms enforcing execute-only memory.
See, e.g., #24137 and PRs linked therein, among others.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/28726)
It looks pretty straightforward (I think). The fuzzer input buffer is
used in this particular case to randomly issue commands to the lcidm
hash table (add/delete/query/flush/etc).
The loop for the command processing (based on the input buffer), is
limited to 10k commands. However the fuzzer will on occasion provide
very large buffers (500k) which easily saturate that limit. If the
input buffer happens to do something like get biased toward mostly
additions, we wind up with a huge hashtable that has to constantly grow
and rehash, which we've seen leads to timeouts in the past.
Most direct fix I think here, given that this is something of an
artificial failure in the fuzzer, is to simply clamp the command limit
more.
Fixes openssl/project#1664
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28724)
Rationale:
- Allow applications to retrieve the remote UDP tuple for QUIC sessions
(e.g., logging, access control, diagnostics)
Provided documentation and test cases for SSL_get_peer_addr().
Set peer via channel API on new-conn.
- In ch_on_new_conn_common(), BIO_ADDR_copy(&ch->cur_peer_addr, peer)
was replaced with ossl_quic_channel_set_peer_addr(ch, peer) so
addressed_mode is enabled at connection bring-up.
Dropped redundant peer detection in create_qc_from_incoming_conn()
The peer address is now propagated in ch_on_new_conn_common() via
ossl_quic_channel_set_peer_addr(), so the channel is already in
"addressed" mode. This also avoids querying the (unconnected) server
UDP BIO, reduces duplication, and simplifies the accept path. All
regression tests pass.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28690)
Ondrej Moris [Wed, 1 Oct 2025 05:03:27 +0000 (07:03 +0200)]
tests: temporarily skip MLDSA pkcs11-provider test
External pkcs11-provider test requires at least kryoptic 1.2 for
MLDSA tests. But the current fedora:latest (42) still contains
kryoptic 1.1 and hence we need to temporarily disable MLDSA tests
until Fedora 43 is released.
Signed-off-by: Ondrej Moris <omoris@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28716)
Signed-off-by: Ondrej Moris <omoris@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28716)
pre-commit helps managing and maintaining multi-language pre-commit hooks.
This commit adds a pre-commit configuration to run a certian version of
clang-format utility. Later we can add sections for other languages as
well. pre-commit developers also provide the CI system which uses the
same config file.
https://pre-commit.com/
https://pre-commit.ci/
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28436)
Nikola Pajkovsky [Thu, 25 Sep 2025 16:32:17 +0000 (18:32 +0200)]
hashtable: add option to disable RCU locks
a new config option _no_rcu_ is added into HT_CONFIG. When _no_rcu_ is
set then hashtable can be guarded with any other locking primitives,
and behives as ordinary hashtable. Also, all the impact of the
atomics used internally to the hash table was mitigated.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28677)
In this setup, the hash function signature requires keybuf and len as
parameters rather than the hashtable key itself. As a result,
accessing members of the hashtable structure becomes awkward, since
you must do something like:
This kind of pointer arithmetic is both unnecessary and error-prone.
A cleaner approach is to pass the HT pointer directly into the hash
function. From there, you can safely cast it to the required type
without the pointer gymnastics.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28677)
Daniel Kubec [Sat, 27 Sep 2025 22:24:18 +0000 (00:24 +0200)]
Fix EVP_DecryptFinal_ex() for ChaCha20-Poly1305.
When using the ChaCha20-Poly1305 algorithm, the final interface
returns success without setting the authentication tag, whereas
the AES-GCM algorithm correctly returns failure in such cases.
Fixes #28137
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28683)
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28688)
The linux-riscv64 test machine crashes due to unaligned data,
when the V extension is enabled, while QEMU seems to have no
problems with unaligned data.
So check for aligned data and fall back to C code in case the
input or output values are unaligned.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28684)
and also fix the unintentional omission of the ZBA extension,
since the first word in the OPENSSL_riscvcap environment variable
is ignored, because it is assumed to be the processor base
architecture, e.g. something like RV64GC.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28684)
Ryan Hooper [Thu, 25 Sep 2025 16:42:24 +0000 (12:42 -0400)]
Fix Memory leak in CMS_EncryptedData_set1_key
When CMS_EncryptedData_set1_key is called repeatedly it will
leak data on the second call. This was because
cms->d.encryptedData was already set and needed to be cleared
before the call to M_ASN1_new_of.
Fixes: #28606 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28668)
During code review for FIPS-140-3 certification, our lab noticed that
the known answer test for RSA was removed. This was done in the above
commit, as part of
https://github.com/openssl/openssl/pull/25988
Under the assertion that FIPS 140-3 Implementation Guidance section D.G
had relaxed the requirements for testing, obviating the need for this
test.
However, for the 3.5 FIPS-140-3 certification we are adding assertions
for support of KAS-IFC-SSC, which follows FIPS-140-3 I.G section D.F,
which does not contain the same relaxed constraints. As such we need to
reintroduce the test.
While the specifics of the I.G requirements are slightly different in
D.F (allowing for other, potentially less time-consuming tests), the
most expedient path forward here is to simply re-introduce the test as
it existed previously, hence the reversion of the above commit.
Fixes openssl/private#832
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28676)
Tomas Mraz [Thu, 25 Sep 2025 12:19:22 +0000 (14:19 +0200)]
krb5kdf.c.in: Check the key size before applying the key
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28663)
Tomas Mraz [Thu, 25 Sep 2025 10:21:21 +0000 (12:21 +0200)]
Add test for using KRB5KDF with erroneous key size
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28663)
Bob Beck [Wed, 24 Sep 2025 16:16:11 +0000 (10:16 -0600)]
Update doc/designs/rfc4514.md
Co-authored-by: Andrew Dinh <andrewd@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28639)
Bob Beck [Mon, 22 Sep 2025 20:59:36 +0000 (14:59 -0600)]
Add git pre-commit hook example to the script
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28639)
Bob Beck [Mon, 22 Sep 2025 20:44:14 +0000 (14:44 -0600)]
unbreak url for legacy gost
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28639)
Bob Beck [Mon, 22 Sep 2025 20:21:06 +0000 (14:21 -0600)]
make it not write changes by default
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28639)
Bob Beck [Mon, 22 Sep 2025 19:51:32 +0000 (13:51 -0600)]
Add util/codespell-check.sh and run it
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28639)
Bob Beck [Tue, 2 Sep 2025 20:46:06 +0000 (14:46 -0600)]
Make tests run faster on typical platforms.
Sadly not doable in make as it is notoriously bad at telling
you the parallelism being used by make -j.
If the HARNESS_JOBS environment variable has not been
set, this makes the perl script attempt to figure out how
many cpu's are available on anything windows/linux/macos/bsd like,
and if it can be successfully detected, we use that value.
if not, we use 1 as before.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/28426)
Richard Levitte [Mon, 22 Sep 2025 16:26:50 +0000 (18:26 +0200)]
Change test/recipes/95-test_external_oqsprovider.t to allow out-of-source builds
Unfortunately, CMake's FindOpenSSL.cmake module doesn't handle OpenSSL's
build tree very well when it's out-of-source. This is resolved by create
a local OpenSSL "installation" with a minimum amount of symbolic links,
and using that.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28638)
Daniel Kubec [Fri, 19 Sep 2025 13:48:41 +0000 (15:48 +0200)]
Fix EVP_PKEY_can_sign() handling of NULL from query_operation_name()
EVP_PKEY_can_sign() assumed query_operation_name(OSSL_OP_SIGNATURE)
always returns a non-NULL string. According to the documentation,
query_operation_name() may return NULL, in which case
EVP_KEYMGMT_get0_name() should be used as a fallback.
Fixes #27790
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28620)
Viktor Dukhovni [Wed, 17 Sep 2025 09:07:07 +0000 (19:07 +1000)]
Check for OBJ_create() conflicts after write lock.
For now subsequent calls to OBJ_create() with identical inputs return
NID_undef. It may be better to return the previous NID in the future.
The real work actually happens in OBJ_add_object(). Duplicate compares
*all* the input object's fields with any of the objects found by lookup.
If these are identical, then necessarily all the lookups found the same
data, and we can return the existing nid in low-level calls via
OBJ_add_object() that specify the nid also. If any of the fields are
different the new object is not installed and NID_undef is returned.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28582)
Bernd Edlinger [Sun, 31 Aug 2025 19:41:50 +0000 (21:41 +0200)]
Add a test for multi-threaded OBJ_create
After a successful OBJ_create the returned NID should
be the same NID that is returned from OBJ_ln2nid and
should not change any more, but after an unsuccessful
OBJ_create, another thread must have created the object,
therefore OBJ_ln2nid should not return NID_undef in that
case.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28582)
This fixes the RSA-SM3 signatures to conform to the standard.
CLA: trivial
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28415)
Tomas Mraz [Tue, 23 Sep 2025 15:00:00 +0000 (17:00 +0200)]
Fix doublefree after failure in ossl_siv128_init()
The issue was reported by Ronald Crane from Zippenhop LLC.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28644)
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28535)
Bob Beck [Fri, 12 Sep 2025 15:18:45 +0000 (09:18 -0600)]
Const correct the various sk_find functions.
Since we no longer mutate the stack when finding, let us
make the stack pointers const.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28532)
Bob Beck [Tue, 16 Sep 2025 21:30:31 +0000 (15:30 -0600)]
Correct the documentation for OPENSSL_sk_find
Since April of 2023 with commit eb0935f, these functions have not
sorted the stack if it was not sorted. The documentation was noti
changed at the time to reflect this changed behaviour.
This corrects the documentation to reflect the current behaviour
of these functions
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28532)
Neil Horman [Tue, 23 Sep 2025 09:40:06 +0000 (05:40 -0400)]
Close small race condition on error raising in QUIC
Github issue #28501 reported an odd condition in which a double free was
occuring when a given thread was popping entries of its error stack.
It was hypothesized that, because a few places in the quic stack save
error state to a shared structure (ch->err_state, port->error_state,
qtls->error_state), that multiple threads may attempt to mutate the
shared structure during error save/restore in parallel.
Investigation showed that all paths which led to such mutations were
done under lock, so that shouldn't occur.
Except for one case, which this PR addresses.
In ossl_quic_conn_stream_conclude, we unlock our protecting mutex, prior
to calling QUIC_RAISE_NON_NORMAL_ERROR. If that function is called with
an reason code of SHUTDOWN, it attempts to restore the channel error
state. Given that the lock was released first, this creates a small
race condition in which two threads may manipulate the shared error
state in the channel struct in parallel.
According to the reporter, applying this patch prevents the reported
error from occuring again.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28642)
Neil Horman [Mon, 22 Sep 2025 13:01:00 +0000 (09:01 -0400)]
Disable HW acceleration when running TLSProxy tests
IBM reported that, since the introduction of the ossltest provider,
several tests are failing on s390x
They are failing because MAC computation on s390x uses hardware
acceleration, which bypasses the use of the ossltest provided digests.
Because TLSProxy tests rely on the return of known consistent data
(which the ossltest provider gives us), the HW acceleration ignores this
giving us real MAC's instead, causing the test to fail.
We could write an HMAC provided algorithm to override that behavior, but
since this only occurs on s390, and only in cases in which the
TLSprovider is used, it seems simpler, and more maintainable to just
disable hw acceleration on those tests (given that we don't want to use
the accelerated path anyway).
Set the capabilities register for s390 to enforce this in the TLSProxy
code.
Fixes #28630
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28633)
Andrew Dinh [Wed, 17 Sep 2025 01:49:59 +0000 (11:49 +1000)]
Skip LMS tests if fetch for the LMS algorithm fails
Check for specific LMS error
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28580)
For unknown reasons using RW mutexes on RISC-V arch
seems to be broken, at least with glibc.
Fixes #28550
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28634)
Nikola Pajkovsky [Mon, 22 Sep 2025 10:17:16 +0000 (12:17 +0200)]
x509: fix mem leak on error path
The x509_store_add() creates X509_OBJECT wrapping either X509 or
X509_CRL. However, if you set the type to X509_LU_NONE before
X509_OBJECT_free then it skips the free on the wrapped type and just
calls OPENSSL_free on the object itself. Hence, leaking wrapped
object.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28631)
Tomas Mraz [Sat, 20 Sep 2025 14:45:50 +0000 (16:45 +0200)]
tls_common.c: Handle inner content type properly on Big Endian
When passing the inner content type to msg_callback,
the lowest byte of rec->type needs to be passed instead
of directly passing the rec->type otherwise the value is
incorrect on Big Endian platforms.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28627)
Nikola Pajkovsky [Thu, 18 Sep 2025 06:56:44 +0000 (08:56 +0200)]
Ensure q variable is freed
Fixes: d88c43a64408 ("Ensure that empty or 1 element stacks are always sorted.")
Resolves: https://scan5.scan.coverity.com/#/project-view/65138/10222?selectedIssue=1665465 Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28596)
Viktor Dukhovni [Mon, 22 Sep 2025 05:02:28 +0000 (15:02 +1000)]
Added test suggested by Shane Lontis
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28624)
Viktor Dukhovni [Sat, 20 Sep 2025 04:02:52 +0000 (14:02 +1000)]
Harden property put_str() helper corner case
The put_str() helper of the internal ossl_property_list_to_string()
function failed to correctly check the remaining buffer length in a
corner case in which a property name or string value needs quoting,
and exactly one byte of unused space remained in the output buffer.
The only potentially affected calling code is conditionally compiled
(disabled by default) provider "QUERY" tracing that is executed only
when also requested at runtime. An initial fragment of the property
list encoding would need to use up exactly 511 bytes, leaving just 1
byte for the next string which requires quoting. Bug reported by
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28624)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/28602)
Richard Levitte [Thu, 18 Sep 2025 15:12:33 +0000 (17:12 +0200)]
Make generated files read-only
This is an attempt to discouraged manual changes of generated files,
as people have done so, just to get their changes over-written next
time those files are re-generated.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28612)
Richard Levitte [Thu, 18 Sep 2025 05:14:13 +0000 (07:14 +0200)]
Fix OPENSSL_VERSION_NUMBER to always have zero status bits
The documentation suggested that they were always zero, while the
implementation in <openssl/opensslv.h> suggested that it could be
0xf in OpenSSL releases... which (almost) never happened because
of a bug in said implementation.
Therefore, we solidify that the status bits are indeed always zero,
at least in all OpenSSL 3 versions.
Ryan Hooper [Fri, 19 Sep 2025 15:33:09 +0000 (11:33 -0400)]
Fix CI Pipeline by Disabling SSL_TRACE_TEST
Disabling the SSL_TRACE_TEST since it caused an issue on
some cross compiles. A follow-on commit will change
the test.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28621)
this adds another release/acquire link between update_qp and
get_hold_current_qp via the reader_idx because the current
one which is based on the qp users count is only preventing
a race condition, but does not help when the reader acquires
the next qp.
Fixes #27267
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28585)
Viktor Dukhovni [Tue, 16 Sep 2025 12:40:32 +0000 (22:40 +1000)]
Fix ML-KEM key equality check when either unset
Fixes #28563
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28569)
Revert "rsa: expose pairwise consistency test API"
This reverts commit dc5cd6f70a0e "rsa: expose pairwise consistency test API",
that has introduced ossl_rsa_key_pairwise_test() function, as the only user
has been removed in 7f7f75816f26 "import pct: remove import PCTs for most
algorithms".
Complements: 7f7f75816f26 "import pct: remove import PCTs for most algorithms" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28557)
The cipher protocol ID, the return type of SSL_CIPHER_get_protocol_id,
is uint16_t and correctly described in docs to be 2 bytes, however the
function signature on the same page incorrectly pointed to it being
uint32_t, which is 4 bytes.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28523)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28393)
Bob Beck [Mon, 25 Aug 2025 20:26:33 +0000 (14:26 -0600)]
Use less preprocessor gymnastics for fatal error detection.
We seem to be using a lot of preprocessor gymnastics to avoid
having duplicate cases in a case statement depending on what
the host system defines these values to. We should not care.
If we don't bother with the case statement this becomes
easier to follow.
While we are here, pick up the reccomended windows2 values
that correspond with the POSIX values we already have
in here that we believe are "non-fatal", and condition
the codes to use on being windows or something POSIX.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28344)
test/p_ossltest.c: check for return values in OSSL_PARAM_* calls
Some of the OSSL_PARAM_* calls haven't their return codes checked
(OSSL_PARAM_get_octet_string_ptr() call
in ossl_test_aes128cbchmacsha1_set_ctx_params(),
and OSSL_PARAM_set_size_t() call in drbg_ctr_get_ctx_params()),
and Coverity complained about it. Add the missing checks.
Fixes: 032297054ab5 "Implement an ossltest provider to replace ossltest engine"
Resolves: https://github.com/openssl/project/issues/1618
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665462
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665463 Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28583)
providers/implementations/keymgmt/ecx_kmgmt.c.in: remove PCT on ECX import
While PCT on import has been removed for DH, EC, RSA, and SLH-DSA,
ECX seems to be overlooked. Correct that omission.
Complements: 7f7f75816f26 "import pct: remove import PCTs for most algorithms" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28573)
Bob Beck [Mon, 15 Sep 2025 17:52:44 +0000 (11:52 -0600)]
Don't return a value we never check from indent_printf()
Coverity notices it could overflow, since we don't use this
don't bother returning it
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28553)
Bob Beck [Fri, 12 Sep 2025 18:08:02 +0000 (12:08 -0600)]
Don't clear is_sorted unconditionally on OPENSSL_sk_insert()
If we have a comparison function, and the array was sorted,
check to see if we are inserting in the correct location.
if so do not clear is_sorted.
This allows for element locations found with OPENSSL_sk_find_ex
to be used to insert elements in the correct location and preserve
the sorting order without the need to sort the stack again.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28533)
Bob Beck [Wed, 10 Sep 2025 17:43:01 +0000 (11:43 -0600)]
Ensure that empty or 1 element stacks are always sorted.
Matt noticed "It's kind of weird that we are forced to call sort on
a newly created and empty stack. It feels like an empty stack should
have the "sorted" flag by default on creation"
I am incluined to agree. This change ensures tht empty or 1 element
stacks are marked as sorted, as per the existing comment in the
file.
Since this involved changing the various duplication routines to
also ensure that sorted was preserved for such stacks, I also
noticed the duplication code was largely duplicated. I
took the opportunity to deduplicate the duplication code while
making these changes.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28509)
25-test_verify.t: fix misleading test case names and file variable name
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28469)
25-test_verify.t: fix partly case-sensitive matching for Windows OS: s/MsWin32/MSWin32/
Fixes #27984
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28098)
Neil Horman [Fri, 12 Sep 2025 17:11:46 +0000 (13:11 -0400)]
Fix ossl_prov_set_macctx
This function fails to construct a param list that includes the passed
in property query string in the param lists when allocating subordonate
algorithms.
Make sure we allow callers to pass a param list (so that providers for
subordonate algorithms can be selected), and merge those into the param
list that this function builds on its own.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28461)
Neil Horman [Tue, 9 Sep 2025 13:47:34 +0000 (09:47 -0400)]
support passing prop querys to composite algs
We have several composite alg usages (i.e. MAC/KDF) which pick the right
digest implementation when using an engine, but fail to get the right
one when using a provider because we don't pass the propquery in a
parameter to their instantiation.
Fix them up by constructing the appropriate parameters
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28461)
Neil Horman [Thu, 4 Sep 2025 20:14:21 +0000 (16:14 -0400)]
remove loader_attic test from test_cmp_cli
This engine is going away (in fact they all are), so just remove the
test cases referencing this engine
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28461)
Neil Horman [Thu, 4 Sep 2025 20:12:20 +0000 (16:12 -0400)]
remove loader_attic tests from test_store
With the removal of engines we need to handle the loader_attic test that
will fail with said removal
based on the advice of @levitte, given that we have a file: loader in
the default provider already, theres no need to test an engine thats
going away, so just remove it.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28461)
Neil Horman [Thu, 4 Sep 2025 18:04:55 +0000 (14:04 -0400)]
Convert TLSProxy to use new provider
replace use of ossltest engine with provider in TLSProxy and update all
dependent tests
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28461)
Neil Horman [Thu, 4 Sep 2025 17:45:22 +0000 (13:45 -0400)]
replace ossltest engine in test_dgst
Use the new ossltest provider rather than the ossltest engine
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28461)
projects / thirdparty / openssl.git / log
