Mathieu Tortuyaux [Mon, 18 Sep 2023 14:02:21 +0000 (16:02 +0200)]
enc: "bad decrypt" only in decryption
CLA: trivial
Signed-off-by: Mathieu Tortuyaux <mathieu.tortuyaux@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22134)
Simo Sorce [Thu, 14 Sep 2023 20:55:32 +0000 (16:55 -0400)]
Add provider documentation for the new open_ex
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20131)
Simo Sorce [Thu, 14 Sep 2023 13:25:30 +0000 (09:25 -0400)]
Add Test to verify open_ex password checking works
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20131)
Simo Sorce [Mon, 23 Jan 2023 22:28:21 +0000 (17:28 -0500)]
Allow to pass a passprase callback at store open
Some PKCS11 modules require authentication early on to be able to
preload objects, which we want to do to avoid costly roundtrips when the
HSM is actually reached over a network (Cloud HSM).
Unfortunately at open time we can't interact with the user becaue the
callbacks are only passed at object load time. later on.
This patch corrects this issue by providing a more feature rich open
call for providers.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20131)
Tomas Mraz [Wed, 13 Sep 2023 14:56:58 +0000 (16:56 +0200)]
Postponed further context duplication support for ciphers
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22094)
Sumitra Sharma [Tue, 12 Sep 2023 06:30:21 +0000 (12:00 +0530)]
Enhance code safety and readability in SSL_get_shared_ciphers()
This commit introduces two key improvements:
1. Improve code safety by replacing the conditional statement with
`if (n >= size)` and using OPENSSL_strnlen() instead of strlen().
This change ensures proper buffer size handling and adheres to
secure coding practices.
2. Enhance code readability by substituting `strcpy(p, c->name)` with
`memcpy(p, c->name, n)`. This adjustment prioritizes code clarity and
maintenance, even while mitigating a minimal buffer overflow risk.
These enhancements bolster the code's robustness and comprehensibility,
aligning with secure coding principles and best practices.
Fixes #19837
Signed-off-by: Sumitra Sharma <sumitraartsy@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21934)
Pan Lanlan [Fri, 8 Sep 2023 16:13:43 +0000 (00:13 +0800)]
Update OPENSSL_buf2hexstr() to use DEFAULT_SEPARATOR.
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22041)
Matthias St. Pierre [Fri, 15 Sep 2023 13:32:25 +0000 (15:32 +0200)]
APPS: remove duplicate definition of `trace_data_stack`
Note: It seems like the C compiler doesn't care about the duplicate.
(The first definition is eight lines above.) The C++ compiler however
didn't like it when I reused the tracing code snippets elsewhere.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22117)
Dimitri Papadopoulos [Wed, 13 Sep 2023 18:50:11 +0000 (20:50 +0200)]
Fix new typos found by codespell
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22098)
Tomas Mraz [Thu, 14 Sep 2023 14:59:47 +0000 (16:59 +0200)]
coveralls.yml: Improve coverage mapping and remove 1.1.1
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22104)
Neil Horman [Tue, 12 Sep 2023 21:09:06 +0000 (17:09 -0400)]
Fix a key repointing in various ciphers
In the dupctx fixups I missed a pointer that needed to be repointed to
the surrounding structures AES_KEY structure for the sm4/aes/aria
ccm/gcm variants. This caused a colliding use of the key and possible
use after free issues.
Fixes #22076
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22102)
Neil Horman [Tue, 12 Sep 2023 21:07:53 +0000 (17:07 -0400)]
Fix regression in evp_test for provider compat CI
If we ignore the faliure to copy on an old fips provider, we need to use
ctx_base, rather than ctx
Fixes #22076
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22102)
Olga Batyshkina [Mon, 7 Aug 2023 13:14:53 +0000 (15:14 +0200)]
Fix PKCS#12 creation error when certificate contains auxiliary data
Prefer friendly name passed by the caller and calculated local
key id to ones found in certificate auxiliary data when creating
PKCS#12.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21675)
Dmitry Belyavskiy [Thu, 31 Aug 2023 09:33:36 +0000 (11:33 +0200)]
Store: API for deletion - documentation
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21901)
Dmitry Belyavskiy [Mon, 28 Aug 2023 11:38:33 +0000 (13:38 +0200)]
Store: API for deletion - tests
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21901)
Dmitry Belyavskiy [Mon, 28 Aug 2023 11:38:19 +0000 (13:38 +0200)]
Store: API for deletion - make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21901)
Dmitry Belyavskiy [Mon, 28 Aug 2023 11:37:33 +0000 (13:37 +0200)]
Store: API for deletion
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21901)
Bernd Edlinger [Tue, 5 Sep 2023 14:59:45 +0000 (16:59 +0200)]
Fix engine cleanup error handling
Error handling in engine_cleanup_add_first/last was
broken and caused memory leaks.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21971)
Matt Caswell [Wed, 13 Sep 2023 09:31:46 +0000 (10:31 +0100)]
Remove use of _Static_assert
We had some use of the C11 _Static_assert feature which can cause some
problems on some platforms. Everywhere we were using it, it is not really
required so remove it.
Fixes #22017
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22091)
Tomas Mraz [Wed, 13 Sep 2023 06:29:17 +0000 (08:29 +0200)]
Fix build of SHA3 on ARM64 with no-asm
Fixes #22089
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22090)
Pauli [Wed, 13 Sep 2023 02:06:20 +0000 (12:06 +1000)]
Use correct version of 3.1 build for FIPS provider.
We're (currently) intending to validate 3.1.2 against FIPS 140-3.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/22088)
Richard Levitte [Tue, 12 Sep 2023 12:58:03 +0000 (14:58 +0200)]
Have legacy blake2 EVP structure use base blake2 implementation
For some reason, the code here was made to got through the provider
specific init functions. This is very very dangerous if the provider
specific functions were to change in any way (such as changes to the
implementation context structure).
Instead, use the init functions from the base blake2 implementations
directly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22079)
Hugo Landau [Fri, 8 Sep 2023 11:50:59 +0000 (12:50 +0100)]
QUIC CHANNEL: Add missing duplicate TPARAM handling cases
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22039)
Hugo Landau [Fri, 8 Sep 2023 12:08:10 +0000 (13:08 +0100)]
QUIC MULTISTREAM TEST: Correct trivial bug
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22039)
Richard Levitte [Tue, 12 Sep 2023 13:07:29 +0000 (15:07 +0200)]
Fix test/quic_tserver_test.c for slow machines
OSSL_sleep(1) isn't enough of a wait for threads to process the next QUIC
tick, so it gets increased to OSSL_sleep(100). This may be a tad much,
perhaps, but for now, it gives a good margin.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22075)
Bernd Edlinger [Mon, 11 Sep 2023 10:26:46 +0000 (12:26 +0200)]
Fix memory leaks in ssl_old_test.c
This fixes a few memory leaks reported in #22049.
If SSL_CTX_set0_tmp_dh_pkey rejects the temp dh key
due to security restrictions (even when @SECLEVEL=0 is used!)
then the caller has to delete the PKEY object.
That is different to how the deprecated
SSL_CTX_set_tmp_dh_pkey was designed to work.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22060)
Tomas Mraz [Mon, 11 Sep 2023 15:23:46 +0000 (17:23 +0200)]
d2i_ECPKParameters and i2d_ECPKParameters are not deprecated
So do not document them as such.
Fixes #22068
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22069)
Matt Caswell [Tue, 12 Sep 2023 09:39:51 +0000 (10:39 +0100)]
Further fix in bio_dgram_test for BIO_s_dgram_mem()
When setting an explicit buffer size using BIO_s_dgram_mem() make sure we
take into account the size of the header (which may be large on NonStop)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22058)
Matt Caswell [Mon, 11 Sep 2023 09:03:22 +0000 (10:03 +0100)]
Fix a failure in bio_dgram_test on the NonStop platform
The size of the datagram header is significantly larger that we might
expect on NonStop (probably driven by sizeof(BIO_ADDR)). We adjust the
size of the default buffer to take into account the header size and the
mtu.
Fixes #22013
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22058)
Matt Caswell [Mon, 11 Sep 2023 12:57:35 +0000 (13:57 +0100)]
Test that a client that does not supply ALPN fails as expected
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22066)
Matt Caswell [Mon, 11 Sep 2023 12:55:41 +0000 (13:55 +0100)]
Ensure QUIC-TLS errors raised during channel start are available to caller
TLS misconfiguration errors should be shown to the application to enable
diagnosis of the problem. Otherwise you just get a generical "internal
error" message.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22066)
Matt Caswell [Fri, 8 Sep 2023 16:36:38 +0000 (17:36 +0100)]
Test we correctly handle missing ALPN from the server
ALPN is a requirement for QUIC so it is an error if the server does not
send it.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22066)
Dimitri Papadopoulos [Mon, 11 Sep 2023 11:27:05 +0000 (13:27 +0200)]
Fix typos found by codespell
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22063)
Bernd Edlinger [Mon, 11 Sep 2023 10:34:02 +0000 (12:34 +0200)]
Fix a memleak in prepare_rsa_params
This affects only RSA-PSS keys with params using
negative salt legth, or in case of out of memory.
This fixes a memory leak reported in #22049.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22061)
Neil Horman [Fri, 1 Sep 2023 17:47:15 +0000 (13:47 -0400)]
Add dupctx support to rc4_hmac_md5 algo
Pretty straightforward, just clone the requested context, no pointers to
fixup
Fixes #21887
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21933)
Neil Horman [Fri, 1 Sep 2023 17:22:03 +0000 (13:22 -0400)]
implement dupctx for chacha20_poly1305
Same as chacha20 in the last commit, just clone the ctx and its
underlying tlsmac array if its allocated
Fixes #21887
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21933)
Neil Horman [Fri, 1 Sep 2023 16:13:19 +0000 (12:13 -0400)]
Fix aes_gcm_siv dupctx function
This cipher family has a dupctx function, but was failing because it was
attempting to memdup a field only if it was null
Fix the conditional check to get it working again
Fixes #21887
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21933)
Neil Horman [Fri, 1 Sep 2023 15:28:33 +0000 (11:28 -0400)]
implement dupctx for aes_WRAP methods
create a dupctx method for aes_WRAP implementations of all sizes
Fixes #21887
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21933)
Neil Horman [Fri, 1 Sep 2023 13:10:35 +0000 (09:10 -0400)]
Add dupctx support to aead ciphers
Add dupctx method support to to ciphers implemented with IMPLEMENT_aead_cipher
This includes:
aes-<kbits>-gcm
aria-<kbits>-ccm
aria-<kbits>-gcm
sm4-<kibs>-gcm
Fixes #21887
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21933)
Neil Horman [Tue, 29 Aug 2023 19:42:48 +0000 (15:42 -0400)]
make inability to dup/clone ciphers an error
There should be no reason that a cipher can't be duplicated
Fixes #21887
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21933)
Matt Caswell [Fri, 8 Sep 2023 10:22:36 +0000 (11:22 +0100)]
Add a test for SSL_CIPHER_find() when used with a QUIC SSL object
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22011)
Matt Caswell [Thu, 7 Sep 2023 16:45:49 +0000 (17:45 +0100)]
Fix the SSL_CIPHER_find() function when used with a QCSO
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22011)
Matt Caswell [Thu, 7 Sep 2023 16:36:13 +0000 (17:36 +0100)]
Add a test for using a PSK with QUIC
Check that we can set and use a PSK when establishing a QUIC connection.
Fixes openssl/project#83
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22011)
Vladimir Kotal [Tue, 5 Sep 2023 09:13:47 +0000 (11:13 +0200)]
augment man pages with information about PKCS12KDF in FIPS mode
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21965)
Tomas Mraz [Fri, 8 Sep 2023 13:28:45 +0000 (15:28 +0200)]
Add CVE-2023-4807 fix to CHANGES.md and NEWS.md
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22033)
Tomas Mraz [Fri, 8 Sep 2023 13:21:23 +0000 (15:21 +0200)]
Sync changes between 3.2 and 3.1 branches
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22033)
Bernd Edlinger [Thu, 7 Sep 2023 17:22:25 +0000 (19:22 +0200)]
Fix a possible memleak in rsa_pub_encode
That seems to be only an issue for RSA-PSS with parameters.
Spotted by code review, so it looks like there is no test coverage for this.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22032)
Dmitry Misharov [Thu, 7 Sep 2023 11:52:46 +0000 (13:52 +0200)]
remove unused Appveyour config
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22000)
Dimitri Papadopoulos [Sun, 6 Aug 2023 17:44:37 +0000 (19:44 +0200)]
Bad function definition
void f() should probably be void f(void)
Found by running the checkpatch.pl Linux script to enforce coding style.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21468)
Dimitri Papadopoulos [Sun, 16 Jul 2023 18:03:40 +0000 (20:03 +0200)]
"foo * bar" should be "foo *bar"
Found by running the checkpatch.pl Linux script to enforce coding style.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21468)
Dimitri Papadopoulos [Sun, 16 Jul 2023 07:09:31 +0000 (09:09 +0200)]
Remove repeated words
Found by running the checkpatch.pl Linux script to enforce coding style.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21468)
Richard Levitte [Fri, 8 Sep 2023 06:20:02 +0000 (08:20 +0200)]
Fix test_quic_multistream to allow multiple concurrent tests
The server port was hard coded to 8186. That could make for some
"interesting" effects if two instances of this same test was running
on the same machine.
This change binds the server interface with port 0, and captures the
resulting random port.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22025)
Matt Caswell [Fri, 8 Sep 2023 14:26:40 +0000 (15:26 +0100)]
Fix a build failure where recvmmsg is available but not sendmmsg
Some old glibc versions have recvmmsg but not sendmmsg. We require both to
use that functionality. Introduce a test to check we have a sufficiently
recent version of glibc.
Fixes #22021
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/22036)
Randall S. Becker [Thu, 7 Sep 2023 19:42:10 +0000 (20:42 +0100)]
Prevent 80-test_cmp_http from accidentally killing perl in error.
If there is an issue with setting up the test environment in this test,
pid is not set so stop_server kills the perl process. A guard has been
added to prevent this situation.
Fixes: #22014
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22015)
Min Zhou [Thu, 7 Sep 2023 03:07:53 +0000 (11:07 +0800)]
LoongArch64 assembly pack: add ChaCha20 modules
This assembly implementation for ChaCha20 includes three code paths:
scalar path, 128-bit LSX path and 256-bit LASX path. We prefer the
LASX path or LSX path if the hardware and system support these
extensions.
There are 32 vector registers avaialable in the LSX and LASX
extensions. So, we can load the 16 initial states and the 16
intermediate states of ChaCha into the 32 vector registers for
calculating in the implementation. The test results on the 3A5000
and 3A6000 show that this assembly implementation significantly
improves the performance of ChaCha20 on LoongArch based machines.
The detailed test results are as following.
Test with:
$ openssl speed -evp chacha20
3A5000
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
C code 178484.53k 282789.93k 311793.70k 322234.99k 324405.93k 324659.88k
assembly code 223152.28k 407863.65k 989520.55k
2049192.96k
2127248.70k
2131749.55k
+25% +44% +217% +536% +556% +557%
3A6000
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
C code 214945.33k 310041.75k 340724.22k 349949.27k 352925.01k 353140.74k
assembly code 299151.34k 492766.34k
2070166.02k
4300909.91k
4473978.88k
4499084.63k
+39% +59% +508% +1129% +1168% +1174%
Signed-off-by: Min Zhou <zhoumin@loongson.cn>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21998)
Rainer Jung [Thu, 7 Sep 2023 22:27:07 +0000 (00:27 +0200)]
Regexp modifier "r" needs perl 5.14; OpenSSL should build with 5.11, so do not use the "r" shortcut.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22019)
Bernd Edlinger [Fri, 8 Sep 2023 08:33:24 +0000 (10:33 +0200)]
Fix output corruption in req command
when used in conjunction with -out and -modulus options.
Fixes #21403
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22026)
Randall S. Becker [Thu, 7 Sep 2023 14:15:21 +0000 (15:15 +0100)]
Exclude include of poll.h from NonStop builds - not defined on platform.
socket.h has been modified so that poll.h is omitted for OPENSSL_SYS_NONSTOP
builds. The platform configuration is derived from UNIX so the include is
only omitted for NonStop but kept in the OPENSSL_SYS_UNIX include block.
Fixes: #22001
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22006)
Randall S. Becker [Thu, 7 Sep 2023 14:00:19 +0000 (15:00 +0100)]
Modify 50-nonstop.conf to enable c99 extensions for uintptr_t.
This is done using the define __NSK_OPTIONAL_TYPES__ and is specific to the
NonStop platform builds.
Fixes: #22002
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22005)
Matt Caswell [Wed, 6 Sep 2023 11:36:43 +0000 (12:36 +0100)]
Return NULL if we fail to create a BIO in the demos/quicserver
Strictly speaking the previous code was still correct since BIO_set_fd
is tolerant of a NULL BIO. But this way is more clear.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21950)
Matt Caswell [Wed, 6 Sep 2023 11:14:33 +0000 (12:14 +0100)]
Add a missing call to BIO_closesocket()
A couple of the demos missed a call to this function in an error case.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21950)
Matt Caswell [Tue, 5 Sep 2023 14:17:29 +0000 (15:17 +0100)]
Expand the explanation of how to go and do useful work in non-blocking
Add additional commentary to the non-blocking examples explaining where to
add code to go and do other useful work.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21950)
Matt Caswell [Fri, 1 Sep 2023 16:41:48 +0000 (17:41 +0100)]
Add a new guide page on writing a non-blocking QUIC client
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21950)
Matt Caswell [Fri, 25 Aug 2023 17:05:32 +0000 (18:05 +0100)]
Add a new guide page on writing a non-blocking TLS client
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21950)
Matt Caswell [Fri, 25 Aug 2023 12:44:14 +0000 (13:44 +0100)]
Add a QUIC non-blocking demo
Show how to write a QUIC client using a non-blocking socket
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21950)
Matt Caswell [Thu, 24 Aug 2023 08:14:21 +0000 (09:14 +0100)]
Add a TLS non-blocking demo
Show how to write a TLS client using a non-blocking socket
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21950)
dependabot[bot] [Fri, 8 Sep 2023 08:14:37 +0000 (08:14 +0000)]
Bump coverallsapp/github-action from 2.2.1 to 2.2.3
Bumps [coverallsapp/github-action](https://github.com/coverallsapp/github-action) from 2.2.1 to 2.2.3.
- [Release notes](https://github.com/coverallsapp/github-action/releases)
- [Commits](https://github.com/coverallsapp/github-action/compare/v2.2.1...v2.2.3)
---
updated-dependencies:
- dependency-name: coverallsapp/github-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22012)
Bernd Edlinger [Wed, 6 Sep 2023 12:06:52 +0000 (14:06 +0200)]
Fix a possible memleak in SRP_VBASE_new
In the error handling case the memory in
vb->users_pwd was accidentally not released.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21981)
Richard Levitte [Wed, 6 Sep 2023 05:13:26 +0000 (07:13 +0200)]
OSSL_STORE: Fix error flag clearing and setting (provider path only)
When the provider's load function returned with an error, the libcrypto
error flag was only set if EOF hadn't been reached. This is troublesome,
as an error can very well occur during the last load before EOF is reached!
Also, the error flag was never reset, even though documentation specifies
that it should indicate an error in the last load (i.e. not the one before
that).
Fixes #21968
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21976)
Pauli [Thu, 7 Sep 2023 02:35:10 +0000 (12:35 +1000)]
Add test case for #21986
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/21988)
Pauli [Wed, 6 Sep 2023 23:27:37 +0000 (09:27 +1000)]
Check error return from cms_sd_asn1_ctrl() correctly.
Fixes #21986
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/21988)
Richard Levitte [Thu, 7 Sep 2023 05:34:33 +0000 (07:34 +0200)]
Fix 80-test_cmp_http.t to be more flexible regarding IP versions
Because apps/lib/http_server.c had a hard coded "[::]" for the accept host,
80-test_cmp_http.t assumed that it would always get a CMP server on an IPv6
address, and tested for that.
With the fix in apps/lib/http_server.c, that test was of course doomed to
fail. Since CMP should be about IP version testing, 80-test_cmp_http.t is
adapted to allow the Mock server to accept connections on either IP version,
and the test for IPv6 is removed.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21989)
Richard Levitte [Thu, 7 Sep 2023 03:57:36 +0000 (05:57 +0200)]
BIO_set_accept_name(): To accept from any interface, use *
Using "*:{port}" is preferred to "[::]:{port}", because it won't break on
IPv4-only machines.
This fixes test failures in 79-test_http.t and 80-test_ssl_new.t on machines
without IPv6.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21989)
wangcheng [Wed, 6 Sep 2023 13:29:38 +0000 (21:29 +0800)]
Modify the dkeyform type to support engine
The valtype value of dkeyform defined in the s_server_options structure is F, which leads to the judgment that the engine is not supported when processing parameters in the opt_next function.
This the valtype value of dkeyform should be changed to "f".
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21982)
Min Zhou [Wed, 6 Sep 2023 03:52:26 +0000 (11:52 +0800)]
test/chacha: replace CPUID_OBJ with OPENSSL_CPUID_OBJ
Fixes #21977
Signed-off-by: Min Zhou <zhoumin@loongson.cn>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21978)
Matt Caswell [Thu, 7 Sep 2023 09:00:46 +0000 (10:00 +0100)]
Prepare for 3.2 alpha 2
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
Matt Caswell [Thu, 7 Sep 2023 09:00:22 +0000 (10:00 +0100)]
Prepare for release of 3.2 alpha 1
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
Matt Caswell [Thu, 7 Sep 2023 09:00:21 +0000 (10:00 +0100)]
make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
Matt Caswell [Thu, 7 Sep 2023 08:59:15 +0000 (09:59 +0100)]
Copyright year updates
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
Hugo Landau [Mon, 4 Sep 2023 16:53:13 +0000 (17:53 +0100)]
QUIC MULTISTREAM TEST: Add comment
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21827)
Hugo Landau [Wed, 30 Aug 2023 07:01:47 +0000 (08:01 +0100)]
QUIC MULTISTREAM TEST: Adjust spin behaviour
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21827)
Hugo Landau [Tue, 29 Aug 2023 13:33:44 +0000 (14:33 +0100)]
win32: Support condition variable broadcasting on XP
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21827)
Hugo Landau [Thu, 24 Aug 2023 14:19:20 +0000 (15:19 +0100)]
QUIC MULTISTREAM TEST: Synchronize script 20 correctly
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21827)
Hugo Landau [Thu, 24 Aug 2023 09:16:52 +0000 (10:16 +0100)]
QUIC MULTISTREAM TEST: Run all scripts in both blocking and non-blocking modes
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21827)
Pauli [Tue, 5 Sep 2023 01:49:38 +0000 (11:49 +1000)]
fips compatibility: update 3.1.1 to 3.1.2
The plan at the moment is to validate 3.1.2 all going well.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21962)
Philip Prindeville [Sat, 2 Sep 2023 19:18:04 +0000 (13:18 -0600)]
Per other commands, make progress dots in req only w/ -verbose
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21937)
Dr. David von Oheimb [Tue, 29 Aug 2023 09:09:05 +0000 (11:09 +0200)]
CMP: generalize ossl_cmp_calc_protection() to handle Edwards curves correctly
Fixes #21564
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21884)
Kurt Roeckx [Fri, 1 Sep 2023 12:03:07 +0000 (14:03 +0200)]
Update fuzz corpora to latest commit
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21927)
Bernd Edlinger [Mon, 4 Sep 2023 07:40:28 +0000 (09:40 +0200)]
Fix internal memory leaks from OPENSSL_MALLOC_FAILURES
There is a rarely used feature that can be enabled
with `./config enable-crypto-mdebug` when additionally
the environment variable OPENSSL_MALLOC_FAILURES is used.
It turns out to be possible that CRYPTO_zalloc may
create a leak when the memory is allocated and then
the shouldfail happens, then the memory is lost.
Likewise when OPENSSL_realloc is used with size=0,
then the memory is to be free'd but here the shouldfail
check is too early, and the failure may prevent the
memory to be freed thus creating a bogus memory leak.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21944)
Tomas Mraz [Mon, 4 Sep 2023 07:09:40 +0000 (09:09 +0200)]
Test that NULL BIGNUM is supported in OSSL_PARAM_BLD_push_BN()
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21945)
Tomas Mraz [Mon, 4 Sep 2023 06:59:53 +0000 (08:59 +0200)]
OSSL_PARAM_BLD_push_BN_pad(): Allow NULL BIGNUM
This was supported previously and regressed
with commit
17898ec6011cc583c5af69ca8f25f5d165ff3e6a
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21945)
Dr. David von Oheimb [Fri, 4 Aug 2023 17:02:28 +0000 (19:02 +0200)]
apps/cmp.c: fix bug not allowing to reset -csr and -serial option values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21659)
Dr. David von Oheimb [Fri, 4 Aug 2023 06:23:58 +0000 (08:23 +0200)]
apps.c: improve warning texts of parse_name() when skipping RDN input
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21659)
Dr. David von Oheimb [Thu, 3 Aug 2023 14:52:49 +0000 (16:52 +0200)]
apps.c: fix error messages (newline and needless text) in load_key_certs_crls()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21659)
Hugo Landau [Thu, 31 Aug 2023 17:54:16 +0000 (18:54 +0100)]
MUTEX: Assert on locking failure
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21919)
dependabot[bot] [Tue, 5 Sep 2023 07:56:28 +0000 (07:56 +0000)]
Bump actions/checkout from 2 to 4
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v4)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21953)
Richard Levitte [Mon, 4 Sep 2023 20:09:27 +0000 (22:09 +0200)]
VMS: More header inclusion compensation for VMS C compiler
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/21959)
Kai Pastor [Sun, 3 Sep 2023 08:59:22 +0000 (10:59 +0200)]
Use armv8 .quad instead of .dword
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21939)
Tomas Mraz [Mon, 4 Sep 2023 19:39:30 +0000 (21:39 +0200)]
04-test_encoder_decoder.t: Use algorithm that is non-fips also on 3.0.0
The test encrypted RSA key with DES3 which is still
allowed in the 3.0 fips provider.
Instead use the traditional key format that uses MD5
to create the password based key. MD5 is disallowed
in the 3.0 fips provider.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/21957)
Tomas Mraz [Mon, 4 Sep 2023 19:50:18 +0000 (21:50 +0200)]
quicserver.c: Fix build with no-ssl-trace
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21958)