Fix unbounded memory growth when using no-cached-fetch When OpenSSL has been compiled with no-cached-fetch we do not cache algorithms fetched from a provider. When we export an EVP_PKEY to a provider we cache the details of that export in the operation cache for that EVP_PKEY. Amoung the details we cache is the EVP_KEYMGMT that we used for the export. When we come to reuse the key in the same provider that we have previously exported the key to, we check the operation cache for the cached key data. However because the EVP_KEYMGMT instance was not cached then instance will be different every time and we were not recognising that we had already exported the key to the provider. This causes us to re-export the key to the same provider everytime the key is used. Since this consumes memory we end up with unbounded memory growth. The fix is to be more intelligent about recognising that we have already exported key data to a given provider even if the EVP_KEYMGMT instance is different. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/23841)
plug potential memory leak in error code path Function `module_add()` may leak stack of modules when it fails to initialize newly added module. Fixes #23835 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23836)
82-test_ocsp_cert_chain.t: Just ignore unrecognized lines in server output There might be warnings from AFL fuzz checker or other warnings that we do not care about. For success it is just required that cert_status: ocsp response sent: is present. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23851)
Minor docfix for OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines(3) Also removal of duplicate assignment and addition of comment in test/http_test.c Follow up change to PR #23781 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23837)
SSL_add_dir_cert_subjects_to_stack(): Documented return values In the man page for SSL_add_dir_cert_subjects_to_stack(), the functions returning int have undocumented return values. Fixes #23171 Signed-off-by: Shakti Shah <shaktishah33@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23433)
Add Content Type OID for id-ct-rpkiSignedPrefixList References: draft-ietf-sidrops-rpki-prefixlist Title: "A profile for Signed Prefix Lists for Use in the Resource Public Key Infrastructure (RPKI)" OID assigned under 'SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)' https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23426)
apps/x509.c: No warning reading from stdin if redirected Fixes #22893 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23526)
Fix ASLR to be smaller during asan/tsan/ubsan runs Recently asan/tsan/ubsan runs have been failing randomly. It appears that a recent runner update may have led to the Address Space Layout Randomization setting in the linux kernel of ubuntu-latest runner getting set to too high a value (it defaults to 30). Such a setting leads to the possibility that a given application will have memory mapped to an address space that the sanitizer code typically uses to do its job. Lowering this value allows a/t/ubsan to work consistently again Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23842)
Update tls13ccstest.c, removal of deadcode tst has been already checked for invalid value in the start of the function with switch statement. Checked again here, so removed deadcode CLA: trivial Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23813)
Add fuzzing for DTLS Update the fuzz corpora submodule with the DTLS fuzz corpus. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23585)
s_server: test ocsp with "-cert_chain" Add a test to exercise the use of s_server with "-cert_chain" to construct an ocsp request. This new functionality was added in PR #22192. Testing: make V=1 TESTS='test_ocsp_cert_chain' test Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23101)