summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)Author
2024-03-11PKCS7: Remove one of the duplicate checksJiasheng Jiang
There are two consecutive identical checks "if (i <= 0)". We can remove one of them to make the code clear. CLA: trivial Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23741)
2024-03-11Add reformatting commit to .git-blame-ignore-revsAarni Koskela
CLA: trivial Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23748)
2024-03-11Make the generated params_idx.c file deterministic if run multipleslontis
times. Fixes #23672 There are many name/value pairs currently that have duplicate names e.g. 'CAPABILITY_TLS_GROUP_MAX_TLS' => "tls-max-tls", 'CAPABILITY_TLS_SIGALG_MAX_TLS' => "tls-max-tls", Stripping the .pm file down to just the above entries and running multiple times gives different results for the produce_decoder. On multiple runs any iterations over the unordered hash table keys using foreach my $name (keys %params) results in a different order on multiple runs. Because of this the mapping from the hash 'value' back to the 'key' will be different. Note that the code also uses another mechanism in places that uses "name1" => "value" "name2" => "*name1" Rather than fix all the strings the change done was to sort the keys. If we were to chose to fix the strings then the perl code should be changed to detect duplicates. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/23688)
2024-03-11FAQ.md should be removedAlexandr Nedvedicky
the page the link refers to does not exist. Anyone objects to delete file? Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23719)
2024-03-11Fix BIO_get_new_index() to return an error when it is exhausted.slontis
Fixes #23655 BIO_get_new_index() returns a range of 129..255. It is set to BIO_TYPE_START (128) initially and is incremented on each call. >= 256 is reserved for the class type flags (BIO_TYPE_DESCRIPTOR) so it should error if it reaches the upper bound. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23732)
2024-03-09Bring SSL_group_to_name docs in line with API definitionNeil Horman
docs say the SSL object in this function is const, but the api doesn't qualify it as such. Adjust the docs to match the definition Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23785)
2024-03-09Add CHANGESHugo Landau
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23584)
2024-03-09QUIC MULTISTREAM TEST: Test write buffer statistics queriesHugo Landau
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23584)
2024-03-09QUIC: Add stream write buffer queriesHugo Landau
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23584)
2024-03-08Try to fix intermittent CI failures in sslapitestBernd Edlinger
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/23705)
2024-03-07QLOG: Fix indentationHugo Landau
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23598)
2024-03-07QUIC: Define error code for stateless resetHugo Landau
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23598)
2024-03-07QUIC: Add documentation for QUIC error codesHugo Landau
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23598)
2024-03-07QUIC: Uniform changes for QUIC error code definitions renameHugo Landau
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23598)
2024-03-07QUIC: Make QUIC transport error codes publicHugo Landau
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23598)
2024-03-07Dont run the self-hosted workflows when not availableBernd Edlinger
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23678)
2024-03-07Gate setting of ipi_spec_dst on not building for freebsdNeil Horman
some variants of FreeBSD (notably Dells OneFS) implement IP_PKTINFO partially, and as such the build breaks for those variants. specifically, it supports IP_PKTINFO, but the in_pktinfo struct has no defined ipi_spec_dst field. Work around this by gating the setting of that variable on not building for FreeBSD Fixes #23739 Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23753)
2024-03-07interop tests: Fedora 39 config, simplify updatesStanislav Zidek
Imitating Fedora 39 configuration in openssl.cnf with SECLEVEL lowered to 0 in order to be able to run TLS 1.3 tests with TLS_AES_128_CCM_8_SHA256. In order to make updating smoother, check out specific tag rather than the branch. This way, "old" tests can be fetched until PR pointing to "new" tests is merged, so backwards-incompatible changes can be done when needed. Files specific for openssl upstream moved to separate directory. CLA: trivial Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23747)
2024-03-07Fix a memory leak on successful load of CRLDmitry Belyavskiy
Fixes #23693 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23695)
2024-03-06QUIC QLOG: Fix ANSIHugo Landau
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23744)
2024-03-06QUIC QLOG: Fix use of sprintfHugo Landau
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23744)
2024-03-06Enable qlog support by defaultHugo Landau
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23744)
2024-03-06Document that unknown groups and sigalgs marked with ? are ignoredTomas Mraz
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/23050)
2024-03-06Add test for ignoring unknown sigalgs and groups marked with ?Tomas Mraz
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/23050)
2024-03-06Allow ignoring unknown sigalgs and groups in the configurationTomas Mraz
Related to #20789 Signature algorithms and groups in the configuration that are preceded with ? character and are unknown to libssl are just ignored. The handling for them is similar to handling of ciphers. I.e., there should be a failure only in case the configuration produces no valid sigalgs or groups. Also ignore duplicate sigalgs and groups as such confiuration errors should not be fatal. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/23050)
2024-03-06apps/cmp: improve -reqin option to read fallback public key from first ↵Dr. David von Oheimb
request message file given Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/21660)
2024-03-06crypto/cmp: add OSSL_CMP_MSG_get0_certreq_publickey(); fix coding style nitDr. David von Oheimb
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/21660)
2024-03-06apps/cmp: extend documentation and diagnostics for using -reqin in special ↵Dr. David von Oheimb
situations Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/21660)
2024-03-06apps/cmp: add -reqout_only option for dumping/saving just the initial CMP ↵Dr. David von Oheimb
request message Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/21660)
2024-03-06apps/cmp.c: refactor to fix some coding style nits and more convenient ↵Dr. David von Oheimb
source-level debugging Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/21660)
2024-03-06cmperr.h: use free reason value 106 rather than 197 for CMP_R_UNEXPECTED_SENDERDr. David von Oheimb
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/21660)
2024-03-02Dump out qlog json if it is malformedNeil Horman
We're still seeing periodic failures in qlog from malformed json output, so lets try to catch it. Modify the verify-qlog.py script to, in the event of an exception in json.loads, to replay the entire json file to the console, followed by an exception indicating what line it died trying to parse. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23715)
2024-03-01Implement PCT for EDDSApohsingwu
According to FIPS 140-3 IG 10.3.A Additonal Comment 1, a PCT shall be performed consistent with the intended use of the keys. This commit implements PCT for EDDSA via performing sign and verify operations after key generated. Also use the same pairwise test logic in EVP_PKEY_keygen and EVP_PKEY_pairwise_check for EDDSA in FIPS_MODULE. Add OSSL_SELF_TEST_DESC_PCT_EDDSA to OSSL_PROVIDER-FIPS page. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23408)
2024-03-01demos/http3: Use `SSL_write_ex2()` together with `SSL_WRITE_FLAG_CONCLUDE`Alexandr Nedvedicky
These calls were introduced by PR #23343. Change also does a minor tweak to Makefile so CFLAGS and LDFLAGS variables from the environment are respected. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23602)
2024-03-01Fix off by one issue in buf2hexstr_sep()shridhar kalavagunta
Fixes #23363 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23404)
2024-02-25Improve documentation of standard IANA cipher suite names.Michael
Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23539)
2024-02-25Add appropriate lower bound checks for GeneralizedTime and UTCTimeJob Snijders
ITU-T X.690 / ISO/IEC 8825-1 section 11.7 and section 11.8 impose specific constraints on how GeneralizedTime and UTCTime can be encoded in BER/CER/DER. Following from these constraints a minimum length can be derived. Checking the length in this context can potentially help prevent applications from interpreting an invalid GeneralizedTime as a valid UTCTime. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23483)
2024-02-25apps/engine: add EC to list of capabilitiesMartin Oliveira
openssl engine -c wasn't showing if an engine implemented EC cla: trivial Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23538)
2024-02-25Ensure `$(MAKE)` commands and `CFLAGS` are appropriately quoted in the Makefile.Hamilton Chapman
If a user's `make` command came from a path that contained a space then both the `$(MAKE)` variable (and parts of the generated `CFLAGS`, when building for iOS) would not be properly quoted and the build would fail. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23663)
2024-02-22Apply the AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100Tom Cosgrove
Performance improvements range from 18% to 32%. Change-Id: Ifb89eeac3c0625a582a25ff07cf7f9c9ec8f5ba6 Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23651)
2024-02-22chachap10-ppc.pl: Fix truncated relocation响马
Fix error: relocation truncated to fit: R_PPC64_REL14 (stub) against symbol `ChaCha20_ctr32_vsx_8x' CLA: trivial Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23618)
2024-02-22SSL_set1_groups_list(): Fix memory corruption with 40 groups and moreMichael Baentsch
Fixes #23624 The calculation of the size for gid_arr reallocation was wrong. A multiplication by gid_arr array item size was missing. Testcase is added. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23625)
2024-02-22s_cb.c: Add missing return value checksMrRurikov
Return value of function 'SSL_CTX_ctrl', that is called from SSL_CTX_set1_verify_cert_store() and SSL_CTX_set1_chain_cert_store(), is not checked, but it is usually checked for this function. CLA: trivial Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23647) (cherry picked from commit 6f794b461c6e16c8afb996ee190e084cbbddb6b8)
2024-02-22Minor wording fixes related to no-atexitTomas Mraz
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/23642) (cherry picked from commit 66e6f72c3e4221580a7f456ddeaa5027f0bbb8b7)
2024-02-21Don't print excessively long ASN1 items in fuzzerMatt Caswell
Prevent spurious fuzzer timeouts by not printing ASN1 which is excessively long. This fixes a false positive encountered by OSS-Fuzz. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/23640)
2024-02-21Extended SSL_SESSION functions using time_tIjtaba Hussain
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21206)
2024-02-20Future proof RLAYER_USE_EXPLICIT_IV by checking dtls versions directly.Frederik Wedel-Heinen
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23611)
2024-02-20Correct the defined name of the parameter "micalg" in the documentationBernd Ritter
The EVP_DigestInit(3) manual page contains wrong name for the define macro for the OSSL_DIGEST_PARAM_MICALG param. Fixes #23580 CLA: trivial Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23615)
2024-02-19Minor updatesHugo Landau
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23535)
2024-02-19Fix warningHugo Landau
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23535)