Age | Commit message (Collapse) | Author |
|
This fixes an issue with a mix of atexit() usage in DLL and statically linked
libcrypto that came out in the test suite on NonStop, which has slightly
different DLL unload processing semantics compared to Linux. The change
allows a build configuration to select whether to register OPENSSL_cleanup()
with atexit() or not, so avoid situations where atexit() registration causes
SIGSEGV.
INSTALL.md and CHANGES.md have been modified to include and describe this
option.
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
Signed-off-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23642)
|
|
Prevent spurious fuzzer timeouts by not printing ASN1 which is excessively
long.
This fixes a false positive encountered by OSS-Fuzz.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23640)
(cherry picked from commit 4a6f70c03182b421d326831532edca32bcdb3fb1)
|
|
The EVP_DigestInit(3) manual page contains wrong name for the define
macro for the OSSL_DIGEST_PARAM_MICALG param.
Fixes #23580
CLA: trivial
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23615)
(cherry picked from commit 5e5c256bbad572cf8d8d9ef9127722ca028d2704)
|
|
Only modify doc/man* in the openssl-3.2 branch.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23583)
|
|
The following files
include/openssl/hpke.h
crypto/hpke/hpke.c
crypto/ec/asm/ecp_sm2p256-armv8.pl
crypto/chacha/asm/chacha-loongarch64.pl
still seem to be released under the OpenSSL License instead of the Apache 2 license.
Fixes #23570
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23576)
(cherry picked from commit e5313f20486f86be42059fce6b0d9e43a35e8655)
|
|
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23586)
(cherry picked from commit c3e8d67885c0c4295cfd1df35a41bf1f3fa9dc37)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23581)
(cherry picked from commit 28c7f52612805c4ec0816ff1310222acd069de7d)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23581)
(cherry picked from commit 5c16e9d384d1d0f4784352633044610a1f264027)
|
|
encoder_process assumes a cleanup function has been set in the currently
in-use encoder during processing, which can lead to segfaults if said
function hasn't been set
Add a NULL check for this condition, returning -1 if it is not set
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23069)
(cherry picked from commit cf57c3ecfa416afbc47d36633981034809ee6792)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23567)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23567)
|
|
QUIC supports the concept of stateless reset, in which a specially
crafted frame is sent to a client informing it that the QUIC state
information is no longer available, and the connection should be closed
immediately. Test for proper client support here
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23559)
|
|
https://www.openssl.org/docs/man3.1/man3/EVP_KDF_CTX.html
The pages for 3.0/3.1/master seem to have the following
EVP_KDF_CTX *EVP_KDF_CTX_new(const EVP_KDF *kdf);
which does not match with the actual header which is
EVP_KDF_CTX *EVP_KDF_CTX_new(EVP_KDF *kdf);
Fixes #23532
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23541)
(cherry picked from commit 4f6133f9db2b9b7ce5e59d8b8ec38202a154c524)
|
|
underlying system running tests
Fixes #22870
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23502)
(cherry picked from commit 09693750601e39574ca7ea335faacfb23bc7282b)
|
|
There was really no need for this to be void and it made bugs very easy
to introduce accidentally, especially given that the free functions
needed to be passed a pointer to the pointer.
Also fix some bugs in the QUIC code detected immediately by this change.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23519)
(cherry picked from commit 62cb7c810e882895a71ba2cc479f482df0aa8e32)
|
|
Fixes #23492
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23507)
(cherry picked from commit d8d19107618dd89c4584996b2bbed32b983d3890)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23503)
(cherry picked from commit cb4f7a6ee053e8c51cf3ac35fee333d1f25552c0)
|
|
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23512)
(cherry picked from commit 76cecff5e9bedb2bafc60062283f99722697082a)
|
|
Configure was recently made to process this sort of line:
DEPEND[generated]=util/perl|OpenSSL/something.pm
Unfortunately, in processing such lines, the order in which paths
were recomputed caused some resulting paths to be faulty under some
circumstances. This change fixes that.
Fixes #22853
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23500)
|
|
Tested on kunpeng920, to turn on 'VPSM4_EX_CAPABLE'.
Signed-off-by: Liu-Ermeng <liuermeng2@huawei.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23317)
(cherry picked from commit 2a2561709ab316584d8b0a6220e244094fe507f5)
|
|
The existing loop pattern did not really run the expected
tests on the duplicated keys.
Fixes #23129
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23292)
(cherry picked from commit 387b93e14907cd8203d6f2c9d78e49df01cb6e1f)
|
|
"Guidelines how to" -> "Guidelines on how to"
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23488)
(cherry picked from commit ea15508b4ffa77d440e3f2c817998271bfeb3b9c)
|
|
This patch is to fix #23368.
Signed-off-by: Xu Yizhou <xuyizhou1@huawei.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23472)
(cherry picked from commit 1751185154ab1f1a796e0f39567fe51c8e24b78d)
|
|
Do not define S390X_MOD_EXP for a NO_ASM build, this would result in
unresolved externals for s390x_mod_exp and s390x_crt.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23458)
(cherry picked from commit a5b0c568dbefddd154f99011d7ce76cfbfadb67a)
|
|
Fixes #21203
CLA: trivial
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23435)
(cherry picked from commit 22f82d457c06289ec66a627a3d11649d83beff88)
|
|
The following files referred to ../liblegacy.a when they should have
referred to ../../liblegacy.a. This cause the creation of a mysterious
directory 'crypto/providers', and because of an increased strictness
with regards to where directories are created, configuration failure
on some platforms.
Fixes #23436
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23452)
|
|
master/3.2 was never vulnerable to CVE-2023-5678 since it was fixed before
it was released.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23432)
(cherry picked from commit afb19f07aecc84998eeea56c4d65f5e0499abb5a)
|
|
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23063)
(cherry picked from commit dbb478a51d3f695ec713e9829a2353a0d2d61a59)
|
|
This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5.
The commit was wrong. With 3.x versions the engines must be themselves
responsible for creating their EVP_PKEYs in a way that they are treated
as legacy - either by using the respective set1 calls or by setting
non-default EVP_PKEY_METHOD.
The workaround has caused more problems than it solved.
Fixes #22945
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23063)
(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380)
|
|
For some reason, those functions (and the _init functions too) would
raise EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE when the passed
ctx is NULL, and then not check if the provider supplied the function
that would support these libcrypto functions.
This corrects the situation, and has all those libcrypto functions
raise ERR_R_PASS_NULL_PARAMETER if ctx is NULL, and then check for the
corresponding provider supplied, and only when that one is missing,
raise EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE.
Because 0 doesn't mean error for EVP_PKEY_verify(), -1 is returned when
ERR_R_PASSED_NULL_PARAMETER is raised. This is done consistently for all
affected functions.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23411)
(cherry picked from commit 5a25177d1b07ef6e754fec1747b57ee90ab1e028)
|
|
bind_afalg calls afalg_aes_cbc which allocates
cipher_handle->_hidden global object(s)
but if one of them fails due to out of memory,
the function bind_afalg relies on the engine destroy
method to be called. But that does not happen
because the dynamic engine object is not destroyed
in the usual way in dynamic_load in this case:
If the bind_engine function fails, there will be no
further calls into the shared object.
See ./crypto/engine/eng_dyn.c near the comment:
/* Copy the original ENGINE structure back */
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23409)
(cherry picked from commit 729a1496cc4cda669dea6501c991113c78f04560)
|
|
The parameter list for CRYPTO_DOWN_REF for the icc on windows build was
incorrect.
This issue was introduced by 99fd5b2b10
Fixes #23414
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23415)
(cherry picked from commit 20ddfe78e9ddc0aba8208616e1b0b33cb12f77f5)
|
|
SSL_clear() explicitly clears an SSL object to enable it to be reused.
You can have a similar effect by calling SSL_set_accept_state() or
SSL_set_connect_state(). We extend the testing of SSL_clear() to use these
other methods. We also ensure we test the case where we have unread
bufferred data that needs to be cleared.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23256)
(cherry picked from commit 5de8c49d6c019ad93149871989b755b5cc7b821c)
|
|
Freeing the QUIC TLS object may make calls back into QUIC so we should
free it first.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23256)
(cherry picked from commit f7f2b665cf91650deb28beb1145ea3eca7df67aa)
|
|
The TLS object may make callbacks into QUIC during cleanup so we must
free it first.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23256)
(cherry picked from commit fa4b1151c829b8be1d83cb49c9809d3a4f59fb03)
|
|
We had two functions which were very similarly named, that did almost the
same thing, but not quite. We bring the two together. Doing this also fixes
a possible bug where some data may not be correctly freed when the
RECORD_LAYER_clear() version was used.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23256)
(cherry picked from commit 4a0e4849af1588dfe9d7e01738acc96799b83447)
|
|
Using the client one when the server once should be used could cause a
later call to SSL_set_accept_state() to unexpectedly fail.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23256)
(cherry picked from commit a86714041d8a5868c629e9027e28c6d1dacde5f9)
|
|
When we clear the record layer, we better make sure we clear all relevant
fields, otherwise we can get ourselves into an unexpected state.
Fixes #23255
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23256)
(cherry picked from commit 5fb065589d3a4dfeeb6d48b0561ab3145ceb2127)
|
|
Coverity issue 1453632 noted a missing null check in kdf_test_ctrl
recently. If a malformed value is passed in from the test file that
does not contain a ':' character, the p variable will be NULL, leading
to a NULL derefence prepare_from_text
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23398)
(cherry picked from commit 6ca1d3ee81b61bc973e4e1079ec68ac73331c159)
|
|
Bumps [suisei-cn/actions-download-file](https://github.com/suisei-cn/actions-download-file) from 1.4.0 to 1.6.0.
- [Release notes](https://github.com/suisei-cn/actions-download-file/releases)
- [Commits](https://github.com/suisei-cn/actions-download-file/compare/v1.4.0...v1.6.0)
---
updated-dependencies:
- dependency-name: suisei-cn/actions-download-file
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23425)
(cherry picked from commit 62ecad5378067ab1f702ef2381c2f4a279d15250)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
(Merged from https://github.com/openssl/openssl/pull/23422)
|
|
The failure would be caught later on, so this went unnoticed, until someone
tried with just one hex digit, which was simply ignored.
Fixes #23373
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23374)
(cherry picked from commit ea6268cfceaba24328d66bd14bfc97c4fac14a58)
|
|
PKCS7 ContentInfo fields held within a PKCS12 file can be NULL, even if the
type has been set to a valid value. CVE-2024-0727 is a result of OpenSSL
attempting to dereference the NULL pointer as a result of this.
We add test for various instances of this problem.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23361)
(cherry picked from commit 8a85df7c60ba1372ee98acc5982e902d75f52130)
|
|
PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
optional and can be NULL even if the "type" is a valid value. OpenSSL
was not properly accounting for this and a NULL dereference can occur
causing a crash.
CVE-2024-0727
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23361)
(cherry picked from commit 041962b429ebe748c8b6b7922980dfb6decfef26)
|
|
if the private key is output to stdout using the HARNESS_OSSL_PREFIX,
out is a stack of BIOs and must therefore free'd using BIO_free_all.
Steps to reproduce:
$ HARNESS_OSSL_PREFIX=x OPENSSL_CONF=apps/openssl.cnf util/shlib_wrap.sh apps/openssl req -new -keyout - -passout pass: </dev/null
[...]
Direct leak of 128 byte(s) in 1 object(s) allocated from:
#0 0x7f6f692b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7f6f686eda00 in CRYPTO_malloc crypto/mem.c:202
#2 0x7f6f686edba0 in CRYPTO_zalloc crypto/mem.c:222
#3 0x7f6f68471bdf in BIO_new_ex crypto/bio/bio_lib.c:83
#4 0x7f6f68491a8f in BIO_new_fp crypto/bio/bss_file.c:95
#5 0x555c5f58b378 in dup_bio_out apps/lib/apps.c:3014
#6 0x555c5f58f9ac in bio_open_default_ apps/lib/apps.c:3175
#7 0x555c5f58f9ac in bio_open_default apps/lib/apps.c:3203
#8 0x555c5f528537 in req_main apps/req.c:683
#9 0x555c5f50e315 in do_cmd apps/openssl.c:426
#10 0x555c5f4c5575 in main apps/openssl.c:307
#11 0x7f6f680461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: 128 byte(s) leaked in 1 allocation(s).
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23365)
(cherry picked from commit ff78d94b131d7bb3b761509d3ce0dd864b1420e3)
|
|
actions-rs/toolchain is unmaintained and generates warnings
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23232)
(cherry picked from commit cd5911a6b300453eefb4b6d9d797c9d1cdefb956)
|