summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Change "a SSL" to "an SSL"Andrew Dinh2024-11-1330-40/+40
| | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/25868)
* test_hashtable_multithread(): Stress it moreTomas Mraz2024-11-131-7/+8
| | | | | | Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Hugo Landau <hlandau@devever.net> (Merged from https://github.com/openssl/openssl/pull/25669)
* Use test_random() in hashtable mt test for reproducibilityTomas Mraz2024-11-131-18/+18
| | | | | | Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Hugo Landau <hlandau@devever.net> (Merged from https://github.com/openssl/openssl/pull/25669)
* Fix doc and use of_X509v3_add_extensions() in case ↵Dr. David von Oheimb2024-11-134-9/+10
| | | | | | | | sk_X509_EXTENSION_num(exts) <= 0 Reviewed-by: Hugo Landau <hlandau@devever.net> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25631)
* Add test for SSL_stream_resetNeil Horman2024-11-131-4/+33
| | | | | | | | | | | | Add a test to the quic_multistream test suite to reset a stream after all data has been received by a given stream, ensuring that we don't crash in the reset operation Fixes #25410 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25910)
* Fix SSL_stream_reset for stream objects which have FIN bit setNeil Horman2024-11-131-2/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When calling SSL_stream_reset on a QUIC stream object that has received all data that is expected to be sent (i.e. when the sender has sent a STREAM frame with the FIN bit set), we encounter the following segfault: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7f0bd28 in ossl_quic_sstream_get_final_size (qss=0x0, final_size=0x0) at ssl/quic/quic_sstream.c:273 273 if (!qss->have_final_size) (gdb) bt 0) 0x00007ffff7f0bd28 in ossl_quic_sstream_get_final_size (qss=0x0, final_size=0x0) at ssl/quic/quic_sstream.c:273 1) 0x00007ffff7ef65bf in quic_validate_for_write (xso=0x5555555efcb0, err=0x7fffffffd5e0) at ssl/quic/quic_impl.c:2513 2) 0x00007ffff7ef8ae3 in ossl_quic_stream_reset (ssl=0x5555555efcb0, args=0x0, args_len=0) at ssl/quic/quic_impl.c:3657 3) 0x00007ffff7ebdaa6 in SSL_stream_reset (s=0x5555555efcb0, args=0x0, args_len=0) at ssl/ssl_lib.c:7635 4) 0x0000555555557527 in build_request_set ( req_list=0x55555555ebd0 "neil1.txt neil2.txt neil3.txt neil4.txt neil5.txt neil6.txt neil7.txt neil8.txt neil9.txt neil10.txt neil11.txt neil12.txt neil13.txt neil14.txt neil15.txt neil16.txt neil17.txt neil18.txt neil19.txt "..., ssl=0x5555555b6f80) at demos/guide/quic-hq-interop.c:545 5) 0x00005555555587b2 in main (argc=4, argv=0x7fffffffe568) at demos/guide/quic-hq-interop.c:941 This occurs because: 1) When the stream FIN bit is set, the quic stack frees the underlying stream structures immediately within the QUIC stack and 2) when SSL_stream_reset is called, the call stack indicates we call quic_validate_for_write, which attempts to access the xso->stream->sstream QUIC_SSTREAM object, which was already freed in (1) The fix I think is pretty straightforward. On receipt of a STREAM frame with a FIN bit set, the QUIC stack sets the QUIC_STREAM object state to QUIC_SSTREAM_STATE_DATA_RECVD, which means we can use that state to simply assert that the stream is valid for write, which allows it to be reset properly. Fixes #25410 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25910)
* Adjustments for the on schedule workflowsTomas Mraz2024-11-138-24/+25
| | | | | | | | | | | | Run them all after 02:00 UTC. Add possibility to run them on workflow_dispatch. Add branch 3.4 to the coveralls.yml. Remove the branches from os-zoo.yml as it is possible to run on them manually from workflow_dispatch. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/25765)
* Fix memleaks in cmd_RecordPadding()Holger Dengler2024-11-131-8/+7
| | | | | | | | | | | | | Free the internal copy of parameter `value` on each early exit. Fixes #25906 Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25926)
* feat: define and use ossl_bio_print_hexJonathan M. Wilbur2024-11-135-43/+58
| | | | | | Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25429)
* test: the attributeDescriptor X.509v3 extensionJonathan M. Wilbur2024-11-132-1/+36
| | | | | | Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25429)
* doc: the attributeDescriptor X.509v3 extensionJonathan M. Wilbur2024-11-133-0/+50
| | | | | | Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25429)
* feat: support the attributeDescriptor X.509v3 extensionJonathan M. Wilbur2024-11-135-1/+233
| | | | | | Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25429)
* txp_generate_stream_frames(): Set stream id in header early enoughTomas Mraz2024-11-121-1/+1
| | | | | | | | | | | | | Otherwise we will calculate an incorrect header size for higher stream ids and won't fit the frame into the packet. Fixes #25417 Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25928)
* APPS/load_key_certs_crls(): refactor to clean up the code a little and add ↵Dr. David von Oheimb2024-11-121-8/+38
| | | | | | | | | clarifying comments Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@devever.net> (Merged from https://github.com/openssl/openssl/pull/22528)
* openssl-pkeyutl.pod.in: improve description of -rawin and -digest optionsDr. David von Oheimb2024-11-092-24/+49
| | | | | | | | Fixes #25827 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25831)
* openssl-pkeyutl.pod.in: add that -sign is default op, update claim on hash ↵Dr. David von Oheimb2024-11-091-7/+13
| | | | | | | | needed for -sign/-verify, etc. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25831)
* APPS/pkeyutl: add missing high-level check for -verifyrecover being usable ↵Dr. David von Oheimb2024-11-092-5/+18
| | | | | | | | only with RSA Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/25903)
* APPS/pkeyutl: remove wrong check for -verifyrecover regarding too long ↵Dr. David von Oheimb2024-11-092-6/+11
| | | | | | | | | | sign/verify input Fixed #25898 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/25903)
* Add a test for setting TLSv1.2 ciphersuites on a QUIC objectMatt Caswell2024-11-081-1/+11
| | | | | | Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25886)
* Don't complain with "no cipher match" for QUIC objectsMatt Caswell2024-11-081-3/+5
| | | | | | | | | | | | | | Calling the functions SSL_CTX_set_cipher_list() or SSL_set_cipher_list() will return the error "no cipher match" if no TLSv1.2 (or below) ciphers are enabled after calling them. However this is normal behaviour for QUIC objects which do not support TLSv1.2 ciphers. Therefore we should suppress that error in this case. Fixes #25878 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25886)
* Add a test for the new_session_cb from a QUIC objectMatt Caswell2024-11-071-0/+72
| | | | | | | | | Setting a new_session_cb should work for a QUIC object just as it does with a normal TLS object. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25874)
* Make sure we use the correct SSL object when making a callbackMatt Caswell2024-11-0716-72/+87
| | | | | | | | | | | | | When processing a callback within libssl that applies to TLS the original SSL object may have been created for TLS directly, or for QUIC. When making the callback we must make sure that we use the correct SSL object. In the case of QUIC we must not use the internal only SSL object. Fixes #25788 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25874)
* Keep hold of a reference to the user SSL in QUICMatt Caswell2024-11-074-5/+17
| | | | | | | | | | In some cases a QUIC SSL_CONNECTION object needs to get hold of a reference to the original SSL object as created by the user. We should keep a reference to it. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25874)
* Bugfixes for params to legacy control translations for EC parametersVladimirs Ambrosovs2024-11-071-1/+11
| | | | | | | | | | | | | | | | | | | | | | param->ctrl translation: Fix fix_ecdh_cofactor() In POST_PARAMS_TO_CTRL state the fix_ecdh_cofactor() function should return value in ctx->p1 param->ctrl translation: fix evp_pkey_ctx_setget_params_to_ctrl return Since some of the ctrl operations may return 0 as valid value (e.g. ecdh_cofactor value 0 is valid setting), before colling POST_PARAMS_TO_CTRL, we need to check return value for 0 as well otherwise the evp_pkey_ctx_setget_params_to_ctrl function fails without a chance to fix the return value param->ctrl translation: Set ecdh_cofactor default action_type GET Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22587)
* Adjust naming authority formatting when printing out admission extensionoleg.hoefling2024-11-071-18/+16
| | | | | | | | | | | Indent namingAuthority section with two spaces to match the parent node. Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25814)
* Fix memory leak on failure in copy_issuer()Niels Dossche2024-11-071-1/+2
| | | | | | | | | When sk_GENERAL_NAME_reserve() fails, ialt is not freed. Add the freeing operation in the common error path. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25876)
* Remove unnecessary sk_GENERAL_NAME_free() calls on NULLNiels Dossche2024-11-051-3/+0
| | | | | | | | | There are several calls to sk_GENERAL_NAME_free() where the argument is actually NULL, there are not necessary. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25877)
* x509: add a newline after printing Full NameCeleste Liu2024-11-051-0/+1
| | | | | | | | | | | | We forget it in 58301e24f66aa74b13b85a171dd14e6088c35662. Fixes #25853 CLA: trivial Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25854)
* interop-tests.yml: Update to Fedora 40 and fix provisioning breakageTomas Mraz2024-11-051-2/+2
| | | | | | | Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25847)
* Fix uses of `EVP_PKEY_Q_keygen` with `size_t` variadic argumentArtSin2024-11-054-4/+4
| | | | | | | | | | | Fix cases where `int` argument was passed instead of `size_t`. CLA: trivial Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25857)
* Fix the default_md example in the ca docsMatt Caswell2024-11-051-1/+1
| | | | | | | | We should not have an example showing the default_md as md5. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25856)
* Document extensibility of -groups parameter via providersMichael Baentsch2024-11-041-5/+8
| | | | | | | | Also add brainpool curves Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25821)
* Remove two unused union members from struct x509_object_st.Gábor Tóthvári2024-11-042-4/+2
| | | | | | | | CLA: trivial Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25826)
* Use correct alerts for some cert comp errorsTodd Short2024-11-041-4/+12
| | | | | | | | | | Fixes #25471 Signed-off-by: Todd Short <todd.short@me.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25845)
* Support DEFAULT keyword and '-' prefix in SSL_CTX_set1_groups_list()Frederik Wedel-Heinen2024-11-044-13/+130
| | | | | | | | Fixes #25790 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25813)
* APPS/pkeyutl: strengthen error message on too long sign/verify inputDr. David von Oheimb2024-11-041-6/+8
| | | | | | Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22910)
* APPS/pkeyutl: -digest implies -rawin and can only be used with -sign and -verifyDr. David von Oheimb2024-11-043-19/+25
| | | | | | Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22910)
* APPS/pkeyutl: improve -rawin usability (implied by Ed25519 and Ed448) and docDr. David von Oheimb2024-11-044-57/+122
| | | | | | Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22910)
* CHANGES.md: re-word 'app' to 'command' and 'apps' to 'commands' for consistencyDr. David von Oheimb2024-11-041-5/+6
| | | | | | Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22910)
* apps/speed.c: Fix the benchmarking for AEAD ciphersMohammed Alhabib2024-11-041-75/+285
| | | | | | | | | | | | | | | | Fixed the benchmarking for the evp aead interface for ccm, gcm, ocb, and siv, where decryption fails when executing `openssl speed -evp aes-128-ccm -decrypt` and `openssl speed -evp aes-128-gcm -decrypt`. Related issues are [24686](https://github.com/openssl/openssl/issues/24686) and [24250](https://github.com/openssl/openssl/issues/24250). Now both encryption and decryption, with or without AAD, executes correctly without issues. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25823)
* apps: Change default cipher to aes-256-cbc for req, cms and smime appsAditya2024-11-048-33/+31
| | | | | | | | | | | | Update `CHANGES.md` and `NEWS.md`; remove `no-des` guard from req, cms, and smime apps Update MAN pages for default cipher; fix styling by removing braces around single statements Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25839)
* Fix incorrect openssl-smime doc sample command for encryptZheyu Shen2024-11-011-2/+2
| | | | | | | | | | Original documented sample command causes error. PEM recipient cert argument needs to go last. CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25829)
* speed.c: Check for 0 block sizeTomas Mraz2024-10-311-1/+6
| | | | | | | | | | | | | Although this cannot really happen check for 0 block size to avoid division by 0. Fixes Coverity 1633936 Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25822)
* Fix potential memory leak in OSSL_HPKE_CTX_new()Niels Dossche2024-10-301-0/+1
| | | | | | | | | | | ctx->propq is a duplicated string, but the error code does not free the duplicated string's memory. If e.g. EVP_CIPHER_fetch() fails then we can leak the string's memory. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25812)
* test: Add test cases for req -cipher optionAditya2024-10-302-2/+51
| | | | | | Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25796)
* req: Add -cipher option to specify private key encryption cipherAditya2024-10-302-1/+22
| | | | | | Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25796)
* Remove sslkeylog file setup from quic-hq-interopNeil Horman2024-10-301-97/+0
| | | | | | | | | | | | | Now that libcrypto supports the user of SSLKEYLOGFILE, the interop demo attempts to open the same file based on the same env variable. The hq-interop-demo code can just be removed, and it fixes the open failure when both libcrypto and hq-interop attempt to open and write the same file, which is causing the nightly failure Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25819)
* fix: util/check-format-commit.sh - fix ending checkRichard Levitte2024-10-301-1/+1
| | | | | | | | | Look at the end result instead of the file name it's stored in Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25810)
* output negotiated TLS1.3 groupMichael Baentsch2024-10-301-5/+6
| | | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25808)
* speed.c: Check block size before running EVP_Cipher_loop()Tomas Mraz2024-10-281-0/+23
| | | | | | | | Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/25792)
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-03 14:35:04 +0100