Add NULL check before accessing PKCS7 encrypted algorithm

Printing content of an invalid test certificate causes application crash, because of NULL dereference:

user@user:~/openssl$

Add NULL check before accessing PKCS7 encrypted algorithm

Printing content of an invalid test certificate causes application crash, because of NULL dereference:

user@user:~/openssl$ openssl pkcs12 -in test/recipes/80-test_pkcs12_data/bad2.p12 -passin pass: -info
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: Segmentation fault (core dumped)

Added test cases for pkcs12 bad certificates

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23632)

show more ...

Replace size_t with int and add the check for the EVP_MD_get_size()

Replace the type of "digest_size" with int to avoid implicit conversion when it is assigned by EVP_MD_get_size().
More

Replace size_t with int and add the check for the EVP_MD_get_size()

Replace the type of "digest_size" with int to avoid implicit conversion when it is assigned by EVP_MD_get_size().
Moreover, add the check for the "digest_size".

Fixes: 29ce1066bc ("Update the demos/README file because it is really old. New demos should provide best practice for API use. Add demonstration for computing a SHA3-512 digest - digest/EVP_MD_demo")
Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23924)

show more ...

Replace unsigned with int

Replace the type of "digest_length" with int to avoid implicit conversion when it is assigned by EVP_MD_get_size().
Otherwise, it may pass the following check a

Replace unsigned with int

Replace the type of "digest_length" with int to avoid implicit conversion when it is assigned by EVP_MD_get_size().
Otherwise, it may pass the following check and cause the integer overflow error when EVP_MD_get_size() returns negative numbers.
Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23922)

show more ...

fix demos/sslecho/main.c so it builds on OpenBSD too

trying to build `demos/sslecho/main.c` shipped by current openssl
fails with error as follows:
```
cc -I../../include -g -Wal

fix demos/sslecho/main.c so it builds on OpenBSD too

trying to build `demos/sslecho/main.c` shipped by current openssl
fails with error as follows:
```
cc -I../../include -g -Wall -c -o main.o main.c
main.c:35:24: error: variable has incomplete type 'struct sockaddr_in'
struct sockaddr_in addr;
^
main.c:35:12: note: forward declaration of 'struct sockaddr_in'
struct sockaddr_in addr;
^
main.c:46:32: error: use of undeclared identifier 'INADDR_ANY'
addr.sin_addr.s_addr = INADDR_ANY;
^
main.c:152:24: error: variable has incomplete type 'struct sockaddr_in'
struct sockaddr_in addr;
^
main.c:152:12: note: forward declaration of 'struct sockaddr_in'
struct sockaddr_in addr;
^
3 errors generated.
gmake: *** [<builtin>: main.o] Error 1
```

including `netinet/in.h` fixes the build

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23936)

show more ...

Add 3.3 and 3.2 branches to Coveralls builds

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org

Add 3.3 and 3.2 branches to Coveralls builds

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23938)

show more ...

Correct OSSL_sleep for NonStop PUT model by introducing sleep().

This fix also removes SPT model support as it was previously deprecated.
Upcoming threading models on the platform should

Correct OSSL_sleep for NonStop PUT model by introducing sleep().

This fix also removes SPT model support as it was previously deprecated.
Upcoming threading models on the platform should be supportable without change
to this method.

Fixes: #23923
Fixes: #23927
Fixes: #23928

Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23926)

show more ...

Don’t use the recvmmsg dgram method on Android <5

recvmmsg and sendmmsg were only added to Android’s C library in version 5, starting with API Level 21.

Reviewed-by: Neil Horman <nh

Don’t use the recvmmsg dgram method on Android <5

recvmmsg and sendmmsg were only added to Android’s C library in version 5, starting with API Level 21.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23754)

show more ...

Fixed a typo and grammar in openssl-ts.pod

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(M

Fixed a typo and grammar in openssl-ts.pod

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23913)

show more ...

fix uploading artifacts for paramertrized jobs

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.or

fix uploading artifacts for paramertrized jobs

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23933)

show more ...

Make counters in rcu/rw threads torture test 64 bit

Its possible in some conditions for the rw/rcu torture tests to wrap the
counter, leading to false positive failures, make them 64 bit

Make counters in rcu/rw threads torture test 64 bit

Its possible in some conditions for the rw/rcu torture tests to wrap the
counter, leading to false positive failures, make them 64 bits to avoid
this

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23724)

show more ...

Add M1 macOS runner to some workflows

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/

Add M1 macOS runner to some workflows

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23724)

show more ...

riscv: Fix remaining asm checks

There are additional asm checks which don't check for OPENSSL_CPUID_OBJ
causing the build to still fail on riscv [1], so fix them in the same
manner a

riscv: Fix remaining asm checks

There are additional asm checks which don't check for OPENSSL_CPUID_OBJ
causing the build to still fail on riscv [1], so fix them in the same
manner as ff279597692f9f19dca5b147944d3d96f2e109f8

[1] https://bugs.gentoo.org/923956
Fixes: https://github.com/openssl/openssl/issues/22871

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23752)

(cherry picked from commit daf1f8d64fff4a395ee7cf032484dc022a27e748)

show more ...

Update FIPS hmac key documentation

The documentation is slightly incorrect about the FIPS hmac key.

CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Rev

Update FIPS hmac key documentation

The documentation is slightly incorrect about the FIPS hmac key.

CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23846)

show more ...

Move artifact upload code into the shell script

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

Move artifact upload code into the shell script

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23551)

show more ...

Experimental support for uploading qlog artifacts

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

Experimental support for uploading qlog artifacts

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23551)

show more ...

Fix unbounded memory growth when using no-cached-fetch

When OpenSSL has been compiled with no-cached-fetch we do not cache
algorithms fetched from a provider. When we export an EVP_PKEY

Fix unbounded memory growth when using no-cached-fetch

When OpenSSL has been compiled with no-cached-fetch we do not cache
algorithms fetched from a provider. When we export an EVP_PKEY to a
provider we cache the details of that export in the operation cache for
that EVP_PKEY. Amoung the details we cache is the EVP_KEYMGMT that we used
for the export. When we come to reuse the key in the same provider that
we have previously exported the key to, we check the operation cache for
the cached key data. However because the EVP_KEYMGMT instance was not
cached then instance will be different every time and we were not
recognising that we had already exported the key to the provider.

This causes us to re-export the key to the same provider everytime the key
is used. Since this consumes memory we end up with unbounded memory growth.

The fix is to be more intelligent about recognising that we have already
exported key data to a given provider even if the EVP_KEYMGMT instance is
different.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23841)

show more ...

Try to fix intermittent CI failures in quic_multistream test

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/

Try to fix intermittent CI failures in quic_multistream test

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23807)

show more ...

plug potential memory leak in error code path

Function `module_add()` may leak stack of modules when
it fails to initialize newly added module.

Fixes #23835

Reviewed-by

plug potential memory leak in error code path

Function `module_add()` may leak stack of modules when
it fails to initialize newly added module.

Fixes #23835

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23836)

show more ...

Raise the AFL_MAP_SIZE to accommodate future growth

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openss

Raise the AFL_MAP_SIZE to accommodate future growth

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23851)

show more ...

82-test_ocsp_cert_chain.t: Just ignore unrecognized lines in server output

There might be warnings from AFL fuzz checker
or other warnings that we do not care about.

For success

82-test_ocsp_cert_chain.t: Just ignore unrecognized lines in server output

There might be warnings from AFL fuzz checker
or other warnings that we do not care about.

For success it is just required that cert_status: ocsp response sent:
is present.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23851)

show more ...

Minor docfix for OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines(3)

Also removal of duplicate assignment and addition of comment
in test/http_test.c

Follow up change to PR #23781

Minor docfix for OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines(3)

Also removal of duplicate assignment and addition of comment
in test/http_test.c

Follow up change to PR #23781

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23837)

show more ...

Set AFL_MAP_SIZE to avoid crash in the AFL CI job

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@open

Set AFL_MAP_SIZE to avoid crash in the AFL CI job

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23843)

show more ...

Add a test using the bandwidth limit filter

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/open

Add a test using the bandwidth limit filter

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23588)

show more ...

Add support for bandwidth limitation in noisydgram BIO filter

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://githu

Add support for bandwidth limitation in noisydgram BIO filter

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23588)

show more ...

bio_f_noisy_dgram_filter(): Fix typo

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pul

bio_f_noisy_dgram_filter(): Fix typo

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23588)

show more ...