Add negative integer check when using ASN1_BIT_STRING

The negative integer check is done to prevent potential overflow.
Fixes #20719.

CLA: trivial

Reviewed-by: Tomas Mr

Add negative integer check when using ASN1_BIT_STRING

The negative integer check is done to prevent potential overflow.
Fixes #20719.

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20862)

show more ...

apps: silent warning when loading CSR files with vfyopt option

When verifying or signing a CSR file with the -vfyopt option,
a warning message similar to the following will appear:

apps: silent warning when loading CSR files with vfyopt option

When verifying or signing a CSR file with the -vfyopt option,
a warning message similar to the following will appear:

Warning: CSR self-signature does not match the contents

This happens especially when the SM2 algorithm is used and the
distid parameter is added. Pass the vfyopts parameter to the
do_X509_REQ_verify() function to eliminate the warning message.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20799)

show more ...

speed.c: remove unused num print_message args

these num args went unused with the removal of the ifndef SIGALRM
branches, commit ee1d7f1d25ef24f111f13dc742474cd9c39c2753 Feb 2021
PR

speed.c: remove unused num print_message args

these num args went unused with the removal of the ifndef SIGALRM
branches, commit ee1d7f1d25ef24f111f13dc742474cd9c39c2753 Feb 2021
PR #14228

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20795)

show more ...

rand: trust user supplied entropy when configured without a random source

Fixes #20841

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.

rand: trust user supplied entropy when configured without a random source

Fixes #20841

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/20843)

show more ...

Copy min/max_proto_version from SSL_CTX to SSL only for the same method types

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from ht

Copy min/max_proto_version from SSL_CTX to SSL only for the same method types

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20764)

show more ...

Do not send the empty renegotiation info SCSV in QUIC

There is no point in sending that when min_proto_version is >= TLS1_3_VERSION.
So we set that during SSL_CTX initialization and skip

Do not send the empty renegotiation info SCSV in QUIC

There is no point in sending that when min_proto_version is >= TLS1_3_VERSION.
So we set that during SSL_CTX initialization and skip adding the SCSV.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20764)

show more ...

param->ctrl translation: Fix evp_pkey_ctx_setget_params_to_ctrl()

Ensure that ctx.ctrl_cmd defaults to translation->cmd_num

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-

param->ctrl translation: Fix evp_pkey_ctx_setget_params_to_ctrl()

Ensure that ctx.ctrl_cmd defaults to translation->cmd_num

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20780)

show more ...

param->ctrl translation: Fix fix_ec_paramgen_curve_nid()

This function didn't prepare space to get the param string, which causes
the default_fixup_args() call to fail.

Fixes #2

param->ctrl translation: Fix fix_ec_paramgen_curve_nid()

This function didn't prepare space to get the param string, which causes
the default_fixup_args() call to fail.

Fixes #20161

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20780)

show more ...

Minor fixups

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)

QUIC CC: Update CC design document

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)

QUIC CHANNEL: Fix bug where time callback arg wasn't passed

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/o

QUIC CHANNEL: Fix bug where time callback arg wasn't passed

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)

show more ...

QUIC CC: Use OSSL_PARAM

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)

QUIC CC: Move dummy method to test code

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/

QUIC CC: Move dummy method to test code

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)

show more ...

QUIC CC: Tweaks

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)

QUIC CC: Safe multiplication

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)

QUIC CC: Minor fixes

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)

QUIC: Make QUIC_CHANNEL use newreno CC

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2

QUIC: Make QUIC_CHANNEL use newreno CC

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)

show more ...

QUIC Congestion Control: Tests

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)

QUIC: NewReno congestion controller

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2042

QUIC: NewReno congestion controller

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)

show more ...

QUIC CC: Major revisions to CC abstract interface

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/ope

QUIC CC: Major revisions to CC abstract interface

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)

show more ...

Update the corpora

Updated the fuzz corpora to include a testcase for the zero length
handshake fragment records issue fixed by the previous commit.

Reviewed-by: Todd Short <tod

Update the corpora

Updated the fuzz corpora to include a testcase for the zero length
handshake fragment records issue fixed by the previous commit.

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20824)

show more ...

Release zero length handshake fragment records

If we are processing a hanshake fragment and we end up with a
zero length record, then we still need to release it to avoid an
infinite

Release zero length handshake fragment records

If we are processing a hanshake fragment and we end up with a
zero length record, then we still need to release it to avoid an
infinite loop.

Fixes #20821

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20824)

show more ...

doc: note that the stack find functions no longer modify the stack

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github

doc: note that the stack find functions no longer modify the stack

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20842)

show more ...

x509: sort stacks before finds

x509_trust.c, x509_vpm.c and v3_lib.c don't have a lock for their sorts.
This is no worse than the existing code which sorted silently without locks.

x509: sort stacks before finds

x509_trust.c, x509_vpm.c and v3_lib.c don't have a lock for their sorts.
This is no worse than the existing code which sorted silently without locks.

Addition is quadratic time in by_dir.c and v3_purp.c. However, this
is an improvement over the older O(n^2 log n) code where each find also
sorted the stack. Also note that v3_purp.c is limited to a maximum of
10 items, so quadratic behaviour isn't terrible.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20842)

show more ...

provider_core: sort provider stack on find

Adding all providers is quadratic time because each provider is checked
for being in the stack before adding it. However, this is an improveme

provider_core: sort provider stack on find

Adding all providers is quadratic time because each provider is checked
for being in the stack before adding it. However, this is an improvement
over the older O(n^2 log n) code where each find also sorted the stack.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20842)

show more ...