evp_pkey_ctx_setget_params_to_ctrl(): Always properly set ctx.action_type

Fixes #24698

Some applicable translations are bidirectional so they have
NONE action_type. However we n

evp_pkey_ctx_setget_params_to_ctrl(): Always properly set ctx.action_type

Fixes #24698

Some applicable translations are bidirectional so they have
NONE action_type. However we need to set the real action_type
in the ctx.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24709)

show more ...

Adapt all the exporter files to the new vars from util/mkinstallvars.pl

With this, the pkg-config files take better advantage of relative directory
values.

Fixes #24298

Adapt all the exporter files to the new vars from util/mkinstallvars.pl

With this, the pkg-config files take better advantage of relative directory
values.

Fixes #24298

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24687)

show more ...

Give util/mkinstallvars.pl more fine grained control over var dependencies

Essentially, we try to do what GNU does. 'prefix' is used to define the
defaults for 'exec_prefix' and 'libdir

Give util/mkinstallvars.pl more fine grained control over var dependencies

Essentially, we try to do what GNU does. 'prefix' is used to define the
defaults for 'exec_prefix' and 'libdir', and these are then used to define
further directory values. util/mkinstallvars.pl is changed to reflect that
to the best of our ability.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24687)

show more ...

Fix memory leak in x509_req_test

Running the x509_req_test with address sanitizer shows a memory leak:

==186455==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 53 by

Fix memory leak in x509_req_test

Running the x509_req_test with address sanitizer shows a memory leak:

==186455==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 53 byte(s) in 1 object(s) allocated from:
#0 0x3ffad5f47af in malloc (/lib64/libasan.so.8+0xf47af) (BuildId: 93b3d2536d76f772a95880d76c746c150daabbee)
#1 0x3ffac4214fb in CRYPTO_malloc crypto/mem.c:202
#2 0x3ffac421759 in CRYPTO_zalloc crypto/mem.c:222
#3 0x100e58f in test_mk_file_path test/testutil/driver.c:450
#4 0x1004671 in test_x509_req_detect_invalid_version test/x509_req_test.c:32
#5 0x100d247 in run_tests test/testutil/driver.c:342
#6 0x10042e3 in main test/testutil/main.c:31
#7 0x3ffaad34a5b in __libc_start_call_main (/lib64/libc.so.6+0x34a5b) (BuildId: 461b58df774538594b6173825bed67a9247a014d)
#8 0x3ffaad34b5d in __libc_start_main@GLIBC_2.2 (/lib64/libc.so.6+0x34b5d) (BuildId: 461b58df774538594b6173825bed67a9247a014d)
#9 0x1004569 (/root/openssl/test/x509_req_test+0x1004569) (BuildId: ab6bce0e531df1e3626a8f506d07f6ad7c7c6d57)
SUMMARY: AddressSanitizer: 53 byte(s) leaked in 1 allocation(s).

The certFilePath that is obtained via test_mk_file_path() must be freed when
no longer used.

While at it, make the certFilePath variable a local variable, there is no need
to have this a global static variable.

Fixes: https://github.com/openssl/openssl/commit/7d2c0a4b1feb152ee1190dfedc65dfd1c928f9e5

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24715)

show more ...

bio_ssl.c: Do not call SSL_shutdown if not inited

Fixes #4545

If free is called for an SSL BIO that is in initialization phase,
the `SSL_shutdown` call is omitted.

Revi

bio_ssl.c: Do not call SSL_shutdown if not inited

Fixes #4545

If free is called for an SSL BIO that is in initialization phase,
the `SSL_shutdown` call is omitted.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24705)

show more ...

Fix usage of deallocated EVP_RAND_CTX after execution of FIPS on-demand self tests

Once RNG is used, triggering FIPS on-demand self tests (via
OSSL_PROVIDER_self_test() API) crashes the

Fix usage of deallocated EVP_RAND_CTX after execution of FIPS on-demand self tests

Once RNG is used, triggering FIPS on-demand self tests (via
OSSL_PROVIDER_self_test() API) crashes the application. This happens because the
RNG context is stored before self tests, and restored after their execution.
In the meantime - before context restoration - RAND_set0_private() function is
called, which decrements the stored RNG context reference counter and frees it.
To resolve the issue, the stored RNG context refcount has been incremented via
the EVP_RAND_CTX_up_ref() API to avoid its deallocation during the RNG context
switch performed by the self test function.
The provider_status_test test has been updated to reproduce the issue as
a regression test.

Signed-off-by: Karol Brzuskiewicz <kabr@arista.com>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24599)

show more ...

Allow calling OPENSSL_INIT_free() with NULL argument

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.

Allow calling OPENSSL_INIT_free() with NULL argument

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24681)

show more ...

stricter parser for ipv4_from_asc

reject invalid IPv4 addresses in ipv4_from_asc

The old scanf-based parser accepted all kinds of invalid inputs like:
"1.2.3.4.5"
"1.2.3.4 "

stricter parser for ipv4_from_asc

reject invalid IPv4 addresses in ipv4_from_asc

The old scanf-based parser accepted all kinds of invalid inputs like:
"1.2.3.4.5"
"1.2.3.4 "
"1.2.3. 4"
" 1.2.3.4"
"1.2.3.4."
"1.2.3.+4"
"1.2.3.4.example.test"
"1.2.3.01"
"1.2.3.0x1"
Thanks to Amir Mohamadi for pointing this out.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24438)

show more ...

Add Provider compatibility on PR CI job

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pul

Add Provider compatibility on PR CI job

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24537)

show more ...

Support subjectDirectoryAttributes and associatedInformation exts

Added tests for SDA and AI extensions.
Added internal function ossl_print_attribute_value() with documentation.

Support subjectDirectoryAttributes and associatedInformation exts

Added tests for SDA and AI extensions.
Added internal function ossl_print_attribute_value() with documentation.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24669)

show more ...

Fix typos found by codespell

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/24691)

Extend `mask` of `ssl_method_st` to 64-bit

Fixes #23260: The bit count for `SSL_OP_*` flags has exceeded 32 bits, making it impossible to handle newer flags and protocol extensions with the

Extend `mask` of `ssl_method_st` to 64-bit

Fixes #23260: The bit count for `SSL_OP_*` flags has exceeded 32 bits, making it impossible to handle newer flags and protocol extensions with the existing 32-bit variables. This commit extends the `mask` field in the `ssl_method_st` structure to 64-bit, aligning them with the previously extended 64-bit `options` field.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24692)

show more ...

[DOCS] Correct history in doc/man3/OSSL_STORE_LOADER.pod

Bulk editing had history wrongly specify current functions as deprecated,
among other small errors.

Fixes #24678

[DOCS] Correct history in doc/man3/OSSL_STORE_LOADER.pod

Bulk editing had history wrongly specify current functions as deprecated,
among other small errors.

Fixes #24678

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24680)

show more ...

Make x509_req_test ANSI Compatible

Update the `x509_req_test` to ensure ANSI compatibility. The integrated certificate string was too long, so the PEM certificate has been moved to `certs/x5

Make x509_req_test ANSI Compatible

Update the `x509_req_test` to ensure ANSI compatibility. The integrated certificate string was too long, so the PEM certificate has been moved to `certs/x509-req-detect-invalid-version.pem`. The test have been updated to load this certificate from the file on disk.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24677)

show more ...

Add Test for Verification Failure on Incorrect X509 Version

Tests #5738: Introduce a new test to verify that a malformed X509 request with the version field set to version 6 fails either ear

Add Test for Verification Failure on Incorrect X509 Version

Tests #5738: Introduce a new test to verify that a malformed X509 request with the version field set to version 6 fails either early when reading from data or later when `X509_REQ_verify` is called.
Adding a new test recipe `60-test_x509_req.t`

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24677)

show more ...

Add Version Check for CSR Verification

Fixes #5738: This change introduces a check for the version number of a CSR document before its signature is verified. If the version number is not 1 (

Add Version Check for CSR Verification

Fixes #5738: This change introduces a check for the version number of a CSR document before its signature is verified. If the version number is not 1 (encoded as zero), the verification function fails with an `X509_R_UNSUPPORTED_VERSION` error.

To minimize impact, this check is only applied when verifying a certificate signing request using the `-verify` argument, resulting in a `X509_REQ_verify` call. This ensures that malformed certificate requests are rejected by a certification authority, enhancing security and preventing potential issues.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24677)

show more ...

s_client: use the full buffer for reads

Use full allocated buffer for reads to not call into switch() over and
over; also increase the size of the buffer to 16 kiB (max for TLS
recor

s_client: use the full buffer for reads

Use full allocated buffer for reads to not call into switch() over and
over; also increase the size of the buffer to 16 kiB (max for TLS
records). The server side already is using 16 kiB buffers.

Signed-off-by: Hubert Kario <hkario@redhat.com>

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24688)

show more ...

Fix regression of EVP_PKEY_CTX_add1_hkdf_info() with older providers

If there is no get_ctx_params() implemented in the key exchange
provider implementation the fallback will not work. I

Fix regression of EVP_PKEY_CTX_add1_hkdf_info() with older providers

If there is no get_ctx_params() implemented in the key exchange
provider implementation the fallback will not work. Instead
check the gettable_ctx_params() to see if the fallback should be
performed.

Fixes #24611

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24661)

show more ...

Incorporate more review feedback

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged f

Incorporate more review feedback

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24673)

show more ...

Incorporate review feedback

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from h

Incorporate review feedback

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24673)

show more ...

Fix data race between SSL_SESSION_list_add and ssl_session_dup

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <m

Fix data race between SSL_SESSION_list_add and ssl_session_dup

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24673)

show more ...

Add test for ASN1_item_verify()

This is a test for https://github.com/openssl/openssl/issues/24575
Original idea by Theo Buehler.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com

Add test for ASN1_item_verify()

This is a test for https://github.com/openssl/openssl/issues/24575
Original idea by Theo Buehler.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24576)

show more ...

ASN1_item_verify_ctx(): Return -1 on fatal errors

Fixes #24575

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: D

ASN1_item_verify_ctx(): Return -1 on fatal errors

Fixes #24575

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24576)

show more ...

feat: add delegatedNameConstraints and holderNameConstraints exts

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://gith

feat: add delegatedNameConstraints and holderNameConstraints exts

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24664)

show more ...

Add comp.h to gitignore

Signed-off-by: Todd Short <todd.short@me.com>

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: T

Add comp.h to gitignore

Signed-off-by: Todd Short <todd.short@me.com>

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24676)

show more ...