summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
...
* QUIC CHANNEL: Remove stream 0-specific codeHugo Landau2023-05-122-31/+0
| | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20765)
* QUIC APL: Create QUIC CHANNEL up front rather than deferring creationHugo Landau2023-05-121-60/+22
| | | | | | | | | | | | | | | | We switch to instantiating the QUIC_CHANNEL up front at QCSO instantiation time. This creates the QUIC_STREAM_MAP early and makes it easy for us to allocate streams prior to connection initiation. The role (client or server) is determined at QCSO allocation time and cannot be changed. SSL_set_connect/accept_state() are still modelled but their usage must be consistent with the chosen SSL_METHOD which dictates which role is being used. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20765)
* QUIC: Base client/server identity on SSL method, not ↵Hugo Landau2023-05-122-5/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | SSL_set_connect/accept_state In QUIC, we have an architectural need (in future, when we implement 0-RTT, etc.) to be able to create streams before we start connecting. This requires we allocate a stream, including a stream ID, after creating a QCSO but prior to connecting. However stream IDs are dependent on whether the endpoint is in the client or server role, therefore we must know whether we are going to be a client or server before any pre-connection streams are created. Moreover, the originally defined QUIC_client_method() and QUIC_server_method() functions heavily implied the original plan was to have different SSL_METHODs for clients and servers. Up until now we had been relying on SSL_set_connect/accept_state() instead. Solve these problems by basing client/server identity on whether QUIC_server_method() is used (in future, when we support servers). This ensures that once a QCSO is created its client/server identity are fixed and cannot change, allowing pre-connection stream IDs, etc. to be allocated. Client/server uncertainty was the primary reason why QUIC_CHANNEL creation was deferred until connection time up until now, so this enables further refactoring to facilitate eager allocation of the QUIC_CHANNEL at QCSO allocation time. This is important as allocating a stream including its write buffers is hard without having the QUIC_CHANNEL (which owns the QUIC_STREAM_MAP) in existence. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20765)
* QUIC Dispatch: Update ssl_lib.c frontend to use new dispatch styleHugo Landau2023-05-121-96/+60
| | | | | | | | | | | This amends the dispatch code from ssl_lib.c to the QUIC API Personality Layer to use the new approach of dispatching using SSL object pointers rather than raw QUIC_CONNECTION pointers. This completes the said refactor. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20765)
* QUIC Dispatch: Add simple way to determine if SSL object is QUIC-relatedHugo Landau2023-05-121-0/+5
| | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20765)
* QUIC Dispatch: Refactor APL interface to use SSL pointers not QC pointersHugo Landau2023-05-122-218/+304
| | | | | | | | | | | | | | | | | | We now refactor the interface between ssl_lib.c frontend functions and the QUIC API Personality Layer so that the respective functions comprising the interface use SSL object pointers rather than raw QUIC_CONNECTION pointers. This is in preparation for stream support since once streams are supported, calls to e.g. ossl_quic_write() may be made on a QUIC_CONNECTION or a QUIC_XSO (that is, a stream object). Thus we take a uniform approach across all functions comprising the interface between the ssl_lib.c frontend and the QUIC API Personality Layer of using SSL pointers always. This provides a uniform approach and ensures that any function of the API personality layer can be easily adapted to support being called on a stream object in the future. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20765)
* QUIC Dispatch: Introduce the QUIC_XSO objectHugo Landau2023-05-124-14/+15
| | | | | | | | | | | | | | | | | | The QUIC_XSO (external stream object) is to a QUIC stream what a QUIC_CONNECTION is to a QUIC connection. Both are SSL objects. The QUIC_CONNECTION type is the internal representation of a QUIC connection SSL object (QCSO) and the QUIC_XSO type is the internal representation of a QUIC stream SSL object (QSSO) type. The name QUIC_XSO has been chosen to be distinct from the existing QUIC_STREAM type which is our existing internal stream type. QUIC_XSO is to a QUIC_STREAM what QUIC_CONNECTION is to a QUIC_CHANNEL; in other words, QUIC_CONNECTION and QUIC_XSO objects form part of the API personality layer, whereas QUIC_CHANNEL and QUIC_STREAM objects form part of the QUIC core and are distinct from the API personality layer. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20765)
* QUIC Dispatch: Enhance SSL object unwrapping functions (core)Hugo Landau2023-05-121-5/+88
| | | | | | | | | | | Uniform changes to all dispatch functions to use the new dispatch functionality follows this commit. Separated into a core commit and a commit containing the uniform pattern (monotonous) changes for ease of review. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20765)
* CMP client: fix checking new cert enrolled with oldcert and without private keyDr. David von Oheimb2023-05-128-36/+74
| | | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/20832)
* CMP client: fix error response on -csr without private key, also in docsDr. David von Oheimb2023-05-1210-21/+77
| | | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/20832)
* apps/openssl.cnf: fix reference to insta.ca.crtDr. David von Oheimb2023-05-122-4/+4
| | | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/20832)
* provider: return error if buf too small when getting ec pubkey paramYi Li2023-05-122-1/+23
| | | | | | | | | | | | | | | Fixes #20889 There was an incorrect value passed to EC_POINT_point2oct() for the buffer size of the param passed-in. Added testcases. Signed-off-by: Yi Li <yi1.li@intel.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20890)
* Fix typos found by codespellDimitri Papadopoulos2023-05-1214-28/+28
| | | | | | | | | | Fix only typos in doc/man* for inclusion in 3.* branches. Other typos have been fixed in a different commit. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20924)
* Clarify documentation of SSL_SESSION_dupWatson Ladd2023-05-121-2/+4
| | | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20848)
* Clear ownership when duplicating sessionsWatson Ladd2023-05-122-2/+5
| | | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20848)
* ecp_nistp256.c: Fix exponent in commentJonas Lindstrøm2023-05-111-1/+1
| | | | | | | | CLA: trivial Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20926)
* fix SSL_get_wbio may return rbio on quicihciah2023-05-111-1/+1
| | | | | | | | | CLA: trivial Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20930)
* Fixed TLS1.3 handshake issue for legacy engine API.Yuan, Shuai2023-05-111-0/+4
| | | | | | | | Signed-off-by: Yuan, Shuai <shuai.yuan@intel.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20922)
* Fix a typo found by codespell in a variable nameDimitri Papadopoulos2023-05-111-5/+5
| | | | | | | | | | | The change is limited to a single C file. CLA: trivial Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20912)
* restrict rsaBITS algorithm name check in speedMichael Baentsch2023-05-111-13/+19
| | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20898)
* CMP app: fix deallocated host/port fields in APP_HTTP_TLS_INFODr. David von Oheimb2023-05-101-3/+9
| | | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20034)
* CMP app and app_http_tls_cb(): pick the right TLS hostname (also without port)Dr. David von Oheimb2023-05-102-3/+7
| | | | | | | | | Fixes #20031 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20034)
* Fix a typo found by codespell in a Makefile variableDimitri Papadopoulos2023-05-101-1/+1
| | | | | | | | | | | | I have no experience with building on Windows, so I don't know the effect of fixing this typo. I guess that this will fix a bug at worst. CLA: trivial Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20911)
* DLTS → DTLSDimitri Papadopoulos2023-05-102-2/+2
| | | | | | | | | | | Fix a typo that is confusing for newcomers. CLA: trivial Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20909)
* Fix memory leak in engine_cleanup_add_first()Kovalev Vasiliy2023-05-091-2/+3
| | | | | | | | | Fixes #20870 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20880)
* aes-gcm-armv8_64 asm support bigdianJerryDevis2023-05-091-206/+581
| | | | | | | | Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20489) (cherry picked from commit 32344a74b7ee2693a5bfda361c40ec60ab5be624)
* Fix stack use-after-free in QUICJuergen Christ2023-05-091-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When running test_quicapi on master on a Fedora 38 with santizier, a stack use-after-free is reported: ``` 75-test_quicapi.t .. ================================================================= ==28379==ERROR: AddressSanitizer: stack-use-after-return on address 0x03ffa22a2961 at pc 0x03ffa507384a bp 0x03fffb576d68 sp 0x03fffb576550 READ of size 8 at 0x03ffa22a2961 thread T0 #0 0x3ffa5073849 in memcpy (/usr/lib64/libasan.so.8+0x73849) (BuildId: ce24d4ce2e06892c2e9105155979b957089a182c) #1 0x118b883 in tls_handle_alpn ssl/statem/statem_srvr.c:2221 #2 0x111569d in tls_parse_all_extensions ssl/statem/extensions.c:813 #3 0x118e2bf in tls_early_post_process_client_hello ssl/statem/statem_srvr.c:1957 #4 0x118e2bf in tls_post_process_client_hello ssl/statem/statem_srvr.c:2290 #5 0x113d797 in read_state_machine ssl/statem/statem.c:712 #6 0x113d797 in state_machine ssl/statem/statem.c:478 #7 0x10729f3 in SSL_do_handshake ssl/ssl_lib.c:4669 #8 0x11cec2d in ossl_quic_tls_tick ssl/quic/quic_tls.c:717 #9 0x11afb03 in ch_tick ssl/quic/quic_channel.c:1296 #10 0x10cd1a9 in ossl_quic_reactor_tick ssl/quic/quic_reactor.c:79 #11 0x10d948b in ossl_quic_tserver_tick ssl/quic/quic_tserver.c:160 #12 0x1021ead in qtest_create_quic_connection test/helpers/quictestlib.c:273 #13 0x102b81d in test_quic_write_read test/quicapitest.c:54 #14 0x12035a9 in run_tests test/testutil/driver.c:370 #15 0x1013203 in main test/testutil/main.c:30 #16 0x3ffa463262b in __libc_start_call_main (/usr/lib64/libc.so.6+0x3262b) (BuildId: 6bd4a775904d85009582d6887da4767128897d0e) #17 0x3ffa463272d in __libc_start_main_impl (/usr/lib64/libc.so.6+0x3272d) (BuildId: 6bd4a775904d85009582d6887da4767128897d0e) #18 0x101efb9 (/root/openssl/test/quicapitest+0x101efb9) (BuildId: 075e387adf6d0032320aaa18061f13e9565ab481) Address 0x03ffa22a2961 is located in stack of thread T0 at offset 33 in frame #0 0x10d868f in alpn_select_cb ssl/quic/quic_tserver.c:49 This frame has 1 object(s): [32, 41) 'alpn' (line 50) <== Memory access at offset 33 is inside this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-use-after-return (/usr/lib64/libasan.so.8+0x73849) (BuildId: ce24d4ce2e06892c2e9105155979b957089a182c) in memcpy Shadow bytes around the buggy address: 0x03ffa22a2680: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0x03ffa22a2700: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0x03ffa22a2780: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0x03ffa22a2800: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0x03ffa22a2880: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 =>0x03ffa22a2900: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5[f5]f5 f5 f5 0x03ffa22a2980: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0x03ffa22a2a00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0x03ffa22a2a80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0x03ffa22a2b00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0x03ffa22a2b80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==28379==ABORTING ../../util/wrap.pl ../../test/quicapitest default ../../test/default.cnf ../../test/certs => 1 not ok 1 - running quicapitest ``` Fix this be making the protocols to select static constants and thereby moving them out of the stack frame of the callback function. Signed-off-by: Juergen Christ <jchrist@linux.ibm.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20904)
* Update the corpora submoduleMatt Caswell2023-05-081-0/+0
| | | | | | | | | | We update the corpora submodule to include a fuzz testcase for the conf timeout. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20839)
* Prevent a fuzzing timeout in the conf fuzzerMatt Caswell2023-05-081-0/+17
| | | | | | | | | | | | | The fuzzer was creating a config file with large numbers of includes which are expensive to process. However this should not cause a security issue, and should never happen in normal operation so we can ignore it. Fixes ossfuzz issue 57718. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20839)
* Don't attempt a QUIC connection without specifying ALPNMatt Caswell2023-05-081-0/+4
| | | | | | | | | ALPN is required for a successful QUIC connection, so do not allow the -quic option for s_client without -alpn Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20580)
* Add some documentation for the new QUIC mode in s_clientMatt Caswell2023-05-082-0/+18
| | | | | | | | Also mentions the new FIN command in s_client advance mode Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20580)
* Add the ability to send FIN on a QUIC stream from s_clientMatt Caswell2023-05-081-4/+25
| | | | | | Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20580)
* Add QUIC support to s_clientMatt Caswell2023-05-083-30/+125
| | | | | | Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20580)
* remove unused macro in common.hzhangzhilei2023-05-051-8/+0
| | | | | | | Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20881)
* Revert "win-onecore: Build with /APPCONTAINER for UWP compat"Mathias Berchtold2023-05-051-5/+4
| | | | | | | | | | | This reverts commit 2c61a670ebf2f1923a3bd2ef0ee4b2fa6261eaeb. Not all OneCore based SKUs (or editions) of Windows (Server, XBOX, etc) require /APPCONTAINER. The /APPCONTAINER link option is only relevant for Universal Windows Platform (UWP) apps for which there are already dedicated configurations (VC-WIN32-UWP, VC-WIN64A-UWP, etc) where the /APPCONTAINER link option is added. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20872)
* Fix the padlock engineBernd Edlinger2023-05-051-2/+13
| | | | | | | | | | | | | | ... after it was broken for almost 5 years, since the first 1.1.1 release. Note: The last working version was 1.1.0l release. Fixes #20073 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20146)
* Add libctx to x931 keygen.slontis2023-05-054-6/+65
| | | | | | | | | Added coverage test that failed without the change. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19677)
* Extend the min/max protocol testingMatt Caswell2023-05-051-7/+71
| | | | | | | | Add more test cases and ensure we test DTLS and QUIC too Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20830)
* Be more accurate about what we accept as a valid DTLS versionMatt Caswell2023-05-051-2/+4
| | | | | | | | We accepted more version numbers as valid DTLS then we really should do. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20830)
* Update the min/max proto function documentation for QUICMatt Caswell2023-05-051-0/+3
| | | | | | | | | These functions do nothing if used with a QUIC object, so we document this behaviour. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20830)
* 25-test_x509.t: test dots in CA file pathAlois Klink2023-05-041-1/+14
| | | | | | | | | | | | | | | Test whether dots in the CA file path breaks the default CA serial number file path. Tests for: - https://github.com/openssl/openssl/issues/6203 - https://github.com/openssl/openssl/issues/6489 - https://github.com/openssl/openssl/pull/6566 - https://github.com/openssl/openssl/issues/10442 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20873)
* feature: openssl req -verify output to stderr instead of stdout #20728Rajarshi Karmakar2023-05-041-1/+1
| | | | | | Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20858)
* Fix broken links on asym_cipher manpagesLadislav Marko2023-05-041-3/+2
| | | | | | | | | Links were missing starting tags Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20729)
* Add negative integer check when using ASN1_BIT_STRINGmlitre2023-05-041-0/+6
| | | | | | | | | | | The negative integer check is done to prevent potential overflow. Fixes #20719. CLA: trivial Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20862)
* apps: silent warning when loading CSR files with vfyopt optionTianjia Zhang2023-05-036-9/+12
| | | | | | | | | | | | | | | | | When verifying or signing a CSR file with the -vfyopt option, a warning message similar to the following will appear: Warning: CSR self-signature does not match the contents This happens especially when the SM2 algorithm is used and the distid parameter is added. Pass the vfyopts parameter to the do_X509_REQ_verify() function to eliminate the warning message. Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20799)
* speed.c: remove unused num print_message argsReinhard Urban2023-05-031-95/+44
| | | | | | | | | | these num args went unused with the removal of the ifndef SIGALRM branches, commit ee1d7f1d25ef24f111f13dc742474cd9c39c2753 Feb 2021 PR #14228 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20795)
* rand: trust user supplied entropy when configured without a random sourcePauli2023-05-031-0/+6
| | | | | | | | Fixes #20841 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/20843)
* Copy min/max_proto_version from SSL_CTX to SSL only for the same method typesTomas Mraz2023-05-021-2/+4
| | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/20764)
* Do not send the empty renegotiation info SCSV in QUICTomas Mraz2023-05-021-1/+3
| | | | | | | | | There is no point in sending that when min_proto_version is >= TLS1_3_VERSION. So we set that during SSL_CTX initialization and skip adding the SCSV. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/20764)
* param->ctrl translation: Fix evp_pkey_ctx_setget_params_to_ctrl()Richard Levitte2023-05-011-0/+1
| | | | | | | | Ensure that ctx.ctrl_cmd defaults to translation->cmd_num Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/20780)
View Lorry Controller Status