This resulted in some source reformatting becoming a bit less trippy
This is the script I used to run clang-format appropriately enough:
#! /bin/bash
include_re=$(yq -r '.repos.[].hooks.[] | select(.id == "clang-format") | .files' < .pre-commit-config.yaml)
known_generated=( crypto/bn/bn_prime.h
crypto/objects/obj_dat.h
crypto/objects/obj_xref.h
include/openssl/obj_mac.h
crypto/conf/conf_def.h
crypto/asn1/charmap.h
'*_err.c'
'*err.h' )
exclusions=()
for g in "${known_generated[@]}"; do
# Convert pattern to a regex
g=${g//\./\\.}
g=${g//\*/.\*}
exclusions+=( "^${g}\$" )
done
# Join all exclusions into one regex
exclude_re=$(IFS='|'; echo "${exclusions[*]}")
(set -x; git ls-files | grep -E $include_re | grep -Ev $exclude_re | xargs clang-format -i)
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29383)
I looked for them with the following grep pipe, and then read through
the output to discern what are actual type definitions, and converted
what I found manually.
git grep -En -e '#define [a-zA-Z_0-9]+ ' -- '*.h' \
| sed -e 's|//.*||' -e 's|/\*.*\*/||g' \
| grep -Ev ' ([0-9]|.*".*|.*\\$)'
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29383)
This is bascially eating my mac, as it now runs for 80 seconds
and eats all the CPU's exercising lock contention.
This dials it back to consume at most a quarter of the CPU's in
use by HARNESS_JOBS, unless LHASH_WORKERS is set to override it
in which case we use that.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/29406)
Coverity flagged a use before NULL check error in
kdf_snmpkdf_set_ctx_params.
In this function the ctx pointer was dereferenced to obtain a
OSSL_LIB_CTX pointer, and only after that dereference was ctx checked
for being NULL.
fix is pretty clear, just move the OSSL_LIB_CTX computation down to a
point after ctx is checked for NULL.
fixesopenssl/project#1765
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29400)
This allows setting the ML-KEM and ML-DSA output formats.
At the same fixing surprising lack of password encryption
of PKCS#8 private keys in DER output form in the CLI apps.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29324)
Custom MD methods are considered legacy and have been deprecated
since 3.0. With the removal of ENGINEs they become a lot less useful
and add significant complexity to the code. We should therefore remove
them in 4.0.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29366)
Its been reported that, when using SSL_listen_ex to obtain a new
connection from a listener, that, if the listener is freed prior to the
obtained connection, we get use-after-free conditions when freeing said
obtained connections.
This occurs because SSL_listen_ex fails to take a reference on the
parent listener SSL object (in the same way that SSL_new_from_listener
does). If the listener is freed first, then several listener resources
are freed, which the obtained connection still makes use of, hence the
use-after-free.
The fix is to do what SSL_new_from_listener does, namely:
1) Increase the reference count on the listener SSL object.
2) Ensure that the connection qc->listener points to the listener object
so that, when the connection is freed, we call SSL_free on the
listener object, dropping the reference count we take in
SSL_listen_ex.
While we're at it, this PR also modifies the quicapi test for testing
the SSL_listen_ex call, freeing the listener first to ensure that the
increased refcount holds the SSL object data stable until the connection
is freed.
Thanks to Stanislav Fort at Asile Research for pointing out this issue.
fixesopenssl/project#1766
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29398)
Update ossl_ec_key_fromdata to compute the public key if it is not provided in
the input parameters but the private key is. This allows for the creation of a
complete EC_KEY object from only private key data.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29054)
We still build with crypto-mdebug-backtrace enabled in a few ci jobs,
but it does nothing.
With the upcoming merge of feature/removesslv3, the code changes there
prevent the use of this option (i.e. enabling it results in
configuration failure).
It seems the most sensible thing to do here, given we have a major
release is to eliminate the option entirely, as it hasn't done anything
since 1.0.2.
Fixesopenssl/project#1763
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29380)
Custom cipher methods are considered legacy and have been deprecated
since 3.0. With the removal of ENGINEs they become a lot less useful
and add significant complexity to the code. We should therefore remove
them in 4.0.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29299)
Add tests to verify that `EVP_MD_CTX_serialize` and
`EVP_MD_CTX_deserialize` fail when called on a finalized `EVP_MD_CTX`.
A finalized context is in a terminal state and should not be serializable for
resumption or have a new state deserialized into it. These tests confirm the
expected failure behavior.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28837)
Refactor the SHA provider's context parameter handling in sha2_prov.c to use
the generated parameter decoder framework.
This change replaces manual parameter lookups using `OSSL_PARAM_locate` and
static `OSSL_PARAM` arrays with generated decoder functions and structs. A new
template, `sha2_prov.inc.in`, is added to create the necessary decoders during
the build.
This simplifies the code, reduces boilerplate, and improves type safety.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28837)
Implement context serialization and deserialization for the SHA3, KECCAK,
SHAKE, and KMAC provider-based digests.
This is achieved by handling the `OSSL_DIGEST_SERIALIZATION` parameter in
get_ctx_params and set_ctx_params. A custom format is used to store the KECCAK
state, including a magic number and an algorithm identifier to ensure the
context is not loaded into an incompatible digest instance.
This allows an EVP_MD_CTX to be saved and restored, which is useful for
applications that need to checkpoint hashing operations. The existing EVP
serialization tests have been extended to cover these new algorithms.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28837)
