we assume these to be order sensitive and not self contained, so
as per our new style we disable clang format around them.
we should consider renaming to .inc, or doing away with some
of these and just putting the code inline, but that's for
later consideration.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29259)
Similar to the previous errtest.c fix this also is not broken
by any reformatting today, but this change makes this follow
the same pattern as the other things that test OPENSSL_LINE
after the fact so we maintain the same paradigm everywhere.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29259)
(in it's final form it will work with either compiler
because it's currently one line, but was tripped up before
by the #ifdef, so redid it to be consistent with the
other changes previously in this stack)
While I am here correct the test to test for all possible
return values of ERR_get_error_all, without the #ifdefs
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29259)
Fortunately due to the initial size of the allocated
buffer and the limit for unfragmented DTLS record size
the use-after-realloc cannot be triggered.
But we fix the potentially problematic code anyway.
Reported Joshua Rogers. It was found with the ZeroPath security
tooling.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29278)
(cherry picked from commit 6d1d85c31b)
Check parameters of ECDSA signatures on verify and fail for invalid
malformed signatures in the code path for s390x accelerators. Handle
condition code of kdsa instruction for detecting invalid parameters.
For NIST P521 curves, kdsa ignores completely the upper 14 bytes of
the sections for r and s in the parameter-block, so adapt the offset
and length for bignum conversions for these curves. This will detect
cases of malformed signatures which are not covered by the kdsa
parameter checking.
Fixes: #29173
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29214)
(cherry picked from commit 8e28ea9e62)
The kdsa instruction is doing some parameter checking for the verify
function codes, like r/s equals zero and range checks. To handle these
cases correctly in the calling functions, the asm returns now also
condition code 2.
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29214)
(cherry picked from commit bcaa2a3af6)
Using SSL_CTX_set_cert_verify_callback but still calling
X509_verify_cert is useful if applications want to dynamically
configure the X509_STORE_CTX, or postprocess the result, in a way that
does not quite fit the somewhat unpredictable behavior of the
SSL_CTX_set_verify callback. (In my experience, applications rarely
realize it is called multiple times. It's also too late at that point to
reconfigure the X509_STORE_CTX as verification has already started.)
There is one note in the docs that the callback needs to stash the
verify result with X509_STORE_CTX_set_error, but it is not immediately
obvious that X509_verify_cert will do so, or that it is the built-in
behavior. Add a paragraph discussing this.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28960)
(cherry picked from commit 069181d7f3)
The OSSL_FUNC_signature_{sign,verify}_message_* functions were added
in OpenSSL 3.4 but weren't documented in the HISTORY section of
provider-signature(7), while the corresponding EVP_PKEY_sign_message_*
functions are properly documented in EVP_PKEY_sign(3).
This adds the missing HISTORY entry to document when these provider
functions were introduced.
Fixes#29088
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29130)
(cherry picked from commit 6b4ad7f8d8)
(cherry picked from commit af76e77ccb)
This fixes the following compilation error on HP-UX:
```
11:07:19 crypto/evp/bio_ok.c: In function 'block_in':
11:07:19 crypto/evp/bio_ok.c:579: error: 'SIZE_MAX' undeclared (first use in this function)
11:07:19 crypto/evp/bio_ok.c:579: error: (Each undeclared identifier is reported only once
11:07:19 crypto/evp/bio_ok.c:579: error: for each function it appears in.)
```
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28793)
(cherry picked from commit 695a5aaf0b)
This changes handles the introduction of _POSIX_VERSION into the NonStop x86
header files that tricks OpenSSL into thinking that ucontext.h is available.
Build a workaround in timing_load_creds.c on NonStop for lack of rusage.
This simulates getrusage() that is not available on NonStop.
Fixes#28498Fixes#29023
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29106)
In ossl_ec_curve_nid_from_params, EC_GROUP_get0_cofactor may return NULL,
but BN_is_zero was called on it unconditionally, leading to a potential
segmentation fault.
Now check that cofactor != NULL before calling BN_is_zero or BN_is_word,
aligning with safe practices used elsewhere in the codebase.
This fixes a critical NULL pointer dereference vulnerability that could
be triggered by EC groups with unset cofactor, preventing DoS via segfault.
Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29069)
(cherry picked from commit 87a4607668)
It is not entirely obvious from the description how the objects returned
by X509_STORE_get1_objects() and X509_STORE_get1_all_certs() are
supposed to be freed, explicitly mention the relevant calls, and provide
a reference to DEFINE_STACK_OF(3).
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/29002)
(cherry picked from commit de1abbed1c)
