Fixes: #1631
This changes the previously internal ossl_x509_check_certificate_times()
to be the public X509_check_certificate_times(). It adds documentation
for the new function and marks X509_cmp_time, X509_cmp_timeframe,
and X509_cmp_current_time as deprecated in 4.0, as discussed in #1631.
Since the function is now public, we can replace the remaining
uses of deprecated stuff with this function.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29152)
When ASYNC_start_job is called with args != NULL but size == 0,
OPENSSL_malloc(0) is called. Depending on the libc implementation,
malloc(0) may return NULL, causing a silent failure.
This patch modifies the logic to skip allocation if size is 0.
CLA: trivial
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29377)
This resulted in some source reformatting becoming a bit less trippy
This is the script I used to run clang-format appropriately enough:
#! /bin/bash
include_re=$(yq -r '.repos.[].hooks.[] | select(.id == "clang-format") | .files' < .pre-commit-config.yaml)
known_generated=( crypto/bn/bn_prime.h
crypto/objects/obj_dat.h
crypto/objects/obj_xref.h
include/openssl/obj_mac.h
crypto/conf/conf_def.h
crypto/asn1/charmap.h
'*_err.c'
'*err.h' )
exclusions=()
for g in "${known_generated[@]}"; do
# Convert pattern to a regex
g=${g//\./\\.}
g=${g//\*/.\*}
exclusions+=( "^${g}\$" )
done
# Join all exclusions into one regex
exclude_re=$(IFS='|'; echo "${exclusions[*]}")
(set -x; git ls-files | grep -E $include_re | grep -Ev $exclude_re | xargs clang-format -i)
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29383)
I looked for them with the following grep pipe, and then read through
the output to discern what are actual type definitions, and converted
what I found manually.
git grep -En -e '#define [a-zA-Z_0-9]+ ' -- '*.h' \
| sed -e 's|//.*||' -e 's|/\*.*\*/||g' \
| grep -Ev ' ([0-9]|.*".*|.*\\$)'
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29383)
This is bascially eating my mac, as it now runs for 80 seconds
and eats all the CPU's exercising lock contention.
This dials it back to consume at most a quarter of the CPU's in
use by HARNESS_JOBS, unless LHASH_WORKERS is set to override it
in which case we use that.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/29406)
Coverity flagged a use before NULL check error in
kdf_snmpkdf_set_ctx_params.
In this function the ctx pointer was dereferenced to obtain a
OSSL_LIB_CTX pointer, and only after that dereference was ctx checked
for being NULL.
fix is pretty clear, just move the OSSL_LIB_CTX computation down to a
point after ctx is checked for NULL.
fixesopenssl/project#1765
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29400)
This allows setting the ML-KEM and ML-DSA output formats.
At the same fixing surprising lack of password encryption
of PKCS#8 private keys in DER output form in the CLI apps.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29324)
Custom MD methods are considered legacy and have been deprecated
since 3.0. With the removal of ENGINEs they become a lot less useful
and add significant complexity to the code. We should therefore remove
them in 4.0.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29366)
Its been reported that, when using SSL_listen_ex to obtain a new
connection from a listener, that, if the listener is freed prior to the
obtained connection, we get use-after-free conditions when freeing said
obtained connections.
This occurs because SSL_listen_ex fails to take a reference on the
parent listener SSL object (in the same way that SSL_new_from_listener
does). If the listener is freed first, then several listener resources
are freed, which the obtained connection still makes use of, hence the
use-after-free.
The fix is to do what SSL_new_from_listener does, namely:
1) Increase the reference count on the listener SSL object.
2) Ensure that the connection qc->listener points to the listener object
so that, when the connection is freed, we call SSL_free on the
listener object, dropping the reference count we take in
SSL_listen_ex.
While we're at it, this PR also modifies the quicapi test for testing
the SSL_listen_ex call, freeing the listener first to ensure that the
increased refcount holds the SSL object data stable until the connection
is freed.
Thanks to Stanislav Fort at Asile Research for pointing out this issue.
fixesopenssl/project#1766
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29398)
Update ossl_ec_key_fromdata to compute the public key if it is not provided in
the input parameters but the private key is. This allows for the creation of a
complete EC_KEY object from only private key data.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29054)
We still build with crypto-mdebug-backtrace enabled in a few ci jobs,
but it does nothing.
With the upcoming merge of feature/removesslv3, the code changes there
prevent the use of this option (i.e. enabling it results in
configuration failure).
It seems the most sensible thing to do here, given we have a major
release is to eliminate the option entirely, as it hasn't done anything
since 1.0.2.
Fixesopenssl/project#1763
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29380)
