From 6b0e79968b7ee3d6701c7e2e69dbe5edcd94c0fd Mon Sep 17 00:00:00 2001 From: "Node.js GitHub Bot" Date: Tue, 5 Aug 2025 17:06:14 +0000 Subject: [PATCH] deps: upgrade openssl sources to openssl-3.5.2 PR-URL: https://github.com/nodejs/node/pull/59371 Reviewed-By: Richard Lau Reviewed-By: James M Snell Reviewed-By: Filip Skokan Reviewed-By: Luigi Pinca Reviewed-By: Rafael Gonzaga --- deps/openssl/openssl/CHANGES.md | 7 ++ deps/openssl/openssl/NEWS.md | 4 + deps/openssl/openssl/VERSION.dat | 4 +- deps/openssl/openssl/apps/asn1parse.c | 2 +- deps/openssl/openssl/apps/rand.c | 4 +- deps/openssl/openssl/crypto/dh/dh_check.c | 36 +++++++- .../crypto/encode_decode/decoder_lib.c | 28 ++++++ .../crypto/encode_decode/decoder_pkey.c | 72 ++++++++++++--- .../crypto/encode_decode/encoder_local.h | 2 + deps/openssl/openssl/crypto/evp/asymcipher.c | 8 +- .../openssl/openssl/crypto/evp/keymgmt_meth.c | 4 +- deps/openssl/openssl/crypto/evp/m_sigver.c | 24 +++-- deps/openssl/openssl/crypto/perlasm/x86asm.pl | 4 +- deps/openssl/openssl/crypto/provider_core.c | 6 ++ deps/openssl/openssl/crypto/rsa/rsa_gen.c | 15 ++++ .../openssl/openssl/crypto/slh_dsa/slh_hash.c | 3 + deps/openssl/openssl/crypto/sm2/sm2_sign.c | 6 +- deps/openssl/openssl/crypto/store/store_lib.c | 25 +++--- deps/openssl/openssl/crypto/x509/x_crl.c | 15 +++- deps/openssl/openssl/fuzz/dtlsserver.c | 5 +- deps/openssl/openssl/include/crypto/bn_conf.h | 1 - deps/openssl/openssl/include/crypto/dh.h | 4 +- .../openssl/openssl/include/crypto/dso_conf.h | 1 - deps/openssl/openssl/include/crypto/rsa.h | 6 +- .../openssl/include/internal/param_names.h | 1 - .../openssl/include/internal/quic_ackm.h | 4 +- deps/openssl/openssl/include/openssl/asn1.h | 1 - deps/openssl/openssl/include/openssl/asn1t.h | 1 - deps/openssl/openssl/include/openssl/bio.h | 1 - deps/openssl/openssl/include/openssl/cmp.h | 1 - deps/openssl/openssl/include/openssl/cms.h | 1 - deps/openssl/openssl/include/openssl/comp.h | 1 - deps/openssl/openssl/include/openssl/conf.h | 1 - .../openssl/include/openssl/configuration.h | 1 - .../openssl/include/openssl/core_dispatch.h | 4 + .../openssl/include/openssl/core_names.h | 1 - deps/openssl/openssl/include/openssl/crmf.h | 1 - deps/openssl/openssl/include/openssl/crypto.h | 1 - deps/openssl/openssl/include/openssl/ct.h | 1 - deps/openssl/openssl/include/openssl/err.h | 1 - deps/openssl/openssl/include/openssl/ess.h | 1 - .../openssl/openssl/include/openssl/fipskey.h | 1 - deps/openssl/openssl/include/openssl/lhash.h | 1 - deps/openssl/openssl/include/openssl/ocsp.h | 1 - .../openssl/include/openssl/opensslv.h | 1 - deps/openssl/openssl/include/openssl/pem.h | 1 + deps/openssl/openssl/include/openssl/pkcs12.h | 1 - deps/openssl/openssl/include/openssl/pkcs7.h | 1 - .../openssl/include/openssl/safestack.h | 1 - .../openssl/include/openssl/self_test.h | 1 + deps/openssl/openssl/include/openssl/srp.h | 1 - deps/openssl/openssl/include/openssl/ssl.h | 1 - deps/openssl/openssl/include/openssl/ui.h | 1 - deps/openssl/openssl/include/openssl/x509.h | 1 - .../openssl/include/openssl/x509_acert.h | 1 - .../openssl/include/openssl/x509_vfy.h | 1 - deps/openssl/openssl/include/openssl/x509v3.h | 1 - .../openssl/providers/fips-sources.checksums | 32 +++---- deps/openssl/openssl/providers/fips.checksum | 2 +- .../openssl/openssl/providers/fips/fipsprov.c | 9 ++ .../openssl/providers/fips/self_test_data.inc | 87 +++++++------------ .../encode_decode/decode_pem2der.c | 1 + .../implementations/kem/ml_kem_kem.c | 2 +- .../implementations/keymgmt/dh_kmgmt.c | 18 +++- .../implementations/keymgmt/ec_kmgmt.c | 17 ++++ .../implementations/keymgmt/ecx_kmgmt.c | 23 ++++- .../implementations/keymgmt/rsa_kmgmt.c | 18 ++++ deps/openssl/openssl/providers/legacyprov.c | 11 ++- deps/openssl/openssl/ssl/quic/quic_ackm.c | 33 +++++-- deps/openssl/openssl/ssl/quic/quic_channel.c | 3 +- .../openssl/openssl/ssl/quic/quic_rx_depack.c | 28 ++---- .../openssl/util/perl/TLSProxy/Proxy.pm | 27 +++++- 72 files changed, 438 insertions(+), 198 deletions(-) delete mode 100644 deps/openssl/openssl/include/crypto/bn_conf.h delete mode 100644 deps/openssl/openssl/include/crypto/dso_conf.h delete mode 100644 deps/openssl/openssl/include/internal/param_names.h delete mode 100644 deps/openssl/openssl/include/openssl/asn1.h delete mode 100644 deps/openssl/openssl/include/openssl/asn1t.h delete mode 100644 deps/openssl/openssl/include/openssl/bio.h delete mode 100644 deps/openssl/openssl/include/openssl/cmp.h delete mode 100644 deps/openssl/openssl/include/openssl/cms.h delete mode 100644 deps/openssl/openssl/include/openssl/comp.h delete mode 100644 deps/openssl/openssl/include/openssl/conf.h delete mode 100644 deps/openssl/openssl/include/openssl/configuration.h delete mode 100644 deps/openssl/openssl/include/openssl/core_names.h delete mode 100644 deps/openssl/openssl/include/openssl/crmf.h delete mode 100644 deps/openssl/openssl/include/openssl/crypto.h delete mode 100644 deps/openssl/openssl/include/openssl/ct.h delete mode 100644 deps/openssl/openssl/include/openssl/err.h delete mode 100644 deps/openssl/openssl/include/openssl/ess.h delete mode 100644 deps/openssl/openssl/include/openssl/fipskey.h delete mode 100644 deps/openssl/openssl/include/openssl/lhash.h delete mode 100644 deps/openssl/openssl/include/openssl/ocsp.h delete mode 100644 deps/openssl/openssl/include/openssl/opensslv.h delete mode 100644 deps/openssl/openssl/include/openssl/pkcs12.h delete mode 100644 deps/openssl/openssl/include/openssl/pkcs7.h delete mode 100644 deps/openssl/openssl/include/openssl/safestack.h delete mode 100644 deps/openssl/openssl/include/openssl/srp.h delete mode 100644 deps/openssl/openssl/include/openssl/ssl.h delete mode 100644 deps/openssl/openssl/include/openssl/ui.h delete mode 100644 deps/openssl/openssl/include/openssl/x509.h delete mode 100644 deps/openssl/openssl/include/openssl/x509_acert.h delete mode 100644 deps/openssl/openssl/include/openssl/x509_vfy.h delete mode 100644 deps/openssl/openssl/include/openssl/x509v3.h diff --git a/deps/openssl/openssl/CHANGES.md b/deps/openssl/openssl/CHANGES.md index 2978ebfa2d1..c9682a863ff 100644 --- a/deps/openssl/openssl/CHANGES.md +++ b/deps/openssl/openssl/CHANGES.md @@ -28,6 +28,13 @@ OpenSSL Releases OpenSSL 3.5 ----------- +### Changes between 3.5.1 and 3.5.2 [5 Aug 2025] + + * The FIPS provider now performs a PCT on key import for RSA, EC and ECX. + This is mandated by FIPS 140-3 IG 10.3.A additional comment 1. + + *Dr Paul Dale* + ### Changes between 3.5.0 and 3.5.1 [1 Jul 2025] * Fix x509 application adds trusted use instead of rejected use. diff --git a/deps/openssl/openssl/NEWS.md b/deps/openssl/openssl/NEWS.md index e5fe9477903..0d7cf139fa2 100644 --- a/deps/openssl/openssl/NEWS.md +++ b/deps/openssl/openssl/NEWS.md @@ -23,6 +23,10 @@ OpenSSL Releases OpenSSL 3.5 ----------- +### Major changes between OpenSSL 3.5.1 and OpenSSL 3.5.2 [5 Aug 2025] + + * none + ### Major changes between OpenSSL 3.5.0 and OpenSSL 3.5.1 [1 Jul 2025] OpenSSL 3.5.1 is a security patch release. The most severe CVE fixed in this diff --git a/deps/openssl/openssl/VERSION.dat b/deps/openssl/openssl/VERSION.dat index f931934a197..a5925c8d533 100644 --- a/deps/openssl/openssl/VERSION.dat +++ b/deps/openssl/openssl/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=5 -PATCH=1 +PATCH=2 PRE_RELEASE_TAG= BUILD_METADATA= -RELEASE_DATE="1 Jul 2025" +RELEASE_DATE="5 Aug 2025" SHLIB_VERSION=3 diff --git a/deps/openssl/openssl/apps/asn1parse.c b/deps/openssl/openssl/apps/asn1parse.c index 4f882396d03..4540d5f5fb6 100644 --- a/deps/openssl/openssl/apps/asn1parse.c +++ b/deps/openssl/openssl/apps/asn1parse.c @@ -40,8 +40,8 @@ const OPTIONS asn1parse_options[] = { {"length", OPT_LENGTH, 'p', "length of section in file"}, {"strparse", OPT_STRPARSE, 'p', "offset; a series of these can be used to 'dig'"}, - {"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"}, {OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"}, + {"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"}, {"genconf", OPT_GENCONF, 's', "file to generate ASN1 structure from"}, {"strictpem", OPT_STRICTPEM, 0, "equivalent to '-inform pem' (obsolete)"}, diff --git a/deps/openssl/openssl/apps/rand.c b/deps/openssl/openssl/apps/rand.c index b123a151ea7..da747c1783e 100644 --- a/deps/openssl/openssl/apps/rand.c +++ b/deps/openssl/openssl/apps/rand.c @@ -1,5 +1,5 @@ /* - * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -199,7 +199,7 @@ int rand_main(int argc, char **argv) int chunk; chunk = scaled_num > buflen ? (int)buflen : (int)scaled_num; - r = RAND_bytes(buf, chunk); + r = RAND_bytes_ex(app_get0_libctx(), buf, chunk, 0); if (r <= 0) goto end; if (format != FORMAT_TEXT) { diff --git a/deps/openssl/openssl/crypto/dh/dh_check.c b/deps/openssl/openssl/crypto/dh/dh_check.c index ae23f61839e..2d899dc96f6 100644 --- a/deps/openssl/openssl/crypto/dh/dh_check.c +++ b/deps/openssl/openssl/crypto/dh/dh_check.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -16,6 +16,7 @@ #include #include "internal/cryptlib.h" #include +#include #include "dh_local.h" #include "crypto/dh.h" @@ -329,17 +330,27 @@ end: * FFC pairwise check from SP800-56A R3. * Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency */ -int ossl_dh_check_pairwise(const DH *dh) +int ossl_dh_check_pairwise(const DH *dh, int return_on_null_numbers) { int ret = 0; BN_CTX *ctx = NULL; BIGNUM *pub_key = NULL; + OSSL_SELF_TEST *st = NULL; + OSSL_CALLBACK *stcb = NULL; + void *stcbarg = NULL; if (dh->params.p == NULL || dh->params.g == NULL || dh->priv_key == NULL || dh->pub_key == NULL) - return 0; + return return_on_null_numbers; + + OSSL_SELF_TEST_get_callback(dh->libctx, &stcb, &stcbarg); + st = OSSL_SELF_TEST_new(stcb, stcbarg); + if (st == NULL) + goto err; + OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT, + OSSL_SELF_TEST_DESC_PCT_DH); ctx = BN_CTX_new_ex(dh->libctx); if (ctx == NULL) @@ -351,10 +362,27 @@ int ossl_dh_check_pairwise(const DH *dh) /* recalculate the public key = (g ^ priv) mod p */ if (!ossl_dh_generate_public_key(ctx, dh, dh->priv_key, pub_key)) goto err; + +#ifdef FIPS_MODULE + { + int len; + unsigned char bytes[1024] = {0}; /* Max key size of 8192 bits */ + + if (BN_num_bytes(pub_key) > (int)sizeof(bytes)) + goto err; + len = BN_bn2bin(pub_key, bytes); + OSSL_SELF_TEST_oncorrupt_byte(st, bytes); + if (BN_bin2bn(bytes, len, pub_key) == NULL) + goto err; + } +#endif /* check it matches the existing public_key */ ret = BN_cmp(pub_key, dh->pub_key) == 0; -err: + err: BN_free(pub_key); BN_CTX_free(ctx); + + OSSL_SELF_TEST_onend(st, ret); + OSSL_SELF_TEST_free(st); return ret; } diff --git a/deps/openssl/openssl/crypto/encode_decode/decoder_lib.c b/deps/openssl/openssl/crypto/encode_decode/decoder_lib.c index ffcf3cde115..dedfb24e569 100644 --- a/deps/openssl/openssl/crypto/encode_decode/decoder_lib.c +++ b/deps/openssl/openssl/crypto/encode_decode/decoder_lib.c @@ -537,6 +537,14 @@ static void collect_extra_decoder(OSSL_DECODER *decoder, void *arg) } } +static int decoder_sk_cmp(const OSSL_DECODER_INSTANCE *const *a, + const OSSL_DECODER_INSTANCE *const *b) +{ + if ((*a)->score == (*b)->score) + return (*a)->order - (*b)->order; + return (*a)->score - (*b)->score; +} + int OSSL_DECODER_CTX_add_extra(OSSL_DECODER_CTX *ctx, OSSL_LIB_CTX *libctx, const char *propq) { @@ -595,6 +603,26 @@ int OSSL_DECODER_CTX_add_extra(OSSL_DECODER_CTX *ctx, OSSL_DECODER_do_all_provided(libctx, collect_all_decoders, skdecoders); numdecoders = sk_OSSL_DECODER_num(skdecoders); + /* + * If there are provided or default properties, sort the initial decoder list + * by property matching score so that the highest scored provider is selected + * first. + */ + if (propq != NULL || ossl_ctx_global_properties(libctx, 0) != NULL) { + int num_decoder_insts = sk_OSSL_DECODER_INSTANCE_num(ctx->decoder_insts); + int i; + OSSL_DECODER_INSTANCE *di; + sk_OSSL_DECODER_INSTANCE_compfunc old_cmp = + sk_OSSL_DECODER_INSTANCE_set_cmp_func(ctx->decoder_insts, decoder_sk_cmp); + + for (i = 0; i < num_decoder_insts; i++) { + di = sk_OSSL_DECODER_INSTANCE_value(ctx->decoder_insts, i); + di->order = i; + } + sk_OSSL_DECODER_INSTANCE_sort(ctx->decoder_insts); + sk_OSSL_DECODER_INSTANCE_set_cmp_func(ctx->decoder_insts, old_cmp); + } + memset(&data, 0, sizeof(data)); data.ctx = ctx; data.w_prev_start = 0; diff --git a/deps/openssl/openssl/crypto/encode_decode/decoder_pkey.c b/deps/openssl/openssl/crypto/encode_decode/decoder_pkey.c index f99566bde74..9fc4e231233 100644 --- a/deps/openssl/openssl/crypto/encode_decode/decoder_pkey.c +++ b/deps/openssl/openssl/crypto/encode_decode/decoder_pkey.c @@ -222,15 +222,21 @@ struct collect_data_st { int total; /* number of matching results */ char error_occurred; char keytype_resolved; + OSSL_PROPERTY_LIST *pq; STACK_OF(EVP_KEYMGMT) *keymgmts; }; -static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder, - void *provctx, struct collect_data_st *data) +/* + * Add decoder instance to the decoder context if it is compatible. Returns 1 + * if a decoder was added, 0 otherwise. + */ +static int collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder, + void *provctx, struct collect_data_st *data) { void *decoderctx = NULL; OSSL_DECODER_INSTANCE *di = NULL; + const OSSL_PROPERTY_LIST *props; /* * We already checked the EVP_KEYMGMT is applicable in check_keymgmt so we @@ -239,17 +245,17 @@ static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder, if (keymgmt->name_id != decoder->base.id) /* Mismatch is not an error, continue. */ - return; + return 0; if ((decoderctx = decoder->newctx(provctx)) == NULL) { data->error_occurred = 1; - return; + return 0; } if ((di = ossl_decoder_instance_new(decoder, decoderctx)) == NULL) { decoder->freectx(decoderctx); data->error_occurred = 1; - return; + return 0; } /* @@ -263,7 +269,7 @@ static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder, || OPENSSL_strcasecmp(data->ctx->start_input_type, "PEM") != 0)) { /* Mismatch is not an error, continue. */ ossl_decoder_instance_free(di); - return; + return 0; } OSSL_TRACE_BEGIN(DECODER) { @@ -275,13 +281,30 @@ static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder, OSSL_DECODER_get0_properties(decoder)); } OSSL_TRACE_END(DECODER); + /* + * Get the property match score so the decoders can be prioritized later. + */ + props = ossl_decoder_parsed_properties(decoder); + if (data->pq != NULL && props != NULL) { + di->score = ossl_property_match_count(data->pq, props); + /* + * Mismatch of mandatory properties is not an error, the decoder is just + * ignored, continue. + */ + if (di->score < 0) { + ossl_decoder_instance_free(di); + return 0; + } + } + if (!ossl_decoder_ctx_add_decoder_inst(data->ctx, di)) { ossl_decoder_instance_free(di); data->error_occurred = 1; - return; + return 0; } ++data->total; + return 1; } static void collect_decoder(OSSL_DECODER *decoder, void *arg) @@ -321,7 +344,9 @@ static void collect_decoder(OSSL_DECODER *decoder, void *arg) for (i = 0; i < end_i; ++i) { keymgmt = sk_EVP_KEYMGMT_value(keymgmts, i); - collect_decoder_keymgmt(keymgmt, decoder, provctx, data); + /* Only add this decoder once */ + if (collect_decoder_keymgmt(keymgmt, decoder, provctx, data)) + break; if (data->error_occurred) return; } @@ -407,6 +432,8 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, struct decoder_pkey_data_st *process_data = NULL; struct collect_data_st collect_data = { NULL }; STACK_OF(EVP_KEYMGMT) *keymgmts = NULL; + OSSL_PROPERTY_LIST **plp; + OSSL_PROPERTY_LIST *pq = NULL, *p2 = NULL; OSSL_TRACE_BEGIN(DECODER) { const char *input_type = ctx->start_input_type; @@ -442,6 +469,25 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, process_data->selection = ctx->selection; process_data->keymgmts = keymgmts; + /* + * Collect passed and default properties to prioritize the decoders. + */ + if (propquery != NULL) + p2 = pq = ossl_parse_query(libctx, propquery, 1); + + plp = ossl_ctx_global_properties(libctx, 0); + if (plp != NULL && *plp != NULL) { + if (pq == NULL) { + pq = *plp; + } else { + p2 = ossl_property_merge(pq, *plp); + ossl_property_free(pq); + if (p2 == NULL) + goto err; + pq = p2; + } + } + /* * Enumerate all keymgmts into a stack. * @@ -457,10 +503,11 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, * upfront, as this ensures that the names for all loaded providers have * been registered by the time we try to resolve the keytype string. */ - collect_data.ctx = ctx; - collect_data.libctx = libctx; - collect_data.keymgmts = keymgmts; - collect_data.keytype = keytype; + collect_data.ctx = ctx; + collect_data.libctx = libctx; + collect_data.keymgmts = keymgmts; + collect_data.keytype = keytype; + collect_data.pq = pq; EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, &collect_data); if (collect_data.error_occurred) @@ -496,6 +543,7 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, ok = 1; err: decoder_clean_pkey_construct_arg(process_data); + ossl_property_free(p2); return ok; } diff --git a/deps/openssl/openssl/crypto/encode_decode/encoder_local.h b/deps/openssl/openssl/crypto/encode_decode/encoder_local.h index a2846d309ea..11e52cfeec7 100644 --- a/deps/openssl/openssl/crypto/encode_decode/encoder_local.h +++ b/deps/openssl/openssl/crypto/encode_decode/encoder_local.h @@ -109,6 +109,8 @@ struct ossl_decoder_instance_st { const char *input_type; /* Never NULL */ const char *input_structure; /* May be NULL */ int input_type_id; + int order; /* For stable ordering of decoders wrt proqs */ + int score; /* For ordering decoders wrt proqs */ unsigned int flag_input_structure_was_set : 1; }; diff --git a/deps/openssl/openssl/crypto/evp/asymcipher.c b/deps/openssl/openssl/crypto/evp/asymcipher.c index 975170c0aa0..c97ce338fdf 100644 --- a/deps/openssl/openssl/crypto/evp/asymcipher.c +++ b/deps/openssl/openssl/crypto/evp/asymcipher.c @@ -261,10 +261,12 @@ int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx, cipher = ctx->op.ciph.cipher; desc = cipher->description != NULL ? cipher->description : ""; + ERR_set_mark(); ret = cipher->encrypt(ctx->op.ciph.algctx, out, outlen, (out == NULL ? 0 : *outlen), in, inlen); - if (ret <= 0) + if (ret <= 0 && ERR_count_to_mark() == 0) ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_ASYM_CIPHER_FAILURE, "%s encrypt:%s", cipher->type_name, desc); + ERR_clear_last_mark(); return ret; legacy: @@ -309,10 +311,12 @@ int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx, cipher = ctx->op.ciph.cipher; desc = cipher->description != NULL ? cipher->description : ""; + ERR_set_mark(); ret = cipher->decrypt(ctx->op.ciph.algctx, out, outlen, (out == NULL ? 0 : *outlen), in, inlen); - if (ret <= 0) + if (ret <= 0 && ERR_count_to_mark() == 0) ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_ASYM_CIPHER_FAILURE, "%s decrypt:%s", cipher->type_name, desc); + ERR_clear_last_mark(); return ret; diff --git a/deps/openssl/openssl/crypto/evp/keymgmt_meth.c b/deps/openssl/openssl/crypto/evp/keymgmt_meth.c index f54684852b7..f57153b2c1a 100644 --- a/deps/openssl/openssl/crypto/evp/keymgmt_meth.c +++ b/deps/openssl/openssl/crypto/evp/keymgmt_meth.c @@ -460,10 +460,12 @@ void *evp_keymgmt_gen(const EVP_KEYMGMT *keymgmt, void *genctx, return NULL; } + ERR_set_mark(); ret = keymgmt->gen(genctx, cb, cbarg); - if (ret == NULL) + if (ret == NULL && ERR_count_to_mark() == 0) ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_KEYMGMT_FAILURE, "%s key generation:%s", keymgmt->type_name, desc); + ERR_clear_last_mark(); return ret; } diff --git a/deps/openssl/openssl/crypto/evp/m_sigver.c b/deps/openssl/openssl/crypto/evp/m_sigver.c index d5df497da77..c27ed6dbe9b 100644 --- a/deps/openssl/openssl/crypto/evp/m_sigver.c +++ b/deps/openssl/openssl/crypto/evp/m_sigver.c @@ -426,10 +426,12 @@ int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) return 0; } + ERR_set_mark(); ret = signature->digest_sign_update(pctx->op.sig.algctx, data, dsize); - if (ret <= 0) + if (ret <= 0 && ERR_count_to_mark() == 0) ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE, "%s digest_sign_update:%s", signature->type_name, desc); + ERR_clear_last_mark(); return ret; legacy: @@ -470,10 +472,12 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) return 0; } + ERR_set_mark(); ret = signature->digest_verify_update(pctx->op.sig.algctx, data, dsize); - if (ret <= 0) + if (ret <= 0 && ERR_count_to_mark() == 0) ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE, "%s digest_verify_update:%s", signature->type_name, desc); + ERR_clear_last_mark(); return ret; legacy: @@ -523,11 +527,13 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, pctx = dctx; } + ERR_set_mark(); r = signature->digest_sign_final(pctx->op.sig.algctx, sigret, siglen, sigret == NULL ? 0 : *siglen); - if (!r) + if (!r && ERR_count_to_mark() == 0) ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE, "%s digest_sign_final:%s", signature->type_name, desc); + ERR_clear_last_mark(); if (dctx == NULL && sigret != NULL) ctx->flags |= EVP_MD_CTX_FLAG_FINALISED; else @@ -634,11 +640,13 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, if (sigret != NULL) ctx->flags |= EVP_MD_CTX_FLAG_FINALISED; + ERR_set_mark(); ret = signature->digest_sign(pctx->op.sig.algctx, sigret, siglen, sigret == NULL ? 0 : *siglen, tbs, tbslen); - if (ret <= 0) + if (ret <= 0 && ERR_count_to_mark() == 0) ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE, "%s digest_sign:%s", signature->type_name, desc); + ERR_clear_last_mark(); return ret; } } else { @@ -689,10 +697,12 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, pctx = dctx; } + ERR_set_mark(); r = signature->digest_verify_final(pctx->op.sig.algctx, sig, siglen); - if (!r) + if (!r && ERR_count_to_mark() == 0) ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE, "%s digest_verify_final:%s", signature->type_name, desc); + ERR_clear_last_mark(); if (dctx == NULL) ctx->flags |= EVP_MD_CTX_FLAG_FINALISED; else @@ -765,10 +775,12 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, int ret; ctx->flags |= EVP_MD_CTX_FLAG_FINALISED; + ERR_set_mark(); ret = signature->digest_verify(pctx->op.sig.algctx, sigret, siglen, tbs, tbslen); - if (ret <= 0) + if (ret <= 0 && ERR_count_to_mark() == 0) ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE, "%s digest_verify:%s", signature->type_name, desc); + ERR_clear_last_mark(); return ret; } } else { diff --git a/deps/openssl/openssl/crypto/perlasm/x86asm.pl b/deps/openssl/openssl/crypto/perlasm/x86asm.pl index 05b5ff94c54..2ec16c5571d 100644 --- a/deps/openssl/openssl/crypto/perlasm/x86asm.pl +++ b/deps/openssl/openssl/crypto/perlasm/x86asm.pl @@ -174,9 +174,9 @@ sub ::vprotd sub ::endbranch { - &::generic("%ifdef __CET__\n"); + &::generic("#ifdef __CET__\n"); &::data_byte(0xf3,0x0f,0x1e,0xfb); - &::generic("%endif\n"); + &::generic("#endif\n"); } # label management diff --git a/deps/openssl/openssl/crypto/provider_core.c b/deps/openssl/openssl/crypto/provider_core.c index 0b675946485..ce5cf36eef9 100644 --- a/deps/openssl/openssl/crypto/provider_core.c +++ b/deps/openssl/openssl/crypto/provider_core.c @@ -2419,6 +2419,11 @@ static int core_pop_error_to_mark(const OSSL_CORE_HANDLE *handle) return ERR_pop_to_mark(); } +static int core_count_to_mark(const OSSL_CORE_HANDLE *handle) +{ + return ERR_count_to_mark(); +} + static void core_indicator_get_callback(OPENSSL_CORE_CTX *libctx, OSSL_INDICATOR_CALLBACK **cb) { @@ -2600,6 +2605,7 @@ static const OSSL_DISPATCH core_dispatch_[] = { { OSSL_FUNC_CORE_CLEAR_LAST_ERROR_MARK, (void (*)(void))core_clear_last_error_mark }, { OSSL_FUNC_CORE_POP_ERROR_TO_MARK, (void (*)(void))core_pop_error_to_mark }, + { OSSL_FUNC_CORE_COUNT_TO_MARK, (void (*)(void))core_count_to_mark }, { OSSL_FUNC_BIO_NEW_FILE, (void (*)(void))ossl_core_bio_new_file }, { OSSL_FUNC_BIO_NEW_MEMBUF, (void (*)(void))ossl_core_bio_new_mem_buf }, { OSSL_FUNC_BIO_READ_EX, (void (*)(void))ossl_core_bio_read_ex }, diff --git a/deps/openssl/openssl/crypto/rsa/rsa_gen.c b/deps/openssl/openssl/crypto/rsa/rsa_gen.c index f76bb774836..32084a822ca 100644 --- a/deps/openssl/openssl/crypto/rsa/rsa_gen.c +++ b/deps/openssl/openssl/crypto/rsa/rsa_gen.c @@ -734,3 +734,18 @@ err: return ret; } + +#ifdef FIPS_MODULE +int ossl_rsa_key_pairwise_test(RSA *rsa) +{ + OSSL_CALLBACK *stcb; + void *stcbarg; + int res; + + OSSL_SELF_TEST_get_callback(rsa->libctx, &stcb, &stcbarg); + res = rsa_keygen_pairwise_test(rsa, stcb, stcbarg); + if (res <= 0) + ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT); + return res; +} +#endif /* FIPS_MODULE */ diff --git a/deps/openssl/openssl/crypto/slh_dsa/slh_hash.c b/deps/openssl/openssl/crypto/slh_dsa/slh_hash.c index 6a8d6bab03c..8eb8ab4e860 100644 --- a/deps/openssl/openssl/crypto/slh_dsa/slh_hash.c +++ b/deps/openssl/openssl/crypto/slh_dsa/slh_hash.c @@ -158,6 +158,9 @@ slh_hmsg_sha2(SLH_DSA_HASH_CTX *hctx, const uint8_t *r, const uint8_t *pk_seed, int sz = EVP_MD_get_size(hctx->key->md_big); size_t seed_len = (size_t)sz + 2 * n; + if (sz <= 0) + return 0; + memcpy(seed, r, n); memcpy(seed + n, pk_seed, n); return digest_4(hctx->md_big_ctx, r, n, pk_seed, n, pk_root, n, msg, msg_len, diff --git a/deps/openssl/openssl/crypto/sm2/sm2_sign.c b/deps/openssl/openssl/crypto/sm2/sm2_sign.c index 28cf95cc48c..7c49128b47d 100644 --- a/deps/openssl/openssl/crypto/sm2/sm2_sign.c +++ b/deps/openssl/openssl/crypto/sm2/sm2_sign.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2017 Ribose Inc. All Rights Reserved. * Ported from Ribose contributions from Botan. * @@ -220,6 +220,10 @@ static ECDSA_SIG *sm2_sig_gen(const EC_KEY *key, const BIGNUM *e) BIGNUM *tmp = NULL; OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key); + if (dA == NULL) { + ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_PRIVATE_KEY); + goto done; + } kG = EC_POINT_new(group); if (kG == NULL) { ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB); diff --git a/deps/openssl/openssl/crypto/store/store_lib.c b/deps/openssl/openssl/crypto/store/store_lib.c index 505d606f4a9..ebf170c3e8f 100644 --- a/deps/openssl/openssl/crypto/store/store_lib.c +++ b/deps/openssl/openssl/crypto/store/store_lib.c @@ -428,12 +428,6 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx) if (ctx->loader != NULL) OSSL_TRACE(STORE, "Loading next object\n"); - if (ctx->cached_info != NULL - && sk_OSSL_STORE_INFO_num(ctx->cached_info) == 0) { - sk_OSSL_STORE_INFO_free(ctx->cached_info); - ctx->cached_info = NULL; - } - if (ctx->cached_info != NULL) { v = sk_OSSL_STORE_INFO_shift(ctx->cached_info); } else { @@ -556,14 +550,23 @@ int OSSL_STORE_error(OSSL_STORE_CTX *ctx) int OSSL_STORE_eof(OSSL_STORE_CTX *ctx) { - int ret = 1; + int ret = 0; - if (ctx->fetched_loader != NULL) - ret = ctx->loader->p_eof(ctx->loader_ctx); + if (ctx->cached_info != NULL + && sk_OSSL_STORE_INFO_num(ctx->cached_info) == 0) { + sk_OSSL_STORE_INFO_free(ctx->cached_info); + ctx->cached_info = NULL; + } + + if (ctx->cached_info == NULL) { + ret = 1; + if (ctx->fetched_loader != NULL) + ret = ctx->loader->p_eof(ctx->loader_ctx); #ifndef OPENSSL_NO_DEPRECATED_3_0 - if (ctx->fetched_loader == NULL) - ret = ctx->loader->eof(ctx->loader_ctx); + if (ctx->fetched_loader == NULL) + ret = ctx->loader->eof(ctx->loader_ctx); #endif + } return ret != 0; } diff --git a/deps/openssl/openssl/crypto/x509/x_crl.c b/deps/openssl/openssl/crypto/x509/x_crl.c index 2601a019f87..7af3e9a7e7f 100644 --- a/deps/openssl/openssl/crypto/x509/x_crl.c +++ b/deps/openssl/openssl/crypto/x509/x_crl.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -289,6 +289,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) { int idp_only = 0; + int ret = 0; /* Set various flags according to IDP */ crl->idp_flags |= IDP_PRESENT; @@ -320,7 +321,17 @@ static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) crl->idp_reasons &= CRLDP_ALL_REASONS; } - return DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl)); + ret = DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl)); + + /* + * RFC5280 specifies that if onlyContainsUserCerts, onlyContainsCACerts, + * indirectCRL, and OnlyContainsAttributeCerts are all FALSE, there must + * be either a distributionPoint field or an onlySomeReasons field present. + */ + if (crl->idp_flags == IDP_PRESENT && idp->distpoint == NULL) + crl->idp_flags |= IDP_INVALID; + + return ret; } ASN1_SEQUENCE_ref(X509_CRL, crl_cb) = { diff --git a/deps/openssl/openssl/fuzz/dtlsserver.c b/deps/openssl/openssl/fuzz/dtlsserver.c index 68ddb1e6e68..7ea57ea0533 100644 --- a/deps/openssl/openssl/fuzz/dtlsserver.c +++ b/deps/openssl/openssl/fuzz/dtlsserver.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -590,10 +590,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) SSL *server; BIO *in; BIO *out; -#if !defined(OPENSSL_NO_EC) \ - || (!defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)) BIO *bio_buf; -#endif SSL_CTX *ctx; int ret; #ifndef OPENSSL_NO_DEPRECATED_3_0 diff --git a/deps/openssl/openssl/include/crypto/bn_conf.h b/deps/openssl/openssl/include/crypto/bn_conf.h deleted file mode 100644 index 79400c6472a..00000000000 --- a/deps/openssl/openssl/include/crypto/bn_conf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/bn_conf.h" diff --git a/deps/openssl/openssl/include/crypto/dh.h b/deps/openssl/openssl/include/crypto/dh.h index 51232d18c24..b4a4a3c1fae 100644 --- a/deps/openssl/openssl/include/crypto/dh.h +++ b/deps/openssl/openssl/include/crypto/dh.h @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -42,7 +42,7 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); int ossl_dh_check_pub_key_partial(const DH *dh, const BIGNUM *pub_key, int *ret); int ossl_dh_check_priv_key(const DH *dh, const BIGNUM *priv_key, int *ret); -int ossl_dh_check_pairwise(const DH *dh); +int ossl_dh_check_pairwise(const DH *dh, int return_on_null_numbers); const DH_METHOD *ossl_dh_get_method(const DH *dh); diff --git a/deps/openssl/openssl/include/crypto/dso_conf.h b/deps/openssl/openssl/include/crypto/dso_conf.h deleted file mode 100644 index e7f2afa9872..00000000000 --- a/deps/openssl/openssl/include/crypto/dso_conf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/dso_conf.h" diff --git a/deps/openssl/openssl/include/crypto/rsa.h b/deps/openssl/openssl/include/crypto/rsa.h index dcb465cbcae..ffbc95a7788 100644 --- a/deps/openssl/openssl/include/crypto/rsa.h +++ b/deps/openssl/openssl/include/crypto/rsa.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -124,6 +124,10 @@ ASN1_STRING *ossl_rsa_ctx_to_pss_string(EVP_PKEY_CTX *pkctx); int ossl_rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx, const X509_ALGOR *sigalg, EVP_PKEY *pkey); +# ifdef FIPS_MODULE +int ossl_rsa_key_pairwise_test(RSA *rsa); +# endif /* FIPS_MODULE */ + # if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) int ossl_rsa_acvp_test_gen_params_new(OSSL_PARAM **dst, const OSSL_PARAM src[]); void ossl_rsa_acvp_test_gen_params_free(OSSL_PARAM *dst); diff --git a/deps/openssl/openssl/include/internal/param_names.h b/deps/openssl/openssl/include/internal/param_names.h deleted file mode 100644 index 2878ad3c8c3..00000000000 --- a/deps/openssl/openssl/include/internal/param_names.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/param_names.h" diff --git a/deps/openssl/openssl/include/internal/quic_ackm.h b/deps/openssl/openssl/include/internal/quic_ackm.h index c271dfca2e1..949d91903bb 100644 --- a/deps/openssl/openssl/include/internal/quic_ackm.h +++ b/deps/openssl/openssl/include/internal/quic_ackm.h @@ -1,5 +1,5 @@ /* - * Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -23,7 +23,7 @@ OSSL_ACKM *ossl_ackm_new(OSSL_TIME (*now)(void *arg), void *now_arg, OSSL_STATM *statm, const OSSL_CC_METHOD *cc_method, - OSSL_CC_DATA *cc_data); + OSSL_CC_DATA *cc_data, int is_server); void ossl_ackm_free(OSSL_ACKM *ackm); void ossl_ackm_set_loss_detection_deadline_callback(OSSL_ACKM *ackm, diff --git a/deps/openssl/openssl/include/openssl/asn1.h b/deps/openssl/openssl/include/openssl/asn1.h deleted file mode 100644 index cd9fc7cc706..00000000000 --- a/deps/openssl/openssl/include/openssl/asn1.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/asn1.h" diff --git a/deps/openssl/openssl/include/openssl/asn1t.h b/deps/openssl/openssl/include/openssl/asn1t.h deleted file mode 100644 index 6ff4f574949..00000000000 --- a/deps/openssl/openssl/include/openssl/asn1t.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/asn1t.h" diff --git a/deps/openssl/openssl/include/openssl/bio.h b/deps/openssl/openssl/include/openssl/bio.h deleted file mode 100644 index dcece3cb4d6..00000000000 --- a/deps/openssl/openssl/include/openssl/bio.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/bio.h" diff --git a/deps/openssl/openssl/include/openssl/cmp.h b/deps/openssl/openssl/include/openssl/cmp.h deleted file mode 100644 index 7c8a6dc96fc..00000000000 --- a/deps/openssl/openssl/include/openssl/cmp.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/cmp.h" diff --git a/deps/openssl/openssl/include/openssl/cms.h b/deps/openssl/openssl/include/openssl/cms.h deleted file mode 100644 index 33a00775c9f..00000000000 --- a/deps/openssl/openssl/include/openssl/cms.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/cms.h" diff --git a/deps/openssl/openssl/include/openssl/comp.h b/deps/openssl/openssl/include/openssl/comp.h deleted file mode 100644 index 2c5927233fc..00000000000 --- a/deps/openssl/openssl/include/openssl/comp.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/comp.h" diff --git a/deps/openssl/openssl/include/openssl/conf.h b/deps/openssl/openssl/include/openssl/conf.h deleted file mode 100644 index 2712886cafc..00000000000 --- a/deps/openssl/openssl/include/openssl/conf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/conf.h" diff --git a/deps/openssl/openssl/include/openssl/configuration.h b/deps/openssl/openssl/include/openssl/configuration.h deleted file mode 100644 index 8ffad996047..00000000000 --- a/deps/openssl/openssl/include/openssl/configuration.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/configuration.h" diff --git a/deps/openssl/openssl/include/openssl/core_dispatch.h b/deps/openssl/openssl/include/openssl/core_dispatch.h index 690a38206a3..13de04e2622 100644 --- a/deps/openssl/openssl/include/openssl/core_dispatch.h +++ b/deps/openssl/openssl/include/openssl/core_dispatch.h @@ -253,6 +253,10 @@ OSSL_CORE_MAKE_FUNC(int, provider_up_ref, OSSL_CORE_MAKE_FUNC(int, provider_free, (const OSSL_CORE_HANDLE *prov, int deactivate)) +/* Additional error functions provided by the core */ +# define OSSL_FUNC_CORE_COUNT_TO_MARK 120 +OSSL_CORE_MAKE_FUNC(int, core_count_to_mark, (const OSSL_CORE_HANDLE *prov)) + /* Functions provided by the provider to the Core, reserved numbers 1024-1535 */ # define OSSL_FUNC_PROVIDER_TEARDOWN 1024 OSSL_CORE_MAKE_FUNC(void, provider_teardown, (void *provctx)) diff --git a/deps/openssl/openssl/include/openssl/core_names.h b/deps/openssl/openssl/include/openssl/core_names.h deleted file mode 100644 index b7b7d7c73d1..00000000000 --- a/deps/openssl/openssl/include/openssl/core_names.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/core_names.h" diff --git a/deps/openssl/openssl/include/openssl/crmf.h b/deps/openssl/openssl/include/openssl/crmf.h deleted file mode 100644 index 4103852ecb2..00000000000 --- a/deps/openssl/openssl/include/openssl/crmf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/crmf.h" diff --git a/deps/openssl/openssl/include/openssl/crypto.h b/deps/openssl/openssl/include/openssl/crypto.h deleted file mode 100644 index 6d0e701ebd3..00000000000 --- a/deps/openssl/openssl/include/openssl/crypto.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/crypto.h" diff --git a/deps/openssl/openssl/include/openssl/ct.h b/deps/openssl/openssl/include/openssl/ct.h deleted file mode 100644 index 7ebb8438713..00000000000 --- a/deps/openssl/openssl/include/openssl/ct.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/ct.h" diff --git a/deps/openssl/openssl/include/openssl/err.h b/deps/openssl/openssl/include/openssl/err.h deleted file mode 100644 index bf482070474..00000000000 --- a/deps/openssl/openssl/include/openssl/err.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/err.h" diff --git a/deps/openssl/openssl/include/openssl/ess.h b/deps/openssl/openssl/include/openssl/ess.h deleted file mode 100644 index 64cc0162251..00000000000 --- a/deps/openssl/openssl/include/openssl/ess.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/ess.h" diff --git a/deps/openssl/openssl/include/openssl/fipskey.h b/deps/openssl/openssl/include/openssl/fipskey.h deleted file mode 100644 index c012013d98d..00000000000 --- a/deps/openssl/openssl/include/openssl/fipskey.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/fipskey.h" diff --git a/deps/openssl/openssl/include/openssl/lhash.h b/deps/openssl/openssl/include/openssl/lhash.h deleted file mode 100644 index 8d824f5cfe6..00000000000 --- a/deps/openssl/openssl/include/openssl/lhash.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/lhash.h" diff --git a/deps/openssl/openssl/include/openssl/ocsp.h b/deps/openssl/openssl/include/openssl/ocsp.h deleted file mode 100644 index 5b13afedf36..00000000000 --- a/deps/openssl/openssl/include/openssl/ocsp.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/ocsp.h" diff --git a/deps/openssl/openssl/include/openssl/opensslv.h b/deps/openssl/openssl/include/openssl/opensslv.h deleted file mode 100644 index 078cfba40fb..00000000000 --- a/deps/openssl/openssl/include/openssl/opensslv.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/opensslv.h" diff --git a/deps/openssl/openssl/include/openssl/pem.h b/deps/openssl/openssl/include/openssl/pem.h index 94424e6c209..de1b6581f28 100644 --- a/deps/openssl/openssl/include/openssl/pem.h +++ b/deps/openssl/openssl/include/openssl/pem.h @@ -57,6 +57,7 @@ extern "C" { # define PEM_STRING_ECPRIVATEKEY "EC PRIVATE KEY" # define PEM_STRING_PARAMETERS "PARAMETERS" # define PEM_STRING_CMS "CMS" +# define PEM_STRING_SM2PRIVATEKEY "SM2 PRIVATE KEY" # define PEM_STRING_SM2PARAMETERS "SM2 PARAMETERS" # define PEM_STRING_ACERT "ATTRIBUTE CERTIFICATE" diff --git a/deps/openssl/openssl/include/openssl/pkcs12.h b/deps/openssl/openssl/include/openssl/pkcs12.h deleted file mode 100644 index 2d7e2c08e99..00000000000 --- a/deps/openssl/openssl/include/openssl/pkcs12.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/pkcs12.h" diff --git a/deps/openssl/openssl/include/openssl/pkcs7.h b/deps/openssl/openssl/include/openssl/pkcs7.h deleted file mode 100644 index b553f9d0f05..00000000000 --- a/deps/openssl/openssl/include/openssl/pkcs7.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/pkcs7.h" diff --git a/deps/openssl/openssl/include/openssl/safestack.h b/deps/openssl/openssl/include/openssl/safestack.h deleted file mode 100644 index 989eafb3302..00000000000 --- a/deps/openssl/openssl/include/openssl/safestack.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/safestack.h" diff --git a/deps/openssl/openssl/include/openssl/self_test.h b/deps/openssl/openssl/include/openssl/self_test.h index 2d39e096eea..c4439cb2871 100644 --- a/deps/openssl/openssl/include/openssl/self_test.h +++ b/deps/openssl/openssl/include/openssl/self_test.h @@ -50,6 +50,7 @@ extern "C" { # define OSSL_SELF_TEST_DESC_PCT_RSA_PKCS1 "RSA" # define OSSL_SELF_TEST_DESC_PCT_ECDSA "ECDSA" # define OSSL_SELF_TEST_DESC_PCT_EDDSA "EDDSA" +# define OSSL_SELF_TEST_DESC_PCT_DH "DH" # define OSSL_SELF_TEST_DESC_PCT_DSA "DSA" # define OSSL_SELF_TEST_DESC_PCT_ML_DSA "ML-DSA" # define OSSL_SELF_TEST_DESC_PCT_ML_KEM "ML-KEM" diff --git a/deps/openssl/openssl/include/openssl/srp.h b/deps/openssl/openssl/include/openssl/srp.h deleted file mode 100644 index 9df42dad4c3..00000000000 --- a/deps/openssl/openssl/include/openssl/srp.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/srp.h" diff --git a/deps/openssl/openssl/include/openssl/ssl.h b/deps/openssl/openssl/include/openssl/ssl.h deleted file mode 100644 index eb74ca98a97..00000000000 --- a/deps/openssl/openssl/include/openssl/ssl.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/ssl.h" diff --git a/deps/openssl/openssl/include/openssl/ui.h b/deps/openssl/openssl/include/openssl/ui.h deleted file mode 100644 index f5edb766b4f..00000000000 --- a/deps/openssl/openssl/include/openssl/ui.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/ui.h" diff --git a/deps/openssl/openssl/include/openssl/x509.h b/deps/openssl/openssl/include/openssl/x509.h deleted file mode 100644 index ed28bd68cb2..00000000000 --- a/deps/openssl/openssl/include/openssl/x509.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/x509.h" diff --git a/deps/openssl/openssl/include/openssl/x509_acert.h b/deps/openssl/openssl/include/openssl/x509_acert.h deleted file mode 100644 index 331904d4184..00000000000 --- a/deps/openssl/openssl/include/openssl/x509_acert.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/x509_acert.h" diff --git a/deps/openssl/openssl/include/openssl/x509_vfy.h b/deps/openssl/openssl/include/openssl/x509_vfy.h deleted file mode 100644 index 9270a3ee097..00000000000 --- a/deps/openssl/openssl/include/openssl/x509_vfy.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/x509_vfy.h" diff --git a/deps/openssl/openssl/include/openssl/x509v3.h b/deps/openssl/openssl/include/openssl/x509v3.h deleted file mode 100644 index 5629ae9a3a9..00000000000 --- a/deps/openssl/openssl/include/openssl/x509v3.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/x509v3.h" diff --git a/deps/openssl/openssl/providers/fips-sources.checksums b/deps/openssl/openssl/providers/fips-sources.checksums index 9f25bac77f3..04b820f1f1e 100644 --- a/deps/openssl/openssl/providers/fips-sources.checksums +++ b/deps/openssl/openssl/providers/fips-sources.checksums @@ -136,7 +136,7 @@ eeef5722ad56bf1af2ff71681bcc8b8525bc7077e973c98cee920ce9bcc66c81 crypto/des/ecb 9549901d6f0f96cd17bd76c2b6cb33fb25641707bfdb8ed34aab250c34f7f4f6 crypto/des/set_key.c 8344811b14d151f6cd40a7bc45c8f4a1106252b119c1d5e6a589a023f39b107d crypto/des/spr.h a54b1b60cf48ca89dfb3f71d299794dd6c2e462c576b0fe583d1448f819c80ea crypto/dh/dh_backend.c -24cf9462da6632c52b726041271f8a43dfb3f74414abe460d9cc9c7fd2fd2d7d crypto/dh/dh_check.c +9db32c052fb3cf7c36ab8e642f4852c2fa68a7b6bae0e3b1746522f826827068 crypto/dh/dh_check.c c117ac4fd24369c7813ac9dc9685640700a82bb32b0f7e038e85afd6c8db75c7 crypto/dh/dh_gen.c 6b17861887b2535159b9e6ca4f927767dad3e71b6e8be50055bc784f78e92d64 crypto/dh/dh_group_params.c a539a8930035fee3b723d74a1d13e931ff69a2b523c83d4a2d0d9db6c78ba902 crypto/dh/dh_kdf.c @@ -204,7 +204,7 @@ a47d8541bb2cc180f4c7d3ac0f888657e17621b318ea8a2eacdefb1926efb500 crypto/ec/ecp_ 43f81968983e9a466b7dc9cffe64302418703f7a66adcbac4b7c4d8cb19c9af5 crypto/ec/ecx_backend.c 5ee19c357c318b2948ff5d9118a626a6207af2b2eade7d8536051d4a522668d3 crypto/ec/ecx_backend.h 2be4ca60082891bdc99f8c6ebc5392c1f0a7a53f0bcf18dcf5497a7aee0b9c84 crypto/ec/ecx_key.c -73c956c97fd558b0fd267934657fb829fd8d9ab12dda2d96d3ca1521f0416ca8 crypto/evp/asymcipher.c +c1f04d877f96f2d0852290e34b1994dd48222650ac1121903cee9c259fe3ebf2 crypto/evp/asymcipher.c 80da494704c8fc54fea36e5de7100a6c2fdcc5f8c50f43ac477df5f56fa57e58 crypto/evp/dh_support.c bc9f3b827e3d29ac485fff9fb1c8f71d7e2bcd883ccc44c776de2f620081df58 crypto/evp/digest.c 838277f228cd3025cf95a9cd435e5606ad1fb5d207bbb057aa29892e6a657c55 crypto/evp/ec_support.c @@ -219,7 +219,7 @@ baccbd623a94ba350c07e0811033ad66a2c892ef51ccb051b4a65bf2ba625a85 crypto/evp/evp 90742590db894920ffdb737a450ee591488aa455802e777400b1bf887618fd7a crypto/evp/kdf_meth.c 948f7904e81008588288a1ba7969b9de83546c687230ffe2a3fd0be1651bce8f crypto/evp/kem.c 55d141a74405415ad21789abcace9557f1d1ef54cf207e99993bf0a801f4b81e crypto/evp/keymgmt_lib.c -5cb9ddc6a7434bd7e063bf85455c2025fb34e4eb846d7d113dbcedc25eeac7a3 crypto/evp/keymgmt_meth.c +d57908a9473d2af324f32549649016f7a3c196b5ac8b54d6ca3c82f84cab5d48 crypto/evp/keymgmt_meth.c 9e44d1ffb52fee194b12c50962907c8637e7d92f08339345ec9fd3bd4a248e69 crypto/evp/mac_lib.c cd611921dc773b47207c036b9108ec820ab39d67780ba4adc9ccb9dc8da58627 crypto/evp/mac_meth.c 4f0a9a7baa72c6984edb53c46101b6ff774543603bec1e1d3a6123adf27e41db crypto/evp/p_lib.c @@ -322,7 +322,7 @@ f0c8792a99132e0b9c027cfa7370f45594a115934cdc9e8f23bdd64abecaf7fd crypto/rsa/rsa 1b828f428f0e78b591378f7b780164c4574620c68f9097de041cbd576f811bf6 crypto/rsa/rsa_backend.c 38a102cd1da1f6ca5a46e6a22f018237964336274385f5c70cbedcaa6997647e crypto/rsa/rsa_chk.c e762c599b17d5c89f4b1c9eb7d0ca1f04a95d815c86a3e72c30b231ce57fb199 crypto/rsa/rsa_crpt.c -a3d20f27ae3cb41af5b62febd0bb19025e59d401b136306d570cdba103b15542 crypto/rsa/rsa_gen.c +026645569b11cf7c1247e4537cc004eea4469ed661391aef4fbc13e96c4952ca crypto/rsa/rsa_gen.c f22bc4e2c3acab83e67820c906c1caf048ec1f0d4fcb7472c1bec753c75f8e93 crypto/rsa/rsa_lib.c 5ae8edaf654645996385fbd420ef73030762fc146bf41deb5294d6d83e257a16 crypto/rsa/rsa_local.h cf0b75cd54b61b9b9a290ef18d0ddce9fb26a029a54eb3f720d9b25188440f00 crypto/rsa/rsa_mp_names.c @@ -397,7 +397,7 @@ c26498960895d435af4ef5f592d98a0c011c00609bbba8bbd0078d4a4f081609 crypto/slh_dsa 4c7981f7db69025f52495c549fb3b3a76be62b9e13072c3f3b7f1dedeaf8cc91 crypto/slh_dsa/slh_dsa_key.h 5dcb631891eb6afcd27a6b19d2de4d493c71dab159e53620d86d9b96642e97e8 crypto/slh_dsa/slh_dsa_local.h adb3f4dea52396935b8442df7b36ed99324d3f3e8ce3fdf714d6dfd683e1f9f0 crypto/slh_dsa/slh_fors.c -ff320d5fc65580eb85e4e0530f332af515124a5ec8915b5a7ec04acad524c11d crypto/slh_dsa/slh_hash.c +3891252acdefc4eff77d7a65cc35d77bdca8083c9dd0d44ff91889ceafcccb45 crypto/slh_dsa/slh_hash.c a146cdf01b4b6e20127f0e48b30ed5e8820bec0fca2d9423c7b63eddf0f19af3 crypto/slh_dsa/slh_hash.h 6402664fbb259808a6f7b5a5d6be2b4a3cc8a905399d97b160cdb3e4a97c02c4 crypto/slh_dsa/slh_hypertree.c 98ba100862bb45d13bcddff79bc55e44eadd95f528dd49accb4da3ca85fcc52d crypto/slh_dsa/slh_params.c @@ -433,7 +433,7 @@ e69b2b20fb415e24b970941c84a62b752b5d0175bc68126e467f7cc970495504 include/crypto 6c72cfa9e59d276c1debcfd36a0aff277539b43d2272267147fad4165d72747c include/crypto/ctype.h f69643f16687c5a290b2ce6b846c6d1dddabfaf7e4d26fde8b1181955de32833 include/crypto/decoder.h 89693e0a7528a9574e1d2f80644b29e3b895d3684111dd07c18cc5bed28b45b7 include/crypto/des_platform.h -daf508bb7ed5783f1c8c622f0c230e179244dd3f584e1223a19ab95930fbcb4f include/crypto/dh.h +48d133a1eb8c3b3198cfe1cafda47f9abe8050d53004f3874f258a78f29b9e48 include/crypto/dh.h 679f6e52d9becdf51fde1649478083d18fa4f5a6ece21eeb1decf70f739f49d5 include/crypto/dsa.h c7aafee54cc3ace0c563f15aa5af2cdce13e2cfc4f9a9a133952825fb7c8faf5 include/crypto/ec.h adf369f3c9392e9f2dec5a87f61ac9e48160f4a763dae51d4ad5306c4ca4e226 include/crypto/ecx.h @@ -445,7 +445,7 @@ bbe5e52d84e65449a13e42cd2d6adce59b8ed6e73d6950917aa77dc1f3f5dff6 include/crypto 6e7762e7fb63f56d25b24f70209f4dc834c59a87f74467531ec81646f565dbe3 include/crypto/modes.h 920bc48a4dad3712bdcef188c0ce8e8a8304e0ce332b54843bab366fc5eab472 include/crypto/rand.h 71f23915ea74e93971fb0205901031be3abea7ffef2c52e4cc4848515079f68d include/crypto/rand_pool.h -6f16685ffbc97dc2ac1240bfddf4bbac2dd1ad83fff6da91aee6f3f64c6ee8ff include/crypto/rsa.h +b1df067691f9741ef9c42b2e5f12461bcd87b745514fc5701b9c9402fb10b224 include/crypto/rsa.h 32f0149ab1d82fddbdfbbc44e3078b4a4cc6936d35187e0f8d02cc0bc19f2401 include/crypto/security_bits.h 80338f3865b7c74aab343879432a6399507b834e2f55dd0e9ee7a5eeba11242a include/crypto/sha.h 0814571bff328719cc1e5a73a4daf6f5810b17f9e50fe63287f91f445f053213 include/crypto/slh_dsa.h @@ -511,7 +511,7 @@ bb45de4eafdd89c14096e9af9b0aee12b09adcee43b9313a3a373294dec99142 include/openss 69d98c5230b1c2a1b70c3e6b244fcfd8460a80ebf548542ea43bb1a57fe6cf57 include/openssl/configuration.h.in 6b3810dac6c9d6f5ee36a10ad6d895a5e4553afdfb9641ce9b7dc5db7eef30b7 include/openssl/conftypes.h 28c6f0ede39c821dcf4abeeb4e41972038ebb3e3c9d0a43ffdf28edb559470e1 include/openssl/core.h -940f6276e5bab8a7c59eedba56150902e619823c10dc5e50cf63575be6be9ba0 include/openssl/core_dispatch.h +b59255ddb1ead5531c3f0acf72fa6627d5c7192f3d23e9536eed00f32258c43b include/openssl/core_dispatch.h d37532e62315d733862d0bff8d8de9fe40292a75deacae606f4776e544844316 include/openssl/core_names.h.in 57898905771752f6303e2b1cca1c9a41ea5e9c7bf08ee06531213a65e960e424 include/openssl/crypto.h.in 628e2a9e67412e2903ecb75efb27b262db1f266b805c07ece6b85bf7ffa19dac include/openssl/cryptoerr.h @@ -559,7 +559,7 @@ ed785c451189aa5f7299f9f32a841e7f25b67c4ee937c8de8491a39240f5bd9d include/openss 2f4f0106e9b2db6636491dbe3ef81b80dbf01aefe6f73d19663423b7fcd54466 include/openssl/rsa.h 2f339ba2f22b8faa406692289a6e51fdbbb04b03f85cf3ca849835e58211ad23 include/openssl/rsaerr.h 6586f2187991731835353de0ffad0b6b57609b495e53d0f32644491ece629eb2 include/openssl/safestack.h.in -b0c9ed3ce37034524623c579e8a2ea0feb6aab39e7489ce66e2b6bf28ec81840 include/openssl/self_test.h +cad320f140eade8a90b4d068e03d2fc0448204656f8c1270f69be82bc3272806 include/openssl/self_test.h a435cb5d87a37c05921afb2d68f581018ec9f62fd9b3194ab651139b24f616d2 include/openssl/sha.h c169a015d7be52b7b99dd41c418a48d97e52ad21687c39c512a83a7c3f3ddb70 include/openssl/stack.h 22d7584ad609e30e818b54dca1dfae8dea38913fffedd25cd540c550372fb9a6 include/openssl/symhacks.h @@ -611,14 +611,14 @@ bde6107744cf6840a4c350a48265ed000c49b0524fa60b0d68d6d7b33df5fce6 providers/comm 8ea192553b423e881d85118c70bcb26a40fbdee4e110f230c966939c76f4aa7e providers/common/securitycheck_fips.c abd5997bc33b681a4ab275978b92aebca0806a4a3f0c2f41dacf11b3b6f4e101 providers/fips/fips_entry.c d8cb05784ae8533a7d9569d4fbaaea4175b63a7c9f4fb0f254215224069dea6b providers/fips/fipsindicator.c -e9383013a79a8223784a69a66bb610d16d54e61ea978f67a3d31de9f48cd4627 providers/fips/fipsprov.c +485441c31b5ff7916a12d0b8438d131a58cbc1ff6267cd266ae2dd6128c825cc providers/fips/fipsprov.c 7be8349d3b557b6d9d5f87d318253a73d21123628a08f50726502abf0e3d8a44 providers/fips/include/fips/fipsindicator.h ef204adc49776214dbb299265bc4f2c40b48848cbea4c25b8029f2b46a5c9797 providers/fips/include/fips_indicator_params.inc f2581d7b4e105f2bb6d30908f3c2d9959313be08cec6dbeb49030c125a7676d3 providers/fips/include/fips_selftest_params.inc 669f76f742bcaaf28846b057bfab97da7c162d69da244de71b7c743bf16e430f providers/fips/include/fipscommon.h 1af975061d9ea273fd337c74ccaab7b9331ab781d887c4e7164c5ac35e2c2e94 providers/fips/self_test.c 5c2c6c2f69e2eb01b88fa35630f27948e00dd2c2fd351735c74f34ccb2005cbe providers/fips/self_test.h -9c5c8131ee9a5b2d1056b5548db3269c00445294134cb30b631707f69f8904f1 providers/fips/self_test_data.inc +826d559ea7019c5db557679c3fe1ff5022be0132789c847d61da3c293fc02227 providers/fips/self_test_data.inc 2e568e2b161131240e97bd77a730c2299f961c2f1409ea8466422fc07f9be23f providers/fips/self_test_kats.c 7a368f6c6a5636593018bf10faecc3be1005e7cb3f0647f25c62b6f0fb7ac974 providers/implementations/asymciphers/rsa_enc.c c2f1b12c64fc369dfc3b9bc9e76a76de7280e6429adaee55d332eb1971ad1879 providers/implementations/ciphers/cipher_aes.c @@ -692,20 +692,20 @@ abe2b0f3711eaa34846e155cffc9242e4051c45de896f747afd5ac9d87f637dc providers/impl e18ef50cd62647a2cc784c45169d75054dccd58fc106bf623d921de995bb3c34 providers/implementations/kdfs/sskdf.c 6d9767a99a5b46d44ac9e0898ee18d219c04dfb34fda42e71d54adccbed7d57c providers/implementations/kdfs/tls1_prf.c 88d04ff4c93648a4fbfd9ce137cfc64f2c85e1850593c1ab35334b8b3de8ad99 providers/implementations/kdfs/x942kdf.c -3e199221ff78d80a3678e917dbbd232c5cd15f35b7c41bac92b60f766f656af7 providers/implementations/kem/ml_kem_kem.c +b04249bcc64d6f7ec16f494afef252356b2f56424a034ab53def90463de0cb6f providers/implementations/kem/ml_kem_kem.c a2e2b44064ef44b880b89ab6adc83686936acaa906313a37e5ec69d632912034 providers/implementations/kem/mlx_kem.c c764555b9dc9b273c280514a5d2d44156f82f3e99155a77c627f2c773209bcd7 providers/implementations/kem/rsa_kem.c -b9f7fc5c19f637cee55b0a435b838f5de3a5573ca376ba602e90f70855a78852 providers/implementations/keymgmt/dh_kmgmt.c +a780a73b02f97d42a621fe096adf57a362b458cd5e5cfe1e3e619e88a407c7d7 providers/implementations/keymgmt/dh_kmgmt.c 24cc3cc8e8681c77b7f96c83293bd66045fd8ad69f756e673ca7f8ca9e82b0af providers/implementations/keymgmt/dsa_kmgmt.c -e10086c31aafae0562054e3b07f12409e39b87b5e96ee7668c231c37861aa447 providers/implementations/keymgmt/ec_kmgmt.c +967ab174fa4fadb4d4b1d226a1870028a3945d6e85c04d08f215686fe8fd2a07 providers/implementations/keymgmt/ec_kmgmt.c 258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251 providers/implementations/keymgmt/ec_kmgmt_imexport.inc -d042d687da861d2a39658c6b857a6507a70fa78cecdf883bd1dcdafcf102e084 providers/implementations/keymgmt/ecx_kmgmt.c +b335f1aca68f0b0b3f31e73473de264c812a932517d5a2c2339754d3e3f72a8a providers/implementations/keymgmt/ecx_kmgmt.c daf35a7ab961ef70aefca981d80407935904c5da39dca6692432d6e6bc98759d providers/implementations/keymgmt/kdf_legacy_kmgmt.c d97d7c8d3410b3e560ef2becaea2a47948e22205be5162f964c5e51a7eef08cb providers/implementations/keymgmt/mac_legacy_kmgmt.c 24384616fcba4eb5594ccb2ebc199bcee8494ce1b3f4ac7824f17743e39c0279 providers/implementations/keymgmt/ml_dsa_kmgmt.c 830c339dfc7f301ce5267ef9b0dc173b84d9597509c1a61ae038f3c01af78f45 providers/implementations/keymgmt/ml_kem_kmgmt.c e15b780a1489bbe4c7d40d6aaa3bccfbf973e3946578f460eeb8373c657eee91 providers/implementations/keymgmt/mlx_kmgmt.c -9376a19735fcc79893cb3c6b0cff17a2cae61db9e9165d9a30f8def7f8e8e7c7 providers/implementations/keymgmt/rsa_kmgmt.c +d63d47e8705772c4269dbdb110400ec9a6dc49ea2217f3d2aecc8ce733d9e47f providers/implementations/keymgmt/rsa_kmgmt.c 6f0a786170ba9af860e36411d158ac0bd74bcb4d75c818a0cebadbc764759283 providers/implementations/keymgmt/slh_dsa_kmgmt.c 9d02d481b9c7c0c9e0932267d1a3e1fef00830aaa03093f000b88aa042972b9f providers/implementations/macs/cmac_prov.c 3c558b57fff3588b6832475e0b1c5be590229ad50d95a6ebb089b62bf5fe382d providers/implementations/macs/gmac_prov.c diff --git a/deps/openssl/openssl/providers/fips.checksum b/deps/openssl/openssl/providers/fips.checksum index f9e822a7f9f..0f8f0c2ec6c 100644 --- a/deps/openssl/openssl/providers/fips.checksum +++ b/deps/openssl/openssl/providers/fips.checksum @@ -1 +1 @@ -cffe76b0bc6464c7c864d5e2eaaf528439cb6c9908dc75666d530aa8a65e152e providers/fips-sources.checksums +ef8128a08964171aaf5852362d97486b641fe521ad648e0c1108fd6d7f5a78ba providers/fips-sources.checksums diff --git a/deps/openssl/openssl/providers/fips/fipsprov.c b/deps/openssl/openssl/providers/fips/fipsprov.c index 4b9a0574625..e260b5b6652 100644 --- a/deps/openssl/openssl/providers/fips/fipsprov.c +++ b/deps/openssl/openssl/providers/fips/fipsprov.c @@ -65,6 +65,7 @@ static OSSL_FUNC_core_vset_error_fn *c_vset_error; static OSSL_FUNC_core_set_error_mark_fn *c_set_error_mark; static OSSL_FUNC_core_clear_last_error_mark_fn *c_clear_last_error_mark; static OSSL_FUNC_core_pop_error_to_mark_fn *c_pop_error_to_mark; +static OSSL_FUNC_core_count_to_mark_fn *c_count_to_mark; static OSSL_FUNC_CRYPTO_malloc_fn *c_CRYPTO_malloc; static OSSL_FUNC_CRYPTO_zalloc_fn *c_CRYPTO_zalloc; static OSSL_FUNC_CRYPTO_free_fn *c_CRYPTO_free; @@ -797,6 +798,9 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle, case OSSL_FUNC_CORE_POP_ERROR_TO_MARK: set_func(c_pop_error_to_mark, OSSL_FUNC_core_pop_error_to_mark(in)); break; + case OSSL_FUNC_CORE_COUNT_TO_MARK: + set_func(c_count_to_mark, OSSL_FUNC_core_count_to_mark(in)); + break; case OSSL_FUNC_CRYPTO_MALLOC: set_func(c_CRYPTO_malloc, OSSL_FUNC_CRYPTO_malloc(in)); break; @@ -1035,6 +1039,11 @@ int ERR_pop_to_mark(void) return c_pop_error_to_mark(NULL); } +int ERR_count_to_mark(void) +{ + return c_count_to_mark != NULL ? c_count_to_mark(NULL) : 0; +} + /* * This must take a library context, since it's called from the depths * of crypto/initthread.c code, where it's (correctly) assumed that the diff --git a/deps/openssl/openssl/providers/fips/self_test_data.inc b/deps/openssl/openssl/providers/fips/self_test_data.inc index 5cbb5352a59..a8d0469900c 100644 --- a/deps/openssl/openssl/providers/fips/self_test_data.inc +++ b/deps/openssl/openssl/providers/fips/self_test_data.inc @@ -208,28 +208,6 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] = /*- CIPHER TEST DATA */ -/* DES3 test data */ -static const unsigned char des_ede3_cbc_pt[] = { - 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, - 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, - 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, - 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 -}; -static const unsigned char des_ede3_cbc_key[] = { - 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, - 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, - 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23 -}; -static const unsigned char des_ede3_cbc_iv[] = { - 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17 -}; -static const unsigned char des_ede3_cbc_ct[] = { - 0x20, 0x79, 0xC3, 0xD5, 0x3A, 0xA7, 0x63, 0xE1, - 0x93, 0xB7, 0x9E, 0x25, 0x69, 0xAB, 0x52, 0x62, - 0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F, - 0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7 -}; - /* AES-256 GCM test data */ static const unsigned char aes_256_gcm_key[] = { 0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c, @@ -907,38 +885,39 @@ static const unsigned char dh_priv[] = { 0x40, 0xb8, 0xfc, 0xe6 }; static const unsigned char dh_pub[] = { - 0x95, 0xdd, 0x33, 0x8d, 0x29, 0xe5, 0x71, 0x04, - 0x92, 0xb9, 0x18, 0x31, 0x7b, 0x72, 0xa3, 0x69, - 0x36, 0xe1, 0x95, 0x1a, 0x2e, 0xe5, 0xa5, 0x59, - 0x16, 0x99, 0xc0, 0x48, 0x6d, 0x0d, 0x4f, 0x9b, - 0xdd, 0x6d, 0x5a, 0x3f, 0x6b, 0x98, 0x89, 0x0c, - 0x62, 0xb3, 0x76, 0x52, 0xd3, 0x6e, 0x71, 0x21, - 0x11, 0xe6, 0x8a, 0x73, 0x55, 0x37, 0x25, 0x06, - 0x99, 0xef, 0xe3, 0x30, 0x53, 0x73, 0x91, 0xfb, - 0xc2, 0xc5, 0x48, 0xbc, 0x5a, 0xc3, 0xe5, 0xb2, - 0x33, 0x86, 0xc3, 0xee, 0xf5, 0xeb, 0x43, 0xc0, - 0x99, 0xd7, 0x0a, 0x52, 0x02, 0x68, 0x7e, 0x83, - 0x96, 0x42, 0x48, 0xfc, 0xa9, 0x1f, 0x40, 0x90, - 0x8e, 0x8f, 0xb3, 0x31, 0x93, 0x15, 0xf6, 0xd2, - 0x60, 0x6d, 0x7f, 0x7c, 0xd5, 0x2c, 0xc6, 0xe7, - 0xc5, 0x84, 0x3a, 0xfb, 0x22, 0x51, 0x9c, 0xf0, - 0xf0, 0xf9, 0xd3, 0xa0, 0xa4, 0xe8, 0xc8, 0x88, - 0x99, 0xef, 0xed, 0xe7, 0x36, 0x43, 0x51, 0xfb, - 0x6a, 0x36, 0x3e, 0xe7, 0x17, 0xe5, 0x44, 0x5a, - 0xda, 0xb4, 0xc9, 0x31, 0xa6, 0x48, 0x39, 0x97, - 0xb8, 0x7d, 0xad, 0x83, 0x67, 0x7e, 0x4d, 0x1d, - 0x3a, 0x77, 0x75, 0xe0, 0xf6, 0xd0, 0x0f, 0xdf, - 0x73, 0xc7, 0xad, 0x80, 0x1e, 0x66, 0x5a, 0x0e, - 0x5a, 0x79, 0x6d, 0x0a, 0x03, 0x80, 0xa1, 0x9f, - 0xa1, 0x82, 0xef, 0xc8, 0xa0, 0x4f, 0x5e, 0x4d, - 0xb9, 0x0d, 0x1a, 0x86, 0x37, 0xf9, 0x5d, 0xb1, - 0x64, 0x36, 0xbd, 0xc8, 0xf3, 0xfc, 0x09, 0x6c, - 0x4f, 0xf7, 0xf2, 0x34, 0xbe, 0x8f, 0xef, 0x47, - 0x9a, 0xc4, 0xb0, 0xdc, 0x4b, 0x77, 0x26, 0x3e, - 0x07, 0xd9, 0x95, 0x9d, 0xe0, 0xf1, 0xbf, 0x3f, - 0x0a, 0xe3, 0xd9, 0xd5, 0x0e, 0x4b, 0x89, 0xc9, - 0x9e, 0x3e, 0xa1, 0x21, 0x73, 0x43, 0xdd, 0x8c, - 0x65, 0x81, 0xac, 0xc4, 0x95, 0x9c, 0x91, 0xd3 + 0x00, 0x8f, 0x81, 0x67, 0x68, 0xce, 0x97, 0x99, + 0x7e, 0x11, 0x5c, 0xad, 0x5b, 0xe1, 0x0c, 0xd4, + 0x15, 0x44, 0xdf, 0xc2, 0x47, 0xe7, 0x06, 0x27, + 0x5e, 0xf3, 0x9d, 0x5c, 0x4b, 0x2e, 0x35, 0x05, + 0xfd, 0x3c, 0x8f, 0x35, 0x85, 0x1b, 0x82, 0xdd, + 0x49, 0xc9, 0xa8, 0x7e, 0x3a, 0x5f, 0x33, 0xdc, + 0x8f, 0x5e, 0x32, 0x76, 0xe1, 0x52, 0x1b, 0x88, + 0x85, 0xda, 0xa9, 0x1d, 0x5f, 0x1c, 0x05, 0x3a, + 0xd4, 0x8d, 0xbb, 0xe7, 0x46, 0x46, 0x1e, 0x29, + 0x4b, 0x5a, 0x02, 0x88, 0x46, 0x94, 0xd0, 0x68, + 0x7d, 0xb2, 0x9f, 0x3a, 0x3d, 0x82, 0x05, 0xe5, + 0xa7, 0xbe, 0x6c, 0x7e, 0x24, 0x35, 0x25, 0x14, + 0xf3, 0x45, 0x08, 0x90, 0xfc, 0x55, 0x2e, 0xa8, + 0xb8, 0xb1, 0x89, 0x15, 0x94, 0x51, 0x44, 0xa9, + 0x9f, 0x68, 0xcb, 0x90, 0xbc, 0xd3, 0xae, 0x02, + 0x37, 0x26, 0xe4, 0xe9, 0x1a, 0x90, 0x95, 0x7e, + 0x1d, 0xac, 0x0c, 0x91, 0x97, 0x83, 0x24, 0x83, + 0xb9, 0xa1, 0x40, 0x72, 0xac, 0xf0, 0x55, 0x32, + 0x18, 0xab, 0xb8, 0x90, 0xda, 0x13, 0x4a, 0xc8, + 0x4b, 0x7c, 0x18, 0xbc, 0x33, 0xbf, 0x99, 0x85, + 0x39, 0x3e, 0xc6, 0x95, 0x9b, 0x48, 0x8e, 0xbe, + 0x46, 0x59, 0x48, 0x41, 0x0d, 0x37, 0x25, 0x94, + 0xbe, 0x8d, 0xf5, 0x81, 0x52, 0xf6, 0xdc, 0xeb, + 0x98, 0xd7, 0x3b, 0x44, 0x61, 0x6f, 0xa3, 0xef, + 0x7b, 0xfe, 0xbb, 0xc2, 0x8e, 0x46, 0x63, 0xbc, + 0x52, 0x65, 0xf9, 0xf8, 0x85, 0x41, 0xdf, 0x82, + 0x4a, 0x10, 0x2a, 0xe3, 0x0c, 0xb7, 0xad, 0x84, + 0xa6, 0x6f, 0x4e, 0x8e, 0x96, 0x1e, 0x04, 0xf7, + 0x57, 0x39, 0xca, 0x58, 0xd4, 0xef, 0x5a, 0xf1, + 0xf5, 0x69, 0xc2, 0xb1, 0x5c, 0x0a, 0xce, 0xbe, + 0x38, 0x01, 0xb5, 0x3f, 0x07, 0x8a, 0x72, 0x90, + 0x10, 0xac, 0x51, 0x3a, 0x96, 0x43, 0xdf, 0x6f, + 0xea }; static const unsigned char dh_peer_pub[] = { 0x1f, 0xc1, 0xda, 0x34, 0x1d, 0x1a, 0x84, 0x6a, diff --git a/deps/openssl/openssl/providers/implementations/encode_decode/decode_pem2der.c b/deps/openssl/openssl/providers/implementations/encode_decode/decode_pem2der.c index abea679fe19..a38c71883dd 100644 --- a/deps/openssl/openssl/providers/implementations/encode_decode/decode_pem2der.c +++ b/deps/openssl/openssl/providers/implementations/encode_decode/decode_pem2der.c @@ -151,6 +151,7 @@ static int pem2der_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, { PEM_STRING_DSAPARAMS, OSSL_OBJECT_PKEY, "DSA", "type-specific" }, { PEM_STRING_ECPRIVATEKEY, OSSL_OBJECT_PKEY, "EC", "type-specific" }, { PEM_STRING_ECPARAMETERS, OSSL_OBJECT_PKEY, "EC", "type-specific" }, + { PEM_STRING_SM2PRIVATEKEY, OSSL_OBJECT_PKEY, "SM2", "type-specific" }, { PEM_STRING_SM2PARAMETERS, OSSL_OBJECT_PKEY, "SM2", "type-specific" }, { PEM_STRING_RSA, OSSL_OBJECT_PKEY, "RSA", "type-specific" }, { PEM_STRING_RSA_PUBLIC, OSSL_OBJECT_PKEY, "RSA", "type-specific" }, diff --git a/deps/openssl/openssl/providers/implementations/kem/ml_kem_kem.c b/deps/openssl/openssl/providers/implementations/kem/ml_kem_kem.c index ac798cb4b6b..27aa3b81983 100644 --- a/deps/openssl/openssl/providers/implementations/kem/ml_kem_kem.c +++ b/deps/openssl/openssl/providers/implementations/kem/ml_kem_kem.c @@ -171,7 +171,7 @@ static int ml_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen, return 1; } if (shsec == NULL) { - ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL, + ERR_raise_data(ERR_LIB_PROV, PROV_R_NULL_OUTPUT_BUFFER, "NULL shared-secret buffer"); goto end; } diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c index c2ee8593557..98a8a45cf15 100644 --- a/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c +++ b/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -19,10 +19,12 @@ #include #include #include +#include #include "prov/implementations.h" #include "prov/providercommon.h" #include "prov/provider_ctx.h" #include "crypto/dh.h" +#include "internal/fips.h" #include "internal/sizes.h" static OSSL_FUNC_keymgmt_new_fn dh_newdata; @@ -207,6 +209,18 @@ static int dh_import(void *keydata, int selection, const OSSL_PARAM params[]) selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0; ok = ok && ossl_dh_key_fromdata(dh, params, include_private); +#ifdef FIPS_MODULE + /* + * FIPS 140-3 IG 10.3.A additional comment 1 mandates that a pairwise + * consistency check be undertaken on key import. The required test + * is described in SP 800-56Ar3 5.6.2.1.4. + */ + if (ok > 0 && !ossl_fips_self_testing()) { + ok = ossl_dh_check_pairwise(dh, 1); + if (ok <= 0) + ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT); + } +#endif /* FIPS_MODULE */ } return ok; @@ -440,7 +454,7 @@ static int dh_validate(const void *keydata, int selection, int checktype) if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == OSSL_KEYMGMT_SELECT_KEYPAIR) - ok = ok && ossl_dh_check_pairwise(dh); + ok = ok && ossl_dh_check_pairwise(dh, 0); return ok; } diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt.c index 9421aabb145..7d3c2231697 100644 --- a/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt.c +++ b/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt.c @@ -20,12 +20,14 @@ #include #include #include +#include #include "crypto/bn.h" #include "crypto/ec.h" #include "prov/implementations.h" #include "prov/providercommon.h" #include "prov/provider_ctx.h" #include "prov/securitycheck.h" +#include "internal/fips.h" #include "internal/param_build_set.h" #ifndef FIPS_MODULE @@ -429,6 +431,21 @@ int common_import(void *keydata, int selection, const OSSL_PARAM params[], if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0) ok = ok && ossl_ec_key_otherparams_fromdata(ec, params); +#ifdef FIPS_MODULE + if (ok > 0 + && !ossl_fips_self_testing() + && EC_KEY_get0_public_key(ec) != NULL + && EC_KEY_get0_private_key(ec) != NULL + && EC_KEY_get0_group(ec) != NULL) { + BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec)); + + ok = bnctx != NULL && ossl_ec_key_pairwise_check(ec, bnctx); + BN_CTX_free(bnctx); + if (ok <= 0) + ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT); + } +#endif /* FIPS_MODULE */ + return ok; } diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/ecx_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/ecx_kmgmt.c index c2ac805ad1f..faf25606e33 100644 --- a/deps/openssl/openssl/providers/implementations/keymgmt/ecx_kmgmt.c +++ b/deps/openssl/openssl/providers/implementations/keymgmt/ecx_kmgmt.c @@ -17,6 +17,7 @@ #include #include #include +#include "internal/fips.h" #include "internal/param_build_set.h" #include #include "crypto/ecx.h" @@ -92,6 +93,15 @@ static void *s390x_ecd_keygen25519(struct ecx_gen_ctx *gctx); static void *s390x_ecd_keygen448(struct ecx_gen_ctx *gctx); #endif +#ifdef FIPS_MODULE +static int ecd_fips140_pairwise_test(const ECX_KEY *ecx, int type, int self_test); +#endif /* FIPS_MODULE */ + +static ossl_inline int ecx_key_type_is_ed(ECX_KEY_TYPE type) +{ + return type == ECX_KEY_TYPE_ED25519 || type == ECX_KEY_TYPE_ED448; +} + static void *x25519_new_key(void *provctx) { if (!ossl_prov_is_running()) @@ -208,6 +218,14 @@ static int ecx_import(void *keydata, int selection, const OSSL_PARAM params[]) include_private = selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0; ok = ok && ossl_ecx_key_fromdata(key, params, include_private); +#ifdef FIPS_MODULE + if (ok > 0 && ecx_key_type_is_ed(key->type) && !ossl_fips_self_testing()) + if (key->haspubkey && key->privkey != NULL) { + ok = ecd_fips140_pairwise_test(key, key->type, 1); + if (ok <= 0) + ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT); + } +#endif /* FIPS_MODULE */ return ok; } @@ -703,8 +721,7 @@ static void *ecx_gen(struct ecx_gen_ctx *gctx) } #ifndef FIPS_MODULE if (gctx->dhkem_ikm != NULL && gctx->dhkem_ikmlen != 0) { - if (gctx->type == ECX_KEY_TYPE_ED25519 - || gctx->type == ECX_KEY_TYPE_ED448) + if (ecx_key_type_is_ed(gctx->type)) goto err; if (!ossl_ecx_dhkem_derive_private(key, privkey, gctx->dhkem_ikm, gctx->dhkem_ikmlen)) @@ -968,7 +985,7 @@ static int ecx_validate(const void *keydata, int selection, int type, if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != OSSL_KEYMGMT_SELECT_KEYPAIR) return ok; - if (type == ECX_KEY_TYPE_ED25519 || type == ECX_KEY_TYPE_ED448) + if (ecx_key_type_is_ed(type)) ok = ok && ecd_key_pairwise_check(ecx, type); else ok = ok && ecx_key_pairwise_check(ecx, type); diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/rsa_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/rsa_kmgmt.c index 77d09500942..380c1c087b4 100644 --- a/deps/openssl/openssl/providers/implementations/keymgmt/rsa_kmgmt.c +++ b/deps/openssl/openssl/providers/implementations/keymgmt/rsa_kmgmt.c @@ -25,6 +25,7 @@ #include "prov/provider_ctx.h" #include "crypto/rsa.h" #include "crypto/cryptlib.h" +#include "internal/fips.h" #include "internal/param_build_set.h" static OSSL_FUNC_keymgmt_new_fn rsa_newdata; @@ -196,6 +197,23 @@ static int rsa_import(void *keydata, int selection, const OSSL_PARAM params[]) ok = ok && ossl_rsa_fromdata(rsa, params, include_private); } +#ifdef FIPS_MODULE + if (ok > 0 && !ossl_fips_self_testing()) { + const BIGNUM *n, *e, *d, *dp, *dq, *iq, *p, *q; + + RSA_get0_key(rsa, &n, &e, &d); + RSA_get0_crt_params(rsa, &dp, &dq, &iq); + p = RSA_get0_p(rsa); + q = RSA_get0_q(rsa); + + /* Check for the public key */ + if (n != NULL && e != NULL) + /* Check for private key in straightforward or CRT form */ + if (d != NULL || (p != NULL && q != NULL && dp != NULL + && dq != NULL && iq != NULL)) + ok = ossl_rsa_key_pairwise_test(rsa); + } +#endif /* FIPS_MODULE */ return ok; } diff --git a/deps/openssl/openssl/providers/legacyprov.c b/deps/openssl/openssl/providers/legacyprov.c index 16e3639e76f..6dbe3a8505d 100644 --- a/deps/openssl/openssl/providers/legacyprov.c +++ b/deps/openssl/openssl/providers/legacyprov.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -48,6 +48,7 @@ static OSSL_FUNC_core_vset_error_fn *c_vset_error; static OSSL_FUNC_core_set_error_mark_fn *c_set_error_mark; static OSSL_FUNC_core_clear_last_error_mark_fn *c_clear_last_error_mark; static OSSL_FUNC_core_pop_error_to_mark_fn *c_pop_error_to_mark; +static OSSL_FUNC_core_count_to_mark_fn *c_count_to_mark; #endif /* Parameters we provide to the core */ @@ -234,6 +235,9 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, case OSSL_FUNC_CORE_POP_ERROR_TO_MARK: set_func(c_pop_error_to_mark, OSSL_FUNC_core_pop_error_to_mark(tmp)); break; + case OSSL_FUNC_CORE_COUNT_TO_MARK: + set_func(c_count_to_mark, OSSL_FUNC_core_count_to_mark(in)); + break; } } #endif @@ -301,4 +305,9 @@ int ERR_pop_to_mark(void) { return c_pop_error_to_mark(NULL); } + +int ERR_count_to_mark(void) +{ + return c_count_to_mark != NULL ? c_count_to_mark(NULL) : 0; +} #endif diff --git a/deps/openssl/openssl/ssl/quic/quic_ackm.c b/deps/openssl/openssl/ssl/quic/quic_ackm.c index 75a1e5741a0..93c83a36d8f 100644 --- a/deps/openssl/openssl/ssl/quic/quic_ackm.c +++ b/deps/openssl/openssl/ssl/quic/quic_ackm.c @@ -1,5 +1,5 @@ /* - * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -536,6 +536,9 @@ struct ossl_ackm_st { /* Set to 1 when the handshake is confirmed. */ char handshake_confirmed; + /* Set to 1 when attached to server channel */ + char is_server; + /* Set to 1 when the peer has completed address validation. */ char peer_completed_addr_validation; @@ -855,7 +858,13 @@ static OSSL_TIME ackm_get_pto_time_and_space(OSSL_ACKM *ackm, int *space) } for (i = QUIC_PN_SPACE_INITIAL; i < QUIC_PN_SPACE_NUM; ++i) { - if (ackm->ack_eliciting_bytes_in_flight[i] == 0) + /* + * RFC 9002 section 6.2.2.1 keep probe timeout armed until + * handshake is confirmed (client sees HANDSHAKE_DONE message + * from server). + */ + if (ackm->ack_eliciting_bytes_in_flight[i] == 0 && + (ackm->handshake_confirmed == 1 || ackm->is_server == 1)) continue; if (i == QUIC_PN_SPACE_APP) { @@ -875,10 +884,18 @@ static OSSL_TIME ackm_get_pto_time_and_space(OSSL_ACKM *ackm, int *space) } } - t = ossl_time_add(ackm->time_of_last_ack_eliciting_pkt[i], duration); - if (ossl_time_compare(t, pto_timeout) < 0) { - pto_timeout = t; - pto_space = i; + /* + * Only re-arm timer if stack has sent at least one ACK eliciting frame. + * If stack has sent no ACK eliciting frame at given encryption level then + * particular timer is zero and we must not attempt to set it. Timer keeps + * time since epoch (Jan 1 1970) and we must not set timer to past. + */ + if (!ossl_time_is_zero(ackm->time_of_last_ack_eliciting_pkt[i])) { + t = ossl_time_add(ackm->time_of_last_ack_eliciting_pkt[i], duration); + if (ossl_time_compare(t, pto_timeout) < 0) { + pto_timeout = t; + pto_space = i; + } } } @@ -1021,7 +1038,8 @@ OSSL_ACKM *ossl_ackm_new(OSSL_TIME (*now)(void *arg), void *now_arg, OSSL_STATM *statm, const OSSL_CC_METHOD *cc_method, - OSSL_CC_DATA *cc_data) + OSSL_CC_DATA *cc_data, + int is_server) { OSSL_ACKM *ackm; int i; @@ -1045,6 +1063,7 @@ OSSL_ACKM *ossl_ackm_new(OSSL_TIME (*now)(void *arg), ackm->statm = statm; ackm->cc_method = cc_method; ackm->cc_data = cc_data; + ackm->is_server = (char)is_server; ackm->rx_max_ack_delay = ossl_ms2time(QUIC_DEFAULT_MAX_ACK_DELAY); ackm->tx_max_ack_delay = DEFAULT_TX_MAX_ACK_DELAY; diff --git a/deps/openssl/openssl/ssl/quic/quic_channel.c b/deps/openssl/openssl/ssl/quic/quic_channel.c index 8fb651d9ceb..f8e4252ba48 100644 --- a/deps/openssl/openssl/ssl/quic/quic_channel.c +++ b/deps/openssl/openssl/ssl/quic/quic_channel.c @@ -242,7 +242,8 @@ static int ch_init(QUIC_CHANNEL *ch) goto err; if ((ch->ackm = ossl_ackm_new(get_time, ch, &ch->statm, - ch->cc_method, ch->cc_data)) == NULL) + ch->cc_method, ch->cc_data, + ch->is_server)) == NULL) goto err; if (!ossl_quic_stream_map_init(&ch->qsm, get_stream_limit, ch, diff --git a/deps/openssl/openssl/ssl/quic/quic_rx_depack.c b/deps/openssl/openssl/ssl/quic/quic_rx_depack.c index a36b02d5dcb..f800d898419 100644 --- a/deps/openssl/openssl/ssl/quic/quic_rx_depack.c +++ b/deps/openssl/openssl/ssl/quic/quic_rx_depack.c @@ -1429,16 +1429,8 @@ int ossl_quic_handle_frames(QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpacket) uint32_t enc_level; size_t dgram_len = qpacket->datagram_len; - /* - * ok has three states: - * -1 error with ackm_data uninitialized - * 0 error with ackm_data initialized - * 1 success (ackm_data initialized) - */ - int ok = -1; /* Assume the worst */ - if (ch == NULL) - goto end; + return 0; ch->did_crypto_frame = 0; @@ -1456,9 +1448,8 @@ int ossl_quic_handle_frames(QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpacket) * Retry and Version Negotiation packets should not be passed to this * function. */ - goto end; + return 0; - ok = 0; /* Still assume the worst */ ackm_data.pkt_space = ossl_quic_enc_level_to_pn_space(enc_level); /* @@ -1480,18 +1471,9 @@ int ossl_quic_handle_frames(QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpacket) enc_level, qpacket->time, &ackm_data)) - goto end; + return 0; - ok = 1; - end: - /* - * ASSUMPTION: If this function is called at all, |qpacket| is - * a legitimate packet, even if its contents aren't. - * Therefore, we call ossl_ackm_on_rx_packet() unconditionally, as long as - * |ackm_data| has at least been initialized. - */ - if (ok >= 0) - ossl_ackm_on_rx_packet(ch->ackm, &ackm_data); + ossl_ackm_on_rx_packet(ch->ackm, &ackm_data); - return ok > 0; + return 1; } diff --git a/deps/openssl/openssl/util/perl/TLSProxy/Proxy.pm b/deps/openssl/openssl/util/perl/TLSProxy/Proxy.pm index b76f9e931ec..ccc4814f6fd 100644 --- a/deps/openssl/openssl/util/perl/TLSProxy/Proxy.pm +++ b/deps/openssl/openssl/util/perl/TLSProxy/Proxy.pm @@ -97,7 +97,23 @@ sub new_dtls { sub init { - require IO::Socket::IP; + my $useSockInet = 0; + eval { + require IO::Socket::IP; + my $s = IO::Socket::IP->new( + LocalAddr => "::1", + LocalPort => 0, + Listen=>1, + ); + $s or die "\n"; + $s->close(); + }; + if ($@ eq "") { + require IO::Socket::IP; + } else { + $useSockInet = 1; + } + my $class = shift; my ($filter, $execute, @@ -118,8 +134,13 @@ sub init $test_client_port = 49152 + int(rand(65535 - 49152)); my $test_sock; if ($useINET6 == 0) { - $test_sock = IO::Socket::IP->new(LocalPort => $test_client_port, - LocalAddr => $test_client_addr); + if ($useSockInet == 0) { + $test_sock = IO::Socket::IP->new(LocalPort => $test_client_port, + LocalAddr => $test_client_addr); + } else { + $test_sock = IO::Socket::INET->new(LocalAddr => $test_client_addr, + LocalPort => $test_client_port); + } } else { $test_sock = IO::Socket::INET6->new(LocalAddr => $test_client_addr, LocalPort => $test_client_port,