archive/node
1
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2025-08-15 13:48:44 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

deps: upgrade openssl sources to openssl-3.5.2

Browse source 
PR-URL: https://github.com/nodejs/node/pull/59371
Reviewed-By: Richard Lau <richard.lau@ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
This commit is contained in:
Node.js GitHub Bot 2025-08-05 17:06:14 +00:00
parent 5baff3e47b
commit 6b0e79968b
72 changed files with 438 additions and 198 deletions
Download patch file Download diff file Expand all files Collapse all files

7
deps/openssl/openssl/CHANGES.md vendored
View file

@ -28,6 +28,13 @@ OpenSSL Releases
OpenSSL 3.5
-----------
### Changes between 3.5.1 and 3.5.2 [5 Aug 2025]
* The FIPS provider now performs a PCT on key import for RSA, EC and ECX.
This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
*Dr Paul Dale*
### Changes between 3.5.0 and 3.5.1 [1 Jul 2025]
* Fix x509 application adds trusted use instead of rejected use.

4
deps/openssl/openssl/NEWS.md vendored
View file

@ -23,6 +23,10 @@ OpenSSL Releases
OpenSSL 3.5
-----------
### Major changes between OpenSSL 3.5.1 and OpenSSL 3.5.2 [5 Aug 2025]
* none
### Major changes between OpenSSL 3.5.0 and OpenSSL 3.5.1 [1 Jul 2025]
OpenSSL 3.5.1 is a security patch release. The most severe CVE fixed in this

4
deps/openssl/openssl/VERSION.dat vendored
View file

@ -1,7 +1,7 @@
MAJOR=3
MINOR=5
PATCH=1
PATCH=2
PRE_RELEASE_TAG=
BUILD_METADATA=
RELEASE_DATE="1 Jul 2025"
RELEASE_DATE="5 Aug 2025"
SHLIB_VERSION=3

2
deps/openssl/openssl/apps/asn1parse.c vendored
View file

@ -40,8 +40,8 @@ const OPTIONS asn1parse_options[] = {
{"length", OPT_LENGTH, 'p', "length of section in file"},
{"strparse", OPT_STRPARSE, 'p',
"offset; a series of these can be used to 'dig'"},
{"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"},
{OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"},
{"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"},
{"genconf", OPT_GENCONF, 's', "file to generate ASN1 structure from"},
{"strictpem", OPT_STRICTPEM, 0,
"equivalent to '-inform pem' (obsolete)"},

4
deps/openssl/openssl/apps/rand.c vendored
View file

@ -1,5 +1,5 @@
/*
* Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1998-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -199,7 +199,7 @@ int rand_main(int argc, char **argv)
int chunk;
chunk = scaled_num > buflen ? (int)buflen : (int)scaled_num;
r = RAND_bytes(buf, chunk);
r = RAND_bytes_ex(app_get0_libctx(), buf, chunk, 0);
if (r <= 0)
goto end;
if (format != FORMAT_TEXT) {

34
deps/openssl/openssl/crypto/dh/dh_check.c vendored
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -16,6 +16,7 @@
#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include <openssl/self_test.h>
#include "dh_local.h"
#include "crypto/dh.h"
@ -329,17 +330,27 @@ end:
* FFC pairwise check from SP800-56A R3.
* Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency
*/
int ossl_dh_check_pairwise(const DH *dh)
int ossl_dh_check_pairwise(const DH *dh, int return_on_null_numbers)
{
int ret = 0;
BN_CTX *ctx = NULL;
BIGNUM *pub_key = NULL;
OSSL_SELF_TEST *st = NULL;
OSSL_CALLBACK *stcb = NULL;
void *stcbarg = NULL;
if (dh->params.p == NULL
|| dh->params.g == NULL
|| dh->priv_key == NULL
|| dh->pub_key == NULL)
return 0;
return return_on_null_numbers;
OSSL_SELF_TEST_get_callback(dh->libctx, &stcb, &stcbarg);
st = OSSL_SELF_TEST_new(stcb, stcbarg);
if (st == NULL)
goto err;
OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT,
OSSL_SELF_TEST_DESC_PCT_DH);
ctx = BN_CTX_new_ex(dh->libctx);
if (ctx == NULL)
@ -351,10 +362,27 @@ int ossl_dh_check_pairwise(const DH *dh)
/* recalculate the public key = (g ^ priv) mod p */
if (!ossl_dh_generate_public_key(ctx, dh, dh->priv_key, pub_key))
goto err;
#ifdef FIPS_MODULE
{
int len;
unsigned char bytes[1024] = {0}; /* Max key size of 8192 bits */
if (BN_num_bytes(pub_key) > (int)sizeof(bytes))
goto err;
len = BN_bn2bin(pub_key, bytes);
OSSL_SELF_TEST_oncorrupt_byte(st, bytes);
if (BN_bin2bn(bytes, len, pub_key) == NULL)
goto err;
}
#endif
/* check it matches the existing public_key */
ret = BN_cmp(pub_key, dh->pub_key) == 0;
err:
BN_free(pub_key);
BN_CTX_free(ctx);
OSSL_SELF_TEST_onend(st, ret);
OSSL_SELF_TEST_free(st);
return ret;
}

28
deps/openssl/openssl/crypto/encode_decode/decoder_lib.c vendored
View file

@ -537,6 +537,14 @@ static void collect_extra_decoder(OSSL_DECODER *decoder, void *arg)
}
}
static int decoder_sk_cmp(const OSSL_DECODER_INSTANCE *const *a,
const OSSL_DECODER_INSTANCE *const *b)
{
if ((*a)->score == (*b)->score)
return (*a)->order - (*b)->order;
return (*a)->score - (*b)->score;
}
int OSSL_DECODER_CTX_add_extra(OSSL_DECODER_CTX *ctx,
OSSL_LIB_CTX *libctx, const char *propq)
{
@ -595,6 +603,26 @@ int OSSL_DECODER_CTX_add_extra(OSSL_DECODER_CTX *ctx,
OSSL_DECODER_do_all_provided(libctx, collect_all_decoders, skdecoders);
numdecoders = sk_OSSL_DECODER_num(skdecoders);
/*
* If there are provided or default properties, sort the initial decoder list
* by property matching score so that the highest scored provider is selected
* first.
*/
if (propq != NULL || ossl_ctx_global_properties(libctx, 0) != NULL) {
int num_decoder_insts = sk_OSSL_DECODER_INSTANCE_num(ctx->decoder_insts);
int i;
OSSL_DECODER_INSTANCE *di;
sk_OSSL_DECODER_INSTANCE_compfunc old_cmp =
sk_OSSL_DECODER_INSTANCE_set_cmp_func(ctx->decoder_insts, decoder_sk_cmp);
for (i = 0; i < num_decoder_insts; i++) {
di = sk_OSSL_DECODER_INSTANCE_value(ctx->decoder_insts, i);
di->order = i;
}
sk_OSSL_DECODER_INSTANCE_sort(ctx->decoder_insts);
sk_OSSL_DECODER_INSTANCE_set_cmp_func(ctx->decoder_insts, old_cmp);
}
memset(&data, 0, sizeof(data));
data.ctx = ctx;
data.w_prev_start = 0;

62
deps/openssl/openssl/crypto/encode_decode/decoder_pkey.c vendored
View file

@ -222,15 +222,21 @@ struct collect_data_st {
int total; /* number of matching results */
char error_occurred;
char keytype_resolved;
OSSL_PROPERTY_LIST *pq;
STACK_OF(EVP_KEYMGMT) *keymgmts;
};
static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder,
/*
* Add decoder instance to the decoder context if it is compatible. Returns 1
* if a decoder was added, 0 otherwise.
*/
static int collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder,
void *provctx, struct collect_data_st *data)
{
void *decoderctx = NULL;
OSSL_DECODER_INSTANCE *di = NULL;
const OSSL_PROPERTY_LIST *props;
/*
* We already checked the EVP_KEYMGMT is applicable in check_keymgmt so we
@ -239,17 +245,17 @@ static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder,
if (keymgmt->name_id != decoder->base.id)
/* Mismatch is not an error, continue. */
return;
return 0;
if ((decoderctx = decoder->newctx(provctx)) == NULL) {
data->error_occurred = 1;
return;
return 0;
}
if ((di = ossl_decoder_instance_new(decoder, decoderctx)) == NULL) {
decoder->freectx(decoderctx);
data->error_occurred = 1;
return;
return 0;
}
/*
@ -263,7 +269,7 @@ static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder,
|| OPENSSL_strcasecmp(data->ctx->start_input_type, "PEM") != 0)) {
/* Mismatch is not an error, continue. */
ossl_decoder_instance_free(di);
return;
return 0;
}
OSSL_TRACE_BEGIN(DECODER) {
@ -275,13 +281,30 @@ static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder,
OSSL_DECODER_get0_properties(decoder));
} OSSL_TRACE_END(DECODER);
/*
* Get the property match score so the decoders can be prioritized later.
*/
props = ossl_decoder_parsed_properties(decoder);
if (data->pq != NULL && props != NULL) {
di->score = ossl_property_match_count(data->pq, props);
/*
* Mismatch of mandatory properties is not an error, the decoder is just
* ignored, continue.
*/
if (di->score < 0) {
ossl_decoder_instance_free(di);
return 0;
}
}
if (!ossl_decoder_ctx_add_decoder_inst(data->ctx, di)) {
ossl_decoder_instance_free(di);
data->error_occurred = 1;
return;
return 0;
}
++data->total;
return 1;
}
static void collect_decoder(OSSL_DECODER *decoder, void *arg)
@ -321,7 +344,9 @@ static void collect_decoder(OSSL_DECODER *decoder, void *arg)
for (i = 0; i < end_i; ++i) {
keymgmt = sk_EVP_KEYMGMT_value(keymgmts, i);
collect_decoder_keymgmt(keymgmt, decoder, provctx, data);
/* Only add this decoder once */
if (collect_decoder_keymgmt(keymgmt, decoder, provctx, data))
break;
if (data->error_occurred)
return;
}
@ -407,6 +432,8 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx,
struct decoder_pkey_data_st *process_data = NULL;
struct collect_data_st collect_data = { NULL };
STACK_OF(EVP_KEYMGMT) *keymgmts = NULL;
OSSL_PROPERTY_LIST **plp;
OSSL_PROPERTY_LIST *pq = NULL, *p2 = NULL;
OSSL_TRACE_BEGIN(DECODER) {
const char *input_type = ctx->start_input_type;
@ -442,6 +469,25 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx,
process_data->selection = ctx->selection;
process_data->keymgmts = keymgmts;
/*
* Collect passed and default properties to prioritize the decoders.
*/
if (propquery != NULL)
p2 = pq = ossl_parse_query(libctx, propquery, 1);
plp = ossl_ctx_global_properties(libctx, 0);
if (plp != NULL && *plp != NULL) {
if (pq == NULL) {
pq = *plp;
} else {
p2 = ossl_property_merge(pq, *plp);
ossl_property_free(pq);
if (p2 == NULL)
goto err;
pq = p2;
}
}
/*
* Enumerate all keymgmts into a stack.
*
@ -461,6 +507,7 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx,
collect_data.libctx = libctx;
collect_data.keymgmts = keymgmts;
collect_data.keytype = keytype;
collect_data.pq = pq;
EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, &collect_data);
if (collect_data.error_occurred)
@ -496,6 +543,7 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx,
ok = 1;
err:
decoder_clean_pkey_construct_arg(process_data);
ossl_property_free(p2);
return ok;
}

2
deps/openssl/openssl/crypto/encode_decode/encoder_local.h vendored
View file

@ -109,6 +109,8 @@ struct ossl_decoder_instance_st {
const char *input_type; /* Never NULL */
const char *input_structure; /* May be NULL */
int input_type_id;
int order; /* For stable ordering of decoders wrt proqs */
int score; /* For ordering decoders wrt proqs */
unsigned int flag_input_structure_was_set : 1;
};

8
deps/openssl/openssl/crypto/evp/asymcipher.c vendored
View file

@ -261,10 +261,12 @@ int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx,
cipher = ctx->op.ciph.cipher;
desc = cipher->description != NULL ? cipher->description : "";
ERR_set_mark();
ret = cipher->encrypt(ctx->op.ciph.algctx, out, outlen, (out == NULL ? 0 : *outlen), in, inlen);
if (ret <= 0)
if (ret <= 0 && ERR_count_to_mark() == 0)
ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_ASYM_CIPHER_FAILURE,
"%s encrypt:%s", cipher->type_name, desc);
ERR_clear_last_mark();
return ret;
legacy:
@ -309,10 +311,12 @@ int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx,
cipher = ctx->op.ciph.cipher;
desc = cipher->description != NULL ? cipher->description : "";
ERR_set_mark();
ret = cipher->decrypt(ctx->op.ciph.algctx, out, outlen, (out == NULL ? 0 : *outlen), in, inlen);
if (ret <= 0)
if (ret <= 0 && ERR_count_to_mark() == 0)
ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_ASYM_CIPHER_FAILURE,
"%s decrypt:%s", cipher->type_name, desc);
ERR_clear_last_mark();
return ret;

4
deps/openssl/openssl/crypto/evp/keymgmt_meth.c vendored
View file

@ -460,10 +460,12 @@ void *evp_keymgmt_gen(const EVP_KEYMGMT *keymgmt, void *genctx,
return NULL;
}
ERR_set_mark();
ret = keymgmt->gen(genctx, cb, cbarg);
if (ret == NULL)
if (ret == NULL && ERR_count_to_mark() == 0)
ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_KEYMGMT_FAILURE,
"%s key generation:%s", keymgmt->type_name, desc);
ERR_clear_last_mark();
return ret;
}

24
deps/openssl/openssl/crypto/evp/m_sigver.c vendored
View file

@ -426,10 +426,12 @@ int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
return 0;
}
ERR_set_mark();
ret = signature->digest_sign_update(pctx->op.sig.algctx, data, dsize);
if (ret <= 0)
if (ret <= 0 && ERR_count_to_mark() == 0)
ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
"%s digest_sign_update:%s", signature->type_name, desc);
ERR_clear_last_mark();
return ret;
legacy:
@ -470,10 +472,12 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
return 0;
}
ERR_set_mark();
ret = signature->digest_verify_update(pctx->op.sig.algctx, data, dsize);
if (ret <= 0)
if (ret <= 0 && ERR_count_to_mark() == 0)
ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
"%s digest_verify_update:%s", signature->type_name, desc);
ERR_clear_last_mark();
return ret;
legacy:
@ -523,11 +527,13 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
pctx = dctx;
}
ERR_set_mark();
r = signature->digest_sign_final(pctx->op.sig.algctx, sigret, siglen,
sigret == NULL ? 0 : *siglen);
if (!r)
if (!r && ERR_count_to_mark() == 0)
ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
"%s digest_sign_final:%s", signature->type_name, desc);
ERR_clear_last_mark();
if (dctx == NULL && sigret != NULL)
ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
else
@ -634,11 +640,13 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
if (sigret != NULL)
ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
ERR_set_mark();
ret = signature->digest_sign(pctx->op.sig.algctx, sigret, siglen,
sigret == NULL ? 0 : *siglen, tbs, tbslen);
if (ret <= 0)
if (ret <= 0 && ERR_count_to_mark() == 0)
ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
"%s digest_sign:%s", signature->type_name, desc);
ERR_clear_last_mark();
return ret;
}
} else {
@ -689,10 +697,12 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
pctx = dctx;
}
ERR_set_mark();
r = signature->digest_verify_final(pctx->op.sig.algctx, sig, siglen);
if (!r)
if (!r && ERR_count_to_mark() == 0)
ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
"%s digest_verify_final:%s", signature->type_name, desc);
ERR_clear_last_mark();
if (dctx == NULL)
ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
else
@ -765,10 +775,12 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
int ret;
ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
ERR_set_mark();
ret = signature->digest_verify(pctx->op.sig.algctx, sigret, siglen, tbs, tbslen);
if (ret <= 0)
if (ret <= 0 && ERR_count_to_mark() == 0)
ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
"%s digest_verify:%s", signature->type_name, desc);
ERR_clear_last_mark();
return ret;
}
} else {

4
deps/openssl/openssl/crypto/perlasm/x86asm.pl vendored
View file

@ -174,9 +174,9 @@ sub ::vprotd
sub ::endbranch
{
&::generic("%ifdef __CET__\n");
&::generic("#ifdef __CET__\n");
&::data_byte(0xf3,0x0f,0x1e,0xfb);
&::generic("%endif\n");
&::generic("#endif\n");
}
# label management

6
deps/openssl/openssl/crypto/provider_core.c vendored
View file

@ -2419,6 +2419,11 @@ static int core_pop_error_to_mark(const OSSL_CORE_HANDLE *handle)
return ERR_pop_to_mark();
}
static int core_count_to_mark(const OSSL_CORE_HANDLE *handle)
{
return ERR_count_to_mark();
}
static void core_indicator_get_callback(OPENSSL_CORE_CTX *libctx,
OSSL_INDICATOR_CALLBACK **cb)
{
@ -2600,6 +2605,7 @@ static const OSSL_DISPATCH core_dispatch_[] = {
{ OSSL_FUNC_CORE_CLEAR_LAST_ERROR_MARK,
(void (*)(void))core_clear_last_error_mark },
{ OSSL_FUNC_CORE_POP_ERROR_TO_MARK, (void (*)(void))core_pop_error_to_mark },
{ OSSL_FUNC_CORE_COUNT_TO_MARK, (void (*)(void))core_count_to_mark },
{ OSSL_FUNC_BIO_NEW_FILE, (void (*)(void))ossl_core_bio_new_file },
{ OSSL_FUNC_BIO_NEW_MEMBUF, (void (*)(void))ossl_core_bio_new_mem_buf },
{ OSSL_FUNC_BIO_READ_EX, (void (*)(void))ossl_core_bio_read_ex },

15
deps/openssl/openssl/crypto/rsa/rsa_gen.c vendored
View file

@ -734,3 +734,18 @@ err:
return ret;
}
#ifdef FIPS_MODULE
int ossl_rsa_key_pairwise_test(RSA *rsa)
{
OSSL_CALLBACK *stcb;
void *stcbarg;
int res;
OSSL_SELF_TEST_get_callback(rsa->libctx, &stcb, &stcbarg);
res = rsa_keygen_pairwise_test(rsa, stcb, stcbarg);
if (res <= 0)
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
return res;
}
#endif /* FIPS_MODULE */

3
deps/openssl/openssl/crypto/slh_dsa/slh_hash.c vendored
View file

@ -158,6 +158,9 @@ slh_hmsg_sha2(SLH_DSA_HASH_CTX *hctx, const uint8_t *r, const uint8_t *pk_seed,
int sz = EVP_MD_get_size(hctx->key->md_big);
size_t seed_len = (size_t)sz + 2 * n;
if (sz <= 0)
return 0;
memcpy(seed, r, n);
memcpy(seed + n, pk_seed, n);
return digest_4(hctx->md_big_ctx, r, n, pk_seed, n, pk_root, n, msg, msg_len,

6
deps/openssl/openssl/crypto/sm2/sm2_sign.c vendored
View file

@ -1,5 +1,5 @@
/*
* Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2017 Ribose Inc. All Rights Reserved.
* Ported from Ribose contributions from Botan.
*
@ -220,6 +220,10 @@ static ECDSA_SIG *sm2_sig_gen(const EC_KEY *key, const BIGNUM *e)
BIGNUM *tmp = NULL;
OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key);
if (dA == NULL) {
ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_PRIVATE_KEY);
goto done;
}
kG = EC_POINT_new(group);
if (kG == NULL) {
ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB);

17
deps/openssl/openssl/crypto/store/store_lib.c vendored
View file

@ -428,12 +428,6 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx)
if (ctx->loader != NULL)
OSSL_TRACE(STORE, "Loading next object\n");
if (ctx->cached_info != NULL
&& sk_OSSL_STORE_INFO_num(ctx->cached_info) == 0) {
sk_OSSL_STORE_INFO_free(ctx->cached_info);
ctx->cached_info = NULL;
}
if (ctx->cached_info != NULL) {
v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);
} else {
@ -556,14 +550,23 @@ int OSSL_STORE_error(OSSL_STORE_CTX *ctx)
int OSSL_STORE_eof(OSSL_STORE_CTX *ctx)
{
int ret = 1;
int ret = 0;
if (ctx->cached_info != NULL
&& sk_OSSL_STORE_INFO_num(ctx->cached_info) == 0) {
sk_OSSL_STORE_INFO_free(ctx->cached_info);
ctx->cached_info = NULL;
}
if (ctx->cached_info == NULL) {
ret = 1;
if (ctx->fetched_loader != NULL)
ret = ctx->loader->p_eof(ctx->loader_ctx);
#ifndef OPENSSL_NO_DEPRECATED_3_0
if (ctx->fetched_loader == NULL)
ret = ctx->loader->eof(ctx->loader_ctx);
#endif
}
return ret != 0;
}

15
deps/openssl/openssl/crypto/x509/x_crl.c vendored
View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -289,6 +289,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp)
{
int idp_only = 0;
int ret = 0;
/* Set various flags according to IDP */
crl->idp_flags |= IDP_PRESENT;
@ -320,7 +321,17 @@ static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp)
crl->idp_reasons &= CRLDP_ALL_REASONS;
}
return DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl));
ret = DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl));
/*
* RFC5280 specifies that if onlyContainsUserCerts, onlyContainsCACerts,
* indirectCRL, and OnlyContainsAttributeCerts are all FALSE, there must
* be either a distributionPoint field or an onlySomeReasons field present.
*/
if (crl->idp_flags == IDP_PRESENT && idp->distpoint == NULL)
crl->idp_flags |= IDP_INVALID;
return ret;
}
ASN1_SEQUENCE_ref(X509_CRL, crl_cb) = {

5
deps/openssl/openssl/fuzz/dtlsserver.c vendored
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -590,10 +590,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
SSL *server;
BIO *in;
BIO *out;
#if !defined(OPENSSL_NO_EC) \
|| (!defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0))
BIO *bio_buf;
#endif
SSL_CTX *ctx;
int ret;
#ifndef OPENSSL_NO_DEPRECATED_3_0

1
deps/openssl/openssl/include/crypto/bn_conf.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/bn_conf.h"

4
deps/openssl/openssl/include/crypto/dh.h vendored
View file

@ -1,5 +1,5 @@
/*
* Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -42,7 +42,7 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
int ossl_dh_check_pub_key_partial(const DH *dh, const BIGNUM *pub_key, int *ret);
int ossl_dh_check_priv_key(const DH *dh, const BIGNUM *priv_key, int *ret);
int ossl_dh_check_pairwise(const DH *dh);
int ossl_dh_check_pairwise(const DH *dh, int return_on_null_numbers);
const DH_METHOD *ossl_dh_get_method(const DH *dh);

1
deps/openssl/openssl/include/crypto/dso_conf.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/dso_conf.h"

6
deps/openssl/openssl/include/crypto/rsa.h vendored
View file

@ -1,5 +1,5 @@
/*
* Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -124,6 +124,10 @@ ASN1_STRING *ossl_rsa_ctx_to_pss_string(EVP_PKEY_CTX *pkctx);
int ossl_rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx,
const X509_ALGOR *sigalg, EVP_PKEY *pkey);
# ifdef FIPS_MODULE
int ossl_rsa_key_pairwise_test(RSA *rsa);
# endif /* FIPS_MODULE */
# if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
int ossl_rsa_acvp_test_gen_params_new(OSSL_PARAM **dst, const OSSL_PARAM src[]);
void ossl_rsa_acvp_test_gen_params_free(OSSL_PARAM *dst);

1
deps/openssl/openssl/include/internal/param_names.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/param_names.h"

4
deps/openssl/openssl/include/internal/quic_ackm.h vendored
View file

@ -1,5 +1,5 @@
/*
* Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -23,7 +23,7 @@ OSSL_ACKM *ossl_ackm_new(OSSL_TIME (*now)(void *arg),
void *now_arg,
OSSL_STATM *statm,
const OSSL_CC_METHOD *cc_method,
OSSL_CC_DATA *cc_data);
OSSL_CC_DATA *cc_data, int is_server);
void ossl_ackm_free(OSSL_ACKM *ackm);
void ossl_ackm_set_loss_detection_deadline_callback(OSSL_ACKM *ackm,

1
deps/openssl/openssl/include/openssl/asn1.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/asn1.h"

1
deps/openssl/openssl/include/openssl/asn1t.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/asn1t.h"

1
deps/openssl/openssl/include/openssl/bio.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/bio.h"

1
deps/openssl/openssl/include/openssl/cmp.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/cmp.h"

1
deps/openssl/openssl/include/openssl/cms.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/cms.h"

1
deps/openssl/openssl/include/openssl/comp.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/comp.h"

1
deps/openssl/openssl/include/openssl/conf.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/conf.h"

1
deps/openssl/openssl/include/openssl/configuration.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/configuration.h"

4
deps/openssl/openssl/include/openssl/core_dispatch.h vendored
View file

@ -253,6 +253,10 @@ OSSL_CORE_MAKE_FUNC(int, provider_up_ref,
OSSL_CORE_MAKE_FUNC(int, provider_free,
(const OSSL_CORE_HANDLE *prov, int deactivate))
/* Additional error functions provided by the core */
# define OSSL_FUNC_CORE_COUNT_TO_MARK 120
OSSL_CORE_MAKE_FUNC(int, core_count_to_mark, (const OSSL_CORE_HANDLE *prov))
/* Functions provided by the provider to the Core, reserved numbers 1024-1535 */
# define OSSL_FUNC_PROVIDER_TEARDOWN 1024
OSSL_CORE_MAKE_FUNC(void, provider_teardown, (void *provctx))

1
deps/openssl/openssl/include/openssl/core_names.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/core_names.h"

1
deps/openssl/openssl/include/openssl/crmf.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/crmf.h"

1
deps/openssl/openssl/include/openssl/crypto.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/crypto.h"

1
deps/openssl/openssl/include/openssl/ct.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/ct.h"

1
deps/openssl/openssl/include/openssl/err.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/err.h"

1
deps/openssl/openssl/include/openssl/ess.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/ess.h"

1
deps/openssl/openssl/include/openssl/fipskey.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/fipskey.h"

1
deps/openssl/openssl/include/openssl/lhash.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/lhash.h"

1
deps/openssl/openssl/include/openssl/ocsp.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/ocsp.h"

1
deps/openssl/openssl/include/openssl/opensslv.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/opensslv.h"

1
deps/openssl/openssl/include/openssl/pem.h vendored
View file

@ -57,6 +57,7 @@ extern "C" {
# define PEM_STRING_ECPRIVATEKEY "EC PRIVATE KEY"
# define PEM_STRING_PARAMETERS "PARAMETERS"
# define PEM_STRING_CMS "CMS"
# define PEM_STRING_SM2PRIVATEKEY "SM2 PRIVATE KEY"
# define PEM_STRING_SM2PARAMETERS "SM2 PARAMETERS"
# define PEM_STRING_ACERT "ATTRIBUTE CERTIFICATE"

1
deps/openssl/openssl/include/openssl/pkcs12.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/pkcs12.h"

1
deps/openssl/openssl/include/openssl/pkcs7.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/pkcs7.h"

1
deps/openssl/openssl/include/openssl/safestack.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/safestack.h"

1
deps/openssl/openssl/include/openssl/self_test.h vendored
View file

@ -50,6 +50,7 @@ extern "C" {
# define OSSL_SELF_TEST_DESC_PCT_RSA_PKCS1 "RSA"
# define OSSL_SELF_TEST_DESC_PCT_ECDSA "ECDSA"
# define OSSL_SELF_TEST_DESC_PCT_EDDSA "EDDSA"
# define OSSL_SELF_TEST_DESC_PCT_DH "DH"
# define OSSL_SELF_TEST_DESC_PCT_DSA "DSA"
# define OSSL_SELF_TEST_DESC_PCT_ML_DSA "ML-DSA"
# define OSSL_SELF_TEST_DESC_PCT_ML_KEM "ML-KEM"

1
deps/openssl/openssl/include/openssl/srp.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/srp.h"

1
deps/openssl/openssl/include/openssl/ssl.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/ssl.h"

1
deps/openssl/openssl/include/openssl/ui.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/ui.h"

1
deps/openssl/openssl/include/openssl/x509.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/x509.h"

1
deps/openssl/openssl/include/openssl/x509_acert.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/x509_acert.h"

1
deps/openssl/openssl/include/openssl/x509_vfy.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/x509_vfy.h"

1
deps/openssl/openssl/include/openssl/x509v3.h vendored
View file

@ -1 +0,0 @@
#include "../../../config/x509v3.h"

32
deps/openssl/openssl/providers/fips-sources.checksums vendored
View file

@ -136,7 +136,7 @@ eeef5722ad56bf1af2ff71681bcc8b8525bc7077e973c98cee920ce9bcc66c81 crypto/des/ecb
9549901d6f0f96cd17bd76c2b6cb33fb25641707bfdb8ed34aab250c34f7f4f6 crypto/des/set_key.c
8344811b14d151f6cd40a7bc45c8f4a1106252b119c1d5e6a589a023f39b107d crypto/des/spr.h
a54b1b60cf48ca89dfb3f71d299794dd6c2e462c576b0fe583d1448f819c80ea crypto/dh/dh_backend.c
24cf9462da6632c52b726041271f8a43dfb3f74414abe460d9cc9c7fd2fd2d7d crypto/dh/dh_check.c
9db32c052fb3cf7c36ab8e642f4852c2fa68a7b6bae0e3b1746522f826827068 crypto/dh/dh_check.c
c117ac4fd24369c7813ac9dc9685640700a82bb32b0f7e038e85afd6c8db75c7 crypto/dh/dh_gen.c
6b17861887b2535159b9e6ca4f927767dad3e71b6e8be50055bc784f78e92d64 crypto/dh/dh_group_params.c
a539a8930035fee3b723d74a1d13e931ff69a2b523c83d4a2d0d9db6c78ba902 crypto/dh/dh_kdf.c
@ -204,7 +204,7 @@ a47d8541bb2cc180f4c7d3ac0f888657e17621b318ea8a2eacdefb1926efb500 crypto/ec/ecp_
43f81968983e9a466b7dc9cffe64302418703f7a66adcbac4b7c4d8cb19c9af5 crypto/ec/ecx_backend.c
5ee19c357c318b2948ff5d9118a626a6207af2b2eade7d8536051d4a522668d3 crypto/ec/ecx_backend.h
2be4ca60082891bdc99f8c6ebc5392c1f0a7a53f0bcf18dcf5497a7aee0b9c84 crypto/ec/ecx_key.c
73c956c97fd558b0fd267934657fb829fd8d9ab12dda2d96d3ca1521f0416ca8 crypto/evp/asymcipher.c
c1f04d877f96f2d0852290e34b1994dd48222650ac1121903cee9c259fe3ebf2 crypto/evp/asymcipher.c
80da494704c8fc54fea36e5de7100a6c2fdcc5f8c50f43ac477df5f56fa57e58 crypto/evp/dh_support.c
bc9f3b827e3d29ac485fff9fb1c8f71d7e2bcd883ccc44c776de2f620081df58 crypto/evp/digest.c
838277f228cd3025cf95a9cd435e5606ad1fb5d207bbb057aa29892e6a657c55 crypto/evp/ec_support.c
@ -219,7 +219,7 @@ baccbd623a94ba350c07e0811033ad66a2c892ef51ccb051b4a65bf2ba625a85 crypto/evp/evp
90742590db894920ffdb737a450ee591488aa455802e777400b1bf887618fd7a crypto/evp/kdf_meth.c
948f7904e81008588288a1ba7969b9de83546c687230ffe2a3fd0be1651bce8f crypto/evp/kem.c
55d141a74405415ad21789abcace9557f1d1ef54cf207e99993bf0a801f4b81e crypto/evp/keymgmt_lib.c
5cb9ddc6a7434bd7e063bf85455c2025fb34e4eb846d7d113dbcedc25eeac7a3 crypto/evp/keymgmt_meth.c
d57908a9473d2af324f32549649016f7a3c196b5ac8b54d6ca3c82f84cab5d48 crypto/evp/keymgmt_meth.c
9e44d1ffb52fee194b12c50962907c8637e7d92f08339345ec9fd3bd4a248e69 crypto/evp/mac_lib.c
cd611921dc773b47207c036b9108ec820ab39d67780ba4adc9ccb9dc8da58627 crypto/evp/mac_meth.c
4f0a9a7baa72c6984edb53c46101b6ff774543603bec1e1d3a6123adf27e41db crypto/evp/p_lib.c
@ -322,7 +322,7 @@ f0c8792a99132e0b9c027cfa7370f45594a115934cdc9e8f23bdd64abecaf7fd crypto/rsa/rsa
1b828f428f0e78b591378f7b780164c4574620c68f9097de041cbd576f811bf6 crypto/rsa/rsa_backend.c
38a102cd1da1f6ca5a46e6a22f018237964336274385f5c70cbedcaa6997647e crypto/rsa/rsa_chk.c
e762c599b17d5c89f4b1c9eb7d0ca1f04a95d815c86a3e72c30b231ce57fb199 crypto/rsa/rsa_crpt.c
a3d20f27ae3cb41af5b62febd0bb19025e59d401b136306d570cdba103b15542 crypto/rsa/rsa_gen.c
026645569b11cf7c1247e4537cc004eea4469ed661391aef4fbc13e96c4952ca crypto/rsa/rsa_gen.c
f22bc4e2c3acab83e67820c906c1caf048ec1f0d4fcb7472c1bec753c75f8e93 crypto/rsa/rsa_lib.c
5ae8edaf654645996385fbd420ef73030762fc146bf41deb5294d6d83e257a16 crypto/rsa/rsa_local.h
cf0b75cd54b61b9b9a290ef18d0ddce9fb26a029a54eb3f720d9b25188440f00 crypto/rsa/rsa_mp_names.c
@ -397,7 +397,7 @@ c26498960895d435af4ef5f592d98a0c011c00609bbba8bbd0078d4a4f081609 crypto/slh_dsa
4c7981f7db69025f52495c549fb3b3a76be62b9e13072c3f3b7f1dedeaf8cc91 crypto/slh_dsa/slh_dsa_key.h
5dcb631891eb6afcd27a6b19d2de4d493c71dab159e53620d86d9b96642e97e8 crypto/slh_dsa/slh_dsa_local.h
adb3f4dea52396935b8442df7b36ed99324d3f3e8ce3fdf714d6dfd683e1f9f0 crypto/slh_dsa/slh_fors.c
ff320d5fc65580eb85e4e0530f332af515124a5ec8915b5a7ec04acad524c11d crypto/slh_dsa/slh_hash.c
3891252acdefc4eff77d7a65cc35d77bdca8083c9dd0d44ff91889ceafcccb45 crypto/slh_dsa/slh_hash.c
a146cdf01b4b6e20127f0e48b30ed5e8820bec0fca2d9423c7b63eddf0f19af3 crypto/slh_dsa/slh_hash.h
6402664fbb259808a6f7b5a5d6be2b4a3cc8a905399d97b160cdb3e4a97c02c4 crypto/slh_dsa/slh_hypertree.c
98ba100862bb45d13bcddff79bc55e44eadd95f528dd49accb4da3ca85fcc52d crypto/slh_dsa/slh_params.c
@ -433,7 +433,7 @@ e69b2b20fb415e24b970941c84a62b752b5d0175bc68126e467f7cc970495504 include/crypto
6c72cfa9e59d276c1debcfd36a0aff277539b43d2272267147fad4165d72747c include/crypto/ctype.h
f69643f16687c5a290b2ce6b846c6d1dddabfaf7e4d26fde8b1181955de32833 include/crypto/decoder.h
89693e0a7528a9574e1d2f80644b29e3b895d3684111dd07c18cc5bed28b45b7 include/crypto/des_platform.h
daf508bb7ed5783f1c8c622f0c230e179244dd3f584e1223a19ab95930fbcb4f include/crypto/dh.h
48d133a1eb8c3b3198cfe1cafda47f9abe8050d53004f3874f258a78f29b9e48 include/crypto/dh.h
679f6e52d9becdf51fde1649478083d18fa4f5a6ece21eeb1decf70f739f49d5 include/crypto/dsa.h
c7aafee54cc3ace0c563f15aa5af2cdce13e2cfc4f9a9a133952825fb7c8faf5 include/crypto/ec.h
adf369f3c9392e9f2dec5a87f61ac9e48160f4a763dae51d4ad5306c4ca4e226 include/crypto/ecx.h
@ -445,7 +445,7 @@ bbe5e52d84e65449a13e42cd2d6adce59b8ed6e73d6950917aa77dc1f3f5dff6 include/crypto
6e7762e7fb63f56d25b24f70209f4dc834c59a87f74467531ec81646f565dbe3 include/crypto/modes.h
920bc48a4dad3712bdcef188c0ce8e8a8304e0ce332b54843bab366fc5eab472 include/crypto/rand.h
71f23915ea74e93971fb0205901031be3abea7ffef2c52e4cc4848515079f68d include/crypto/rand_pool.h
6f16685ffbc97dc2ac1240bfddf4bbac2dd1ad83fff6da91aee6f3f64c6ee8ff include/crypto/rsa.h
b1df067691f9741ef9c42b2e5f12461bcd87b745514fc5701b9c9402fb10b224 include/crypto/rsa.h
32f0149ab1d82fddbdfbbc44e3078b4a4cc6936d35187e0f8d02cc0bc19f2401 include/crypto/security_bits.h
80338f3865b7c74aab343879432a6399507b834e2f55dd0e9ee7a5eeba11242a include/crypto/sha.h
0814571bff328719cc1e5a73a4daf6f5810b17f9e50fe63287f91f445f053213 include/crypto/slh_dsa.h
@ -511,7 +511,7 @@ bb45de4eafdd89c14096e9af9b0aee12b09adcee43b9313a3a373294dec99142 include/openss
69d98c5230b1c2a1b70c3e6b244fcfd8460a80ebf548542ea43bb1a57fe6cf57 include/openssl/configuration.h.in
6b3810dac6c9d6f5ee36a10ad6d895a5e4553afdfb9641ce9b7dc5db7eef30b7 include/openssl/conftypes.h
28c6f0ede39c821dcf4abeeb4e41972038ebb3e3c9d0a43ffdf28edb559470e1 include/openssl/core.h
940f6276e5bab8a7c59eedba56150902e619823c10dc5e50cf63575be6be9ba0 include/openssl/core_dispatch.h
b59255ddb1ead5531c3f0acf72fa6627d5c7192f3d23e9536eed00f32258c43b include/openssl/core_dispatch.h
d37532e62315d733862d0bff8d8de9fe40292a75deacae606f4776e544844316 include/openssl/core_names.h.in
57898905771752f6303e2b1cca1c9a41ea5e9c7bf08ee06531213a65e960e424 include/openssl/crypto.h.in
628e2a9e67412e2903ecb75efb27b262db1f266b805c07ece6b85bf7ffa19dac include/openssl/cryptoerr.h
@ -559,7 +559,7 @@ ed785c451189aa5f7299f9f32a841e7f25b67c4ee937c8de8491a39240f5bd9d include/openss
2f4f0106e9b2db6636491dbe3ef81b80dbf01aefe6f73d19663423b7fcd54466 include/openssl/rsa.h
2f339ba2f22b8faa406692289a6e51fdbbb04b03f85cf3ca849835e58211ad23 include/openssl/rsaerr.h
6586f2187991731835353de0ffad0b6b57609b495e53d0f32644491ece629eb2 include/openssl/safestack.h.in
b0c9ed3ce37034524623c579e8a2ea0feb6aab39e7489ce66e2b6bf28ec81840 include/openssl/self_test.h
cad320f140eade8a90b4d068e03d2fc0448204656f8c1270f69be82bc3272806 include/openssl/self_test.h
a435cb5d87a37c05921afb2d68f581018ec9f62fd9b3194ab651139b24f616d2 include/openssl/sha.h
c169a015d7be52b7b99dd41c418a48d97e52ad21687c39c512a83a7c3f3ddb70 include/openssl/stack.h
22d7584ad609e30e818b54dca1dfae8dea38913fffedd25cd540c550372fb9a6 include/openssl/symhacks.h
@ -611,14 +611,14 @@ bde6107744cf6840a4c350a48265ed000c49b0524fa60b0d68d6d7b33df5fce6 providers/comm
8ea192553b423e881d85118c70bcb26a40fbdee4e110f230c966939c76f4aa7e providers/common/securitycheck_fips.c
abd5997bc33b681a4ab275978b92aebca0806a4a3f0c2f41dacf11b3b6f4e101 providers/fips/fips_entry.c
d8cb05784ae8533a7d9569d4fbaaea4175b63a7c9f4fb0f254215224069dea6b providers/fips/fipsindicator.c
e9383013a79a8223784a69a66bb610d16d54e61ea978f67a3d31de9f48cd4627 providers/fips/fipsprov.c
485441c31b5ff7916a12d0b8438d131a58cbc1ff6267cd266ae2dd6128c825cc providers/fips/fipsprov.c
7be8349d3b557b6d9d5f87d318253a73d21123628a08f50726502abf0e3d8a44 providers/fips/include/fips/fipsindicator.h
ef204adc49776214dbb299265bc4f2c40b48848cbea4c25b8029f2b46a5c9797 providers/fips/include/fips_indicator_params.inc
f2581d7b4e105f2bb6d30908f3c2d9959313be08cec6dbeb49030c125a7676d3 providers/fips/include/fips_selftest_params.inc
669f76f742bcaaf28846b057bfab97da7c162d69da244de71b7c743bf16e430f providers/fips/include/fipscommon.h
1af975061d9ea273fd337c74ccaab7b9331ab781d887c4e7164c5ac35e2c2e94 providers/fips/self_test.c
5c2c6c2f69e2eb01b88fa35630f27948e00dd2c2fd351735c74f34ccb2005cbe providers/fips/self_test.h
9c5c8131ee9a5b2d1056b5548db3269c00445294134cb30b631707f69f8904f1 providers/fips/self_test_data.inc
826d559ea7019c5db557679c3fe1ff5022be0132789c847d61da3c293fc02227 providers/fips/self_test_data.inc
2e568e2b161131240e97bd77a730c2299f961c2f1409ea8466422fc07f9be23f providers/fips/self_test_kats.c
7a368f6c6a5636593018bf10faecc3be1005e7cb3f0647f25c62b6f0fb7ac974 providers/implementations/asymciphers/rsa_enc.c
c2f1b12c64fc369dfc3b9bc9e76a76de7280e6429adaee55d332eb1971ad1879 providers/implementations/ciphers/cipher_aes.c
@ -692,20 +692,20 @@ abe2b0f3711eaa34846e155cffc9242e4051c45de896f747afd5ac9d87f637dc providers/impl
e18ef50cd62647a2cc784c45169d75054dccd58fc106bf623d921de995bb3c34 providers/implementations/kdfs/sskdf.c
6d9767a99a5b46d44ac9e0898ee18d219c04dfb34fda42e71d54adccbed7d57c providers/implementations/kdfs/tls1_prf.c
88d04ff4c93648a4fbfd9ce137cfc64f2c85e1850593c1ab35334b8b3de8ad99 providers/implementations/kdfs/x942kdf.c
3e199221ff78d80a3678e917dbbd232c5cd15f35b7c41bac92b60f766f656af7 providers/implementations/kem/ml_kem_kem.c
b04249bcc64d6f7ec16f494afef252356b2f56424a034ab53def90463de0cb6f providers/implementations/kem/ml_kem_kem.c
a2e2b44064ef44b880b89ab6adc83686936acaa906313a37e5ec69d632912034 providers/implementations/kem/mlx_kem.c
c764555b9dc9b273c280514a5d2d44156f82f3e99155a77c627f2c773209bcd7 providers/implementations/kem/rsa_kem.c
b9f7fc5c19f637cee55b0a435b838f5de3a5573ca376ba602e90f70855a78852 providers/implementations/keymgmt/dh_kmgmt.c
a780a73b02f97d42a621fe096adf57a362b458cd5e5cfe1e3e619e88a407c7d7 providers/implementations/keymgmt/dh_kmgmt.c
24cc3cc8e8681c77b7f96c83293bd66045fd8ad69f756e673ca7f8ca9e82b0af providers/implementations/keymgmt/dsa_kmgmt.c
e10086c31aafae0562054e3b07f12409e39b87b5e96ee7668c231c37861aa447 providers/implementations/keymgmt/ec_kmgmt.c
967ab174fa4fadb4d4b1d226a1870028a3945d6e85c04d08f215686fe8fd2a07 providers/implementations/keymgmt/ec_kmgmt.c
258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251 providers/implementations/keymgmt/ec_kmgmt_imexport.inc
d042d687da861d2a39658c6b857a6507a70fa78cecdf883bd1dcdafcf102e084 providers/implementations/keymgmt/ecx_kmgmt.c
b335f1aca68f0b0b3f31e73473de264c812a932517d5a2c2339754d3e3f72a8a providers/implementations/keymgmt/ecx_kmgmt.c
daf35a7ab961ef70aefca981d80407935904c5da39dca6692432d6e6bc98759d providers/implementations/keymgmt/kdf_legacy_kmgmt.c
d97d7c8d3410b3e560ef2becaea2a47948e22205be5162f964c5e51a7eef08cb providers/implementations/keymgmt/mac_legacy_kmgmt.c
24384616fcba4eb5594ccb2ebc199bcee8494ce1b3f4ac7824f17743e39c0279 providers/implementations/keymgmt/ml_dsa_kmgmt.c
830c339dfc7f301ce5267ef9b0dc173b84d9597509c1a61ae038f3c01af78f45 providers/implementations/keymgmt/ml_kem_kmgmt.c
e15b780a1489bbe4c7d40d6aaa3bccfbf973e3946578f460eeb8373c657eee91 providers/implementations/keymgmt/mlx_kmgmt.c
9376a19735fcc79893cb3c6b0cff17a2cae61db9e9165d9a30f8def7f8e8e7c7 providers/implementations/keymgmt/rsa_kmgmt.c
d63d47e8705772c4269dbdb110400ec9a6dc49ea2217f3d2aecc8ce733d9e47f providers/implementations/keymgmt/rsa_kmgmt.c
6f0a786170ba9af860e36411d158ac0bd74bcb4d75c818a0cebadbc764759283 providers/implementations/keymgmt/slh_dsa_kmgmt.c
9d02d481b9c7c0c9e0932267d1a3e1fef00830aaa03093f000b88aa042972b9f providers/implementations/macs/cmac_prov.c
3c558b57fff3588b6832475e0b1c5be590229ad50d95a6ebb089b62bf5fe382d providers/implementations/macs/gmac_prov.c

2
deps/openssl/openssl/providers/fips.checksum vendored
View file

@ -1 +1 @@
cffe76b0bc6464c7c864d5e2eaaf528439cb6c9908dc75666d530aa8a65e152e providers/fips-sources.checksums
ef8128a08964171aaf5852362d97486b641fe521ad648e0c1108fd6d7f5a78ba providers/fips-sources.checksums

9
deps/openssl/openssl/providers/fips/fipsprov.c vendored
View file

@ -65,6 +65,7 @@ static OSSL_FUNC_core_vset_error_fn *c_vset_error;
static OSSL_FUNC_core_set_error_mark_fn *c_set_error_mark;
static OSSL_FUNC_core_clear_last_error_mark_fn *c_clear_last_error_mark;
static OSSL_FUNC_core_pop_error_to_mark_fn *c_pop_error_to_mark;
static OSSL_FUNC_core_count_to_mark_fn *c_count_to_mark;
static OSSL_FUNC_CRYPTO_malloc_fn *c_CRYPTO_malloc;
static OSSL_FUNC_CRYPTO_zalloc_fn *c_CRYPTO_zalloc;
static OSSL_FUNC_CRYPTO_free_fn *c_CRYPTO_free;
@ -797,6 +798,9 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle,
case OSSL_FUNC_CORE_POP_ERROR_TO_MARK:
set_func(c_pop_error_to_mark, OSSL_FUNC_core_pop_error_to_mark(in));
break;
case OSSL_FUNC_CORE_COUNT_TO_MARK:
set_func(c_count_to_mark, OSSL_FUNC_core_count_to_mark(in));
break;
case OSSL_FUNC_CRYPTO_MALLOC:
set_func(c_CRYPTO_malloc, OSSL_FUNC_CRYPTO_malloc(in));
break;
@ -1035,6 +1039,11 @@ int ERR_pop_to_mark(void)
return c_pop_error_to_mark(NULL);
}
int ERR_count_to_mark(void)
{
return c_count_to_mark != NULL ? c_count_to_mark(NULL) : 0;
}
/*
* This must take a library context, since it's called from the depths
* of crypto/initthread.c code, where it's (correctly) assumed that the

87
deps/openssl/openssl/providers/fips/self_test_data.inc vendored
View file

@ -208,28 +208,6 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] =
/*- CIPHER TEST DATA */
/* DES3 test data */
static const unsigned char des_ede3_cbc_pt[] = {
0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51
};
static const unsigned char des_ede3_cbc_key[] = {
0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
};
static const unsigned char des_ede3_cbc_iv[] = {
0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17
};
static const unsigned char des_ede3_cbc_ct[] = {
0x20, 0x79, 0xC3, 0xD5, 0x3A, 0xA7, 0x63, 0xE1,
0x93, 0xB7, 0x9E, 0x25, 0x69, 0xAB, 0x52, 0x62,
0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
};
/* AES-256 GCM test data */
static const unsigned char aes_256_gcm_key[] = {
0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
@ -907,38 +885,39 @@ static const unsigned char dh_priv[] = {
0x40, 0xb8, 0xfc, 0xe6
};
static const unsigned char dh_pub[] = {
0x95, 0xdd, 0x33, 0x8d, 0x29, 0xe5, 0x71, 0x04,
0x92, 0xb9, 0x18, 0x31, 0x7b, 0x72, 0xa3, 0x69,
0x36, 0xe1, 0x95, 0x1a, 0x2e, 0xe5, 0xa5, 0x59,
0x16, 0x99, 0xc0, 0x48, 0x6d, 0x0d, 0x4f, 0x9b,
0xdd, 0x6d, 0x5a, 0x3f, 0x6b, 0x98, 0x89, 0x0c,
0x62, 0xb3, 0x76, 0x52, 0xd3, 0x6e, 0x71, 0x21,
0x11, 0xe6, 0x8a, 0x73, 0x55, 0x37, 0x25, 0x06,
0x99, 0xef, 0xe3, 0x30, 0x53, 0x73, 0x91, 0xfb,
0xc2, 0xc5, 0x48, 0xbc, 0x5a, 0xc3, 0xe5, 0xb2,
0x33, 0x86, 0xc3, 0xee, 0xf5, 0xeb, 0x43, 0xc0,
0x99, 0xd7, 0x0a, 0x52, 0x02, 0x68, 0x7e, 0x83,
0x96, 0x42, 0x48, 0xfc, 0xa9, 0x1f, 0x40, 0x90,
0x8e, 0x8f, 0xb3, 0x31, 0x93, 0x15, 0xf6, 0xd2,
0x60, 0x6d, 0x7f, 0x7c, 0xd5, 0x2c, 0xc6, 0xe7,
0xc5, 0x84, 0x3a, 0xfb, 0x22, 0x51, 0x9c, 0xf0,
0xf0, 0xf9, 0xd3, 0xa0, 0xa4, 0xe8, 0xc8, 0x88,
0x99, 0xef, 0xed, 0xe7, 0x36, 0x43, 0x51, 0xfb,
0x6a, 0x36, 0x3e, 0xe7, 0x17, 0xe5, 0x44, 0x5a,
0xda, 0xb4, 0xc9, 0x31, 0xa6, 0x48, 0x39, 0x97,
0xb8, 0x7d, 0xad, 0x83, 0x67, 0x7e, 0x4d, 0x1d,
0x3a, 0x77, 0x75, 0xe0, 0xf6, 0xd0, 0x0f, 0xdf,
0x73, 0xc7, 0xad, 0x80, 0x1e, 0x66, 0x5a, 0x0e,
0x5a, 0x79, 0x6d, 0x0a, 0x03, 0x80, 0xa1, 0x9f,
0xa1, 0x82, 0xef, 0xc8, 0xa0, 0x4f, 0x5e, 0x4d,
0xb9, 0x0d, 0x1a, 0x86, 0x37, 0xf9, 0x5d, 0xb1,
0x64, 0x36, 0xbd, 0xc8, 0xf3, 0xfc, 0x09, 0x6c,
0x4f, 0xf7, 0xf2, 0x34, 0xbe, 0x8f, 0xef, 0x47,
0x9a, 0xc4, 0xb0, 0xdc, 0x4b, 0x77, 0x26, 0x3e,
0x07, 0xd9, 0x95, 0x9d, 0xe0, 0xf1, 0xbf, 0x3f,
0x0a, 0xe3, 0xd9, 0xd5, 0x0e, 0x4b, 0x89, 0xc9,
0x9e, 0x3e, 0xa1, 0x21, 0x73, 0x43, 0xdd, 0x8c,
0x65, 0x81, 0xac, 0xc4, 0x95, 0x9c, 0x91, 0xd3
0x00, 0x8f, 0x81, 0x67, 0x68, 0xce, 0x97, 0x99,
0x7e, 0x11, 0x5c, 0xad, 0x5b, 0xe1, 0x0c, 0xd4,
0x15, 0x44, 0xdf, 0xc2, 0x47, 0xe7, 0x06, 0x27,
0x5e, 0xf3, 0x9d, 0x5c, 0x4b, 0x2e, 0x35, 0x05,
0xfd, 0x3c, 0x8f, 0x35, 0x85, 0x1b, 0x82, 0xdd,
0x49, 0xc9, 0xa8, 0x7e, 0x3a, 0x5f, 0x33, 0xdc,
0x8f, 0x5e, 0x32, 0x76, 0xe1, 0x52, 0x1b, 0x88,
0x85, 0xda, 0xa9, 0x1d, 0x5f, 0x1c, 0x05, 0x3a,
0xd4, 0x8d, 0xbb, 0xe7, 0x46, 0x46, 0x1e, 0x29,
0x4b, 0x5a, 0x02, 0x88, 0x46, 0x94, 0xd0, 0x68,
0x7d, 0xb2, 0x9f, 0x3a, 0x3d, 0x82, 0x05, 0xe5,
0xa7, 0xbe, 0x6c, 0x7e, 0x24, 0x35, 0x25, 0x14,
0xf3, 0x45, 0x08, 0x90, 0xfc, 0x55, 0x2e, 0xa8,
0xb8, 0xb1, 0x89, 0x15, 0x94, 0x51, 0x44, 0xa9,
0x9f, 0x68, 0xcb, 0x90, 0xbc, 0xd3, 0xae, 0x02,
0x37, 0x26, 0xe4, 0xe9, 0x1a, 0x90, 0x95, 0x7e,
0x1d, 0xac, 0x0c, 0x91, 0x97, 0x83, 0x24, 0x83,
0xb9, 0xa1, 0x40, 0x72, 0xac, 0xf0, 0x55, 0x32,
0x18, 0xab, 0xb8, 0x90, 0xda, 0x13, 0x4a, 0xc8,
0x4b, 0x7c, 0x18, 0xbc, 0x33, 0xbf, 0x99, 0x85,
0x39, 0x3e, 0xc6, 0x95, 0x9b, 0x48, 0x8e, 0xbe,
0x46, 0x59, 0x48, 0x41, 0x0d, 0x37, 0x25, 0x94,
0xbe, 0x8d, 0xf5, 0x81, 0x52, 0xf6, 0xdc, 0xeb,
0x98, 0xd7, 0x3b, 0x44, 0x61, 0x6f, 0xa3, 0xef,
0x7b, 0xfe, 0xbb, 0xc2, 0x8e, 0x46, 0x63, 0xbc,
0x52, 0x65, 0xf9, 0xf8, 0x85, 0x41, 0xdf, 0x82,
0x4a, 0x10, 0x2a, 0xe3, 0x0c, 0xb7, 0xad, 0x84,
0xa6, 0x6f, 0x4e, 0x8e, 0x96, 0x1e, 0x04, 0xf7,
0x57, 0x39, 0xca, 0x58, 0xd4, 0xef, 0x5a, 0xf1,
0xf5, 0x69, 0xc2, 0xb1, 0x5c, 0x0a, 0xce, 0xbe,
0x38, 0x01, 0xb5, 0x3f, 0x07, 0x8a, 0x72, 0x90,
0x10, 0xac, 0x51, 0x3a, 0x96, 0x43, 0xdf, 0x6f,
0xea
};
static const unsigned char dh_peer_pub[] = {
0x1f, 0xc1, 0xda, 0x34, 0x1d, 0x1a, 0x84, 0x6a,

1
deps/openssl/openssl/providers/implementations/encode_decode/decode_pem2der.c vendored
View file

@ -151,6 +151,7 @@ static int pem2der_decode(void *vctx, OSSL_CORE_BIO *cin, int selection,
{ PEM_STRING_DSAPARAMS, OSSL_OBJECT_PKEY, "DSA", "type-specific" },
{ PEM_STRING_ECPRIVATEKEY, OSSL_OBJECT_PKEY, "EC", "type-specific" },
{ PEM_STRING_ECPARAMETERS, OSSL_OBJECT_PKEY, "EC", "type-specific" },
{ PEM_STRING_SM2PRIVATEKEY, OSSL_OBJECT_PKEY, "SM2", "type-specific" },
{ PEM_STRING_SM2PARAMETERS, OSSL_OBJECT_PKEY, "SM2", "type-specific" },
{ PEM_STRING_RSA, OSSL_OBJECT_PKEY, "RSA", "type-specific" },
{ PEM_STRING_RSA_PUBLIC, OSSL_OBJECT_PKEY, "RSA", "type-specific" },

2
deps/openssl/openssl/providers/implementations/kem/ml_kem_kem.c vendored
View file

@ -171,7 +171,7 @@ static int ml_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
return 1;
}
if (shsec == NULL) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL,
ERR_raise_data(ERR_LIB_PROV, PROV_R_NULL_OUTPUT_BUFFER,
"NULL shared-secret buffer");
goto end;
}

18
deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c vendored
View file

@ -1,5 +1,5 @@
/*
* Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -19,10 +19,12 @@
#include <openssl/core_names.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/self_test.h>
#include "prov/implementations.h"
#include "prov/providercommon.h"
#include "prov/provider_ctx.h"
#include "crypto/dh.h"
#include "internal/fips.h"
#include "internal/sizes.h"
static OSSL_FUNC_keymgmt_new_fn dh_newdata;
@ -207,6 +209,18 @@ static int dh_import(void *keydata, int selection, const OSSL_PARAM params[])
selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
ok = ok && ossl_dh_key_fromdata(dh, params, include_private);
#ifdef FIPS_MODULE
/*
* FIPS 140-3 IG 10.3.A additional comment 1 mandates that a pairwise
* consistency check be undertaken on key import. The required test
* is described in SP 800-56Ar3 5.6.2.1.4.
*/
if (ok > 0 && !ossl_fips_self_testing()) {
ok = ossl_dh_check_pairwise(dh, 1);
if (ok <= 0)
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
}
#endif /* FIPS_MODULE */
}
return ok;
@ -440,7 +454,7 @@ static int dh_validate(const void *keydata, int selection, int checktype)
if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR)
== OSSL_KEYMGMT_SELECT_KEYPAIR)
ok = ok && ossl_dh_check_pairwise(dh);
ok = ok && ossl_dh_check_pairwise(dh, 0);
return ok;
}

17
deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt.c vendored
View file

@ -20,12 +20,14 @@
#include <openssl/err.h>
#include <openssl/objects.h>
#include <openssl/proverr.h>
#include <openssl/self_test.h>
#include "crypto/bn.h"
#include "crypto/ec.h"
#include "prov/implementations.h"
#include "prov/providercommon.h"
#include "prov/provider_ctx.h"
#include "prov/securitycheck.h"
#include "internal/fips.h"
#include "internal/param_build_set.h"
#ifndef FIPS_MODULE
@ -429,6 +431,21 @@ int common_import(void *keydata, int selection, const OSSL_PARAM params[],
if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
ok = ok && ossl_ec_key_otherparams_fromdata(ec, params);
#ifdef FIPS_MODULE
if (ok > 0
&& !ossl_fips_self_testing()
&& EC_KEY_get0_public_key(ec) != NULL
&& EC_KEY_get0_private_key(ec) != NULL
&& EC_KEY_get0_group(ec) != NULL) {
BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));
ok = bnctx != NULL && ossl_ec_key_pairwise_check(ec, bnctx);
BN_CTX_free(bnctx);
if (ok <= 0)
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
}
#endif /* FIPS_MODULE */
return ok;
}

23
deps/openssl/openssl/providers/implementations/keymgmt/ecx_kmgmt.c vendored
View file

@ -17,6 +17,7 @@
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/self_test.h>
#include "internal/fips.h"
#include "internal/param_build_set.h"
#include <openssl/param_build.h>
#include "crypto/ecx.h"
@ -92,6 +93,15 @@ static void *s390x_ecd_keygen25519(struct ecx_gen_ctx *gctx);
static void *s390x_ecd_keygen448(struct ecx_gen_ctx *gctx);
#endif
#ifdef FIPS_MODULE
static int ecd_fips140_pairwise_test(const ECX_KEY *ecx, int type, int self_test);
#endif /* FIPS_MODULE */
static ossl_inline int ecx_key_type_is_ed(ECX_KEY_TYPE type)
{
return type == ECX_KEY_TYPE_ED25519 || type == ECX_KEY_TYPE_ED448;
}
static void *x25519_new_key(void *provctx)
{
if (!ossl_prov_is_running())
@ -208,6 +218,14 @@ static int ecx_import(void *keydata, int selection, const OSSL_PARAM params[])
include_private = selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
ok = ok && ossl_ecx_key_fromdata(key, params, include_private);
#ifdef FIPS_MODULE
if (ok > 0 && ecx_key_type_is_ed(key->type) && !ossl_fips_self_testing())
if (key->haspubkey && key->privkey != NULL) {
ok = ecd_fips140_pairwise_test(key, key->type, 1);
if (ok <= 0)
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
}
#endif /* FIPS_MODULE */
return ok;
}
@ -703,8 +721,7 @@ static void *ecx_gen(struct ecx_gen_ctx *gctx)
}
#ifndef FIPS_MODULE
if (gctx->dhkem_ikm != NULL && gctx->dhkem_ikmlen != 0) {
if (gctx->type == ECX_KEY_TYPE_ED25519
|| gctx->type == ECX_KEY_TYPE_ED448)
if (ecx_key_type_is_ed(gctx->type))
goto err;
if (!ossl_ecx_dhkem_derive_private(key, privkey,
gctx->dhkem_ikm, gctx->dhkem_ikmlen))
@ -968,7 +985,7 @@ static int ecx_validate(const void *keydata, int selection, int type,
if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != OSSL_KEYMGMT_SELECT_KEYPAIR)
return ok;
if (type == ECX_KEY_TYPE_ED25519 || type == ECX_KEY_TYPE_ED448)
if (ecx_key_type_is_ed(type))
ok = ok && ecd_key_pairwise_check(ecx, type);
else
ok = ok && ecx_key_pairwise_check(ecx, type);

18
deps/openssl/openssl/providers/implementations/keymgmt/rsa_kmgmt.c vendored
View file

@ -25,6 +25,7 @@
#include "prov/provider_ctx.h"
#include "crypto/rsa.h"
#include "crypto/cryptlib.h"
#include "internal/fips.h"
#include "internal/param_build_set.h"
static OSSL_FUNC_keymgmt_new_fn rsa_newdata;
@ -196,6 +197,23 @@ static int rsa_import(void *keydata, int selection, const OSSL_PARAM params[])
ok = ok && ossl_rsa_fromdata(rsa, params, include_private);
}
#ifdef FIPS_MODULE
if (ok > 0 && !ossl_fips_self_testing()) {
const BIGNUM *n, *e, *d, *dp, *dq, *iq, *p, *q;
RSA_get0_key(rsa, &n, &e, &d);
RSA_get0_crt_params(rsa, &dp, &dq, &iq);
p = RSA_get0_p(rsa);
q = RSA_get0_q(rsa);
/* Check for the public key */
if (n != NULL && e != NULL)
/* Check for private key in straightforward or CRT form */
if (d != NULL || (p != NULL && q != NULL && dp != NULL
&& dq != NULL && iq != NULL))
ok = ossl_rsa_key_pairwise_test(rsa);
}
#endif /* FIPS_MODULE */
return ok;
}

11
deps/openssl/openssl/providers/legacyprov.c vendored
View file

@ -1,5 +1,5 @@
/*
* Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -48,6 +48,7 @@ static OSSL_FUNC_core_vset_error_fn *c_vset_error;
static OSSL_FUNC_core_set_error_mark_fn *c_set_error_mark;
static OSSL_FUNC_core_clear_last_error_mark_fn *c_clear_last_error_mark;
static OSSL_FUNC_core_pop_error_to_mark_fn *c_pop_error_to_mark;
static OSSL_FUNC_core_count_to_mark_fn *c_count_to_mark;
#endif
/* Parameters we provide to the core */
@ -234,6 +235,9 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
case OSSL_FUNC_CORE_POP_ERROR_TO_MARK:
set_func(c_pop_error_to_mark, OSSL_FUNC_core_pop_error_to_mark(tmp));
break;
case OSSL_FUNC_CORE_COUNT_TO_MARK:
set_func(c_count_to_mark, OSSL_FUNC_core_count_to_mark(in));
break;
}
}
#endif
@ -301,4 +305,9 @@ int ERR_pop_to_mark(void)
{
return c_pop_error_to_mark(NULL);
}
int ERR_count_to_mark(void)
{
return c_count_to_mark != NULL ? c_count_to_mark(NULL) : 0;
}
#endif

25
deps/openssl/openssl/ssl/quic/quic_ackm.c vendored
View file

@ -1,5 +1,5 @@
/*
* Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -536,6 +536,9 @@ struct ossl_ackm_st {
/* Set to 1 when the handshake is confirmed. */
char handshake_confirmed;
/* Set to 1 when attached to server channel */
char is_server;
/* Set to 1 when the peer has completed address validation. */
char peer_completed_addr_validation;
@ -855,7 +858,13 @@ static OSSL_TIME ackm_get_pto_time_and_space(OSSL_ACKM *ackm, int *space)
}
for (i = QUIC_PN_SPACE_INITIAL; i < QUIC_PN_SPACE_NUM; ++i) {
if (ackm->ack_eliciting_bytes_in_flight[i] == 0)
/*
* RFC 9002 section 6.2.2.1 keep probe timeout armed until
* handshake is confirmed (client sees HANDSHAKE_DONE message
* from server).
*/
if (ackm->ack_eliciting_bytes_in_flight[i] == 0 &&
(ackm->handshake_confirmed == 1 || ackm->is_server == 1))
continue;
if (i == QUIC_PN_SPACE_APP) {
@ -875,12 +884,20 @@ static OSSL_TIME ackm_get_pto_time_and_space(OSSL_ACKM *ackm, int *space)
}
}
/*
* Only re-arm timer if stack has sent at least one ACK eliciting frame.
* If stack has sent no ACK eliciting frame at given encryption level then
* particular timer is zero and we must not attempt to set it. Timer keeps
* time since epoch (Jan 1 1970) and we must not set timer to past.
*/
if (!ossl_time_is_zero(ackm->time_of_last_ack_eliciting_pkt[i])) {
t = ossl_time_add(ackm->time_of_last_ack_eliciting_pkt[i], duration);
if (ossl_time_compare(t, pto_timeout) < 0) {
pto_timeout = t;
pto_space = i;
}
}
}
*space = pto_space;
return pto_timeout;
@ -1021,7 +1038,8 @@ OSSL_ACKM *ossl_ackm_new(OSSL_TIME (*now)(void *arg),
void *now_arg,
OSSL_STATM *statm,
const OSSL_CC_METHOD *cc_method,
OSSL_CC_DATA *cc_data)
OSSL_CC_DATA *cc_data,
int is_server)
{
OSSL_ACKM *ackm;
int i;
@ -1045,6 +1063,7 @@ OSSL_ACKM *ossl_ackm_new(OSSL_TIME (*now)(void *arg),
ackm->statm = statm;
ackm->cc_method = cc_method;
ackm->cc_data = cc_data;
ackm->is_server = (char)is_server;
ackm->rx_max_ack_delay = ossl_ms2time(QUIC_DEFAULT_MAX_ACK_DELAY);
ackm->tx_max_ack_delay = DEFAULT_TX_MAX_ACK_DELAY;

3
deps/openssl/openssl/ssl/quic/quic_channel.c vendored
View file

@ -242,7 +242,8 @@ static int ch_init(QUIC_CHANNEL *ch)
goto err;
if ((ch->ackm = ossl_ackm_new(get_time, ch, &ch->statm,
ch->cc_method, ch->cc_data)) == NULL)
ch->cc_method, ch->cc_data,
ch->is_server)) == NULL)
goto err;
if (!ossl_quic_stream_map_init(&ch->qsm, get_stream_limit, ch,

26
deps/openssl/openssl/ssl/quic/quic_rx_depack.c vendored
View file

@ -1429,16 +1429,8 @@ int ossl_quic_handle_frames(QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpacket)
uint32_t enc_level;
size_t dgram_len = qpacket->datagram_len;
/*
* ok has three states:
* -1 error with ackm_data uninitialized
* 0 error with ackm_data initialized
* 1 success (ackm_data initialized)
*/
int ok = -1; /* Assume the worst */
if (ch == NULL)
goto end;
return 0;
ch->did_crypto_frame = 0;
@ -1456,9 +1448,8 @@ int ossl_quic_handle_frames(QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpacket)
* Retry and Version Negotiation packets should not be passed to this
* function.
*/
goto end;
return 0;
ok = 0; /* Still assume the worst */
ackm_data.pkt_space = ossl_quic_enc_level_to_pn_space(enc_level);
/*
@ -1480,18 +1471,9 @@ int ossl_quic_handle_frames(QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpacket)
enc_level,
qpacket->time,
&ackm_data))
goto end;
return 0;
ok = 1;
end:
/*
* ASSUMPTION: If this function is called at all, |qpacket| is
* a legitimate packet, even if its contents aren't.
* Therefore, we call ossl_ackm_on_rx_packet() unconditionally, as long as
* |ackm_data| has at least been initialized.
*/
if (ok >= 0)
ossl_ackm_on_rx_packet(ch->ackm, &ackm_data);
return ok > 0;
return 1;
}

21
deps/openssl/openssl/util/perl/TLSProxy/Proxy.pm vendored
View file

@ -97,7 +97,23 @@ sub new_dtls {
sub init
{
my $useSockInet = 0;
eval {
require IO::Socket::IP;
my $s = IO::Socket::IP->new(
LocalAddr => "::1",
LocalPort => 0,
Listen=>1,
);
$s or die "\n";
$s->close();
};
if ($@ eq "") {
require IO::Socket::IP;
} else {
$useSockInet = 1;
}
my $class = shift;
my ($filter,
$execute,
@ -118,8 +134,13 @@ sub init
$test_client_port = 49152 + int(rand(65535 - 49152));
my $test_sock;
if ($useINET6 == 0) {
if ($useSockInet == 0) {
$test_sock = IO::Socket::IP->new(LocalPort => $test_client_port,
LocalAddr => $test_client_addr);
} else {
$test_sock = IO::Socket::INET->new(LocalAddr => $test_client_addr,
LocalPort => $test_client_port);
}
} else {
$test_sock = IO::Socket::INET6->new(LocalAddr => $test_client_addr,
LocalPort => $test_client_port,