deps: upgrade openssl sources to openssl-3.5.3

PR-URL: https://github.com/nodejs/node/pull/59901
Reviewed-By: Richard Lau <richard.lau@ibm.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Node.js GitHub Bot 2025-09-16 15:39:48 +00:00
parent f6f8eb7c25
commit 3a5c97ef50
99 changed files with 562 additions and 361 deletions


@ -28,6 +28,56 @@ OpenSSL Releases
OpenSSL 3.5
-----------
### Changes between 3.5.2 and 3.5.3 [16 Sep 2025]
* Avoided a potential race condition introduced in 3.5.1, where
`OSSL_STORE_CTX` kept open during lookup while potentially being used
by multiple threads simultaneously, that could lead to potential crashes
when multiple concurrent TLS connections are served.
*Matt Caswell*
* The FIPS provider no longer performs a PCT on key import for RSA, DH,
and EC keys (that was introduced in 3.5.2), following the latest update
on that requirement in FIPS 140-3 IG 10.3.A additional comment 1.
*Dr Paul Dale*
* Secure memory allocation calls are no longer used for HMAC keys.
*Dr Paul Dale*
* `openssl req` no longer generates certificates with an empty extension list
when SKID/AKID are set to `none` during generation.
*David Benjamin*
* The man page date is now derived from the release date provided
in `VERSION.dat` and not the current date for the released builds.
*Enji Cooper*
* Hardened the provider implementation of the RSA public key "encrypt"
operation to add a missing check that the caller-indicated output buffer
size is at least as large as the byte count of the RSA modulus. The issue
was reported by Arash Ale Ebrahim from SYSPWN.
This operation is typically invoked via `EVP_PKEY_encrypt(3)`. Callers that
in fact provide a sufficiently large buffer, but fail to correctly indicate
its size may now encounter unexpected errors. In applications that attempt
RSA public encryption into a buffer that is too small, an out-of-bounds
write is now avoided and an error is reported instead.
*Viktor Dukhovni*
* Added FIPS 140-3 PCT on DH key generation.
*Nikola Pajkovsky*
* Fixed the synthesised `OPENSSL_VERSION_NUMBER`.
*Richard Levitte*
### Changes between 3.5.1 and 3.5.2 [5 Aug 2025]
* The FIPS provider now performs a PCT on key import for RSA, EC and ECX.


@ -3,6 +3,8 @@
##
## {- join("\n## ", @autowarntext) -}
{-
use Time::Piece;
use OpenSSL::Util;
our $makedep_scheme = $config{makedep_scheme};
@ -74,6 +76,15 @@ FIPSKEY={- $config{FIPSKEY} -}
VERSION={- "$config{full_version}" -}
VERSION_NUMBER={- "$config{version}" -}
RELEASE_DATE={- my $t = localtime;
if ($config{"release_date"}) {
# Provide the user with a more meaningful error message
# than the default internal parsing error from
# `Time::Piece->strptime(..)`.
eval { $t = Time::Piece->strptime($config{"release_date"}, "%d %b %Y"); } ||
die "Parsing \$config{release_date} ('$config{release_date}') failed: $@";
}
$t->strftime("%Y-%m-%d") -}
MAJOR={- $config{major} -}
MINOR={- $config{minor} -}
SHLIB_VERSION_NUMBER={- $config{shlib_version} -}
@ -1565,7 +1576,8 @@ EOF
return <<"EOF";
$args{src}: $pod
pod2man --name=$name --section=$section\$(MANSUFFIX) --center=OpenSSL \\
--release=\$(VERSION) $pod >\$\@
--date=\$(RELEASE_DATE) --release=\$(VERSION) \\
$pod >\$\@
EOF
} elsif (platform->isdef($args{src})) {
#


@ -23,6 +23,16 @@ OpenSSL Releases
OpenSSL 3.5
-----------
### Major changes between OpenSSL 3.5.2 and OpenSSL 3.5.3 [16 Sep 2025]
* Added FIPS 140-3 PCT on DH key generation.
*Nikola Pajkovsky*
* Fixed the synthesised `OPENSSL_VERSION_NUMBER`.
*Richard Levitte*
### Major changes between OpenSSL 3.5.1 and OpenSSL 3.5.2 [5 Aug 2025]
* none


@ -125,7 +125,7 @@ format:
`\\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\OpenSSL-<version>-<ctx>`
Where `<version>` is the major.minor version of the library being
built, and `<ctx>` is the value specified by `-DOPENSSL_WINCTX`. This allows
built, and `<ctx>` is the value specified by `-DOSSL_WINCTX`. This allows
for multiple openssl builds to be created and installed on a single system, in
which each library can use its own set of registry keys.


@ -1,7 +1,7 @@
MAJOR=3
MINOR=5
PATCH=2
PATCH=3
PRE_RELEASE_TAG=
BUILD_METADATA=
RELEASE_DATE="5 Aug 2025"
RELEASE_DATE="16 Sep 2025"
SHLIB_VERSION=3


@ -1280,6 +1280,7 @@ int cms_main(int argc, char **argv)
goto end;
}
if (ret <= 0) {
BIO_printf(bio_err, "Error writing CMS output\n");
ret = 6;
goto end;
}


@ -260,6 +260,8 @@ int enc_main(int argc, char **argv)
goto opthelp;
if (k)
n *= 1024;
if (n > INT_MAX)
goto opthelp;
bsize = (int)n;
break;
case OPT_K:
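Review bot: The new `if (n > INT_MAX)` test runs after `n *= 1024`, so it only protects the `(int)n` cast; whether the multiplication itself can overflow depends on the guard that ends in the `goto opthelp;` above, whose condition is outside the hunk. If that guard does not already bound `n` when `k` is set, the product should be bounded before multiplying. A short comment such as `/* bsize is an int: reject sizes the cast below would truncate */` above the new check would record why it is there. enc_main continues beyond the hunk.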


@ -103,7 +103,6 @@ int wrap_password_callback(char *buf, int bufsiz, int verify, void *cb_data);
/* progress callback for dsaparam, dhparam, req, genpkey, etc. */
int progress_cb(EVP_PKEY_CTX *ctx);
int chopup_args(ARGS *arg, char *buf);
void dump_cert_text(BIO *out, X509 *x);
void print_name(BIO *out, const char *title, const X509_NAME *nm);
void print_bignum_var(BIO *, const BIGNUM *, const char *,


@ -83,55 +83,6 @@ static int set_multi_opts(unsigned long *flags, const char *arg,
const NAME_EX_TBL *in_tbl);
int app_init(long mesgwin);
int chopup_args(ARGS *arg, char *buf)
{
int quoted;
char c = '\0', *p = NULL;
arg->argc = 0;
if (arg->size == 0) {
arg->size = 20;
arg->argv = app_malloc(sizeof(*arg->argv) * arg->size, "argv space");
}
for (p = buf;;) {
/* Skip whitespace. */
while (*p && isspace(_UC(*p)))
p++;
if (*p == '\0')
break;
/* The start of something good :-) */
if (arg->argc >= arg->size) {
char **tmp;
arg->size += 20;
tmp = OPENSSL_realloc(arg->argv, sizeof(*arg->argv) * arg->size);
if (tmp == NULL)
return 0;
arg->argv = tmp;
}
quoted = *p == '\'' || *p == '"';
if (quoted)
c = *p++;
arg->argv[arg->argc++] = p;
/* now look for the end of this */
if (quoted) {
while (*p && *p != c)
p++;
*p++ = '\0';
} else {
while (*p && !isspace(_UC(*p)))
p++;
if (*p)
*p++ = '\0';
}
}
arg->argv[arg->argc] = NULL;
return 1;
}
#ifndef APP_INIT
int app_init(long mesgwin)
{


@ -662,7 +662,8 @@ redo_accept:
resp =
OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST,
NULL);
send_ocsp_response(cbio, resp);
if (resp != NULL)
send_ocsp_response(cbio, resp);
}
goto done_resp;
}
@ -764,16 +765,18 @@ redo_accept:
BIO_free(derbio);
}
i = OCSP_response_status(resp);
if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
BIO_printf(out, "Responder Error: %s (%d)\n",
OCSP_response_status_str(i), i);
if (!ignore_err)
if (resp != NULL) {
i = OCSP_response_status(resp);
if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
BIO_printf(out, "Responder Error: %s (%d)\n",
OCSP_response_status_str(i), i);
if (!ignore_err)
goto end;
}
}
if (resp_text)
OCSP_RESPONSE_print(out, resp, 0);
if (resp_text)
OCSP_RESPONSE_print(out, resp, 0);
}
/* If running as responder don't verify our own response */
if (cbio != NULL) {
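Review bot: When `OCSP_response_create()` returns NULL in the malformed-request branch, the new `if (resp != NULL)` guard skips `send_ocsp_response()` and nothing is reported, so the client gets no reply and the operator gets no diagnostic. Consider logging the failure, e.g. `else BIO_printf(bio_err, "Error creating OCSP response\n");`. In the second hunk a NULL `resp` now skips the status check and falls through to the code after `if (cbio != NULL)`, which is outside the hunk; confirm that path tolerates a NULL response.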


@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@ -1431,6 +1431,9 @@ $code.=<<___ if (!$softonly);
st${g} $s3,0($sp) # backchain
la %r1,$stdframe($sp)
xc $stdframe+0(64,$sp),$stdframe+0($sp) # clear reserved/unused
# in parameter block
lmg $s2,$s3,0($key) # copy key
stg $s2,$stdframe+80($sp)
stg $s3,$stdframe+88($sp)


@ -168,6 +168,19 @@ static int asn1_write_micalg(BIO *out, STACK_OF(X509_ALGOR) *mdalgs)
BIO_write(out, ",", 1);
write_comma = 1;
md_nid = OBJ_obj2nid(sk_X509_ALGOR_value(mdalgs, i)->algorithm);
/* RFC 8702 does not define a micalg for SHAKE, assuming "shake-<bitlen>" */
if (md_nid == NID_shake128) {
if (BIO_puts(out, "shake-128") < 0)
goto err;
continue;
}
if (md_nid == NID_shake256) {
if (BIO_puts(out, "shake-256") < 0)
goto err;
continue;
}
md = EVP_get_digestbynid(md_nid);
if (md && md->md_ctrl) {
int rv;
@ -204,15 +217,15 @@ static int asn1_write_micalg(BIO *out, STACK_OF(X509_ALGOR) *mdalgs)
case NID_id_GostR3411_94:
BIO_puts(out, "gostr3411-94");
goto err;
break;
case NID_id_GostR3411_2012_256:
BIO_puts(out, "gostr3411-2012-256");
goto err;
break;
case NID_id_GostR3411_2012_512:
BIO_puts(out, "gostr3411-2012-512");
goto err;
break;
default:
if (have_unknown) {
@ -272,7 +285,8 @@ int SMIME_write_ASN1_ex(BIO *bio, ASN1_VALUE *val, BIO *data, int flags,
BIO_printf(bio, "Content-Type: multipart/signed;");
BIO_printf(bio, " protocol=\"%ssignature\";", mime_prefix);
BIO_puts(bio, " micalg=\"");
asn1_write_micalg(bio, mdalgs);
if (!asn1_write_micalg(bio, mdalgs))
return 0;
BIO_printf(bio, "\"; boundary=\"----%s\"%s%s",
bound, mime_eol, mime_eol);
BIO_printf(bio, "This is an S/MIME signed message%s%s",
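Review bot: The GOST cases in `asn1_write_micalg()` still ignore the return value of `BIO_puts()`, while the added SHAKE branches treat a negative return as an error; the same form, `if (BIO_puts(out, "gostr3411-94") < 0) goto err;`, would make the function consistent. In `SMIME_write_ASN1_ex()` the new `return 0` fires after part of the `Content-Type` header has already been written to `bio`, so callers must discard the output on failure; a one-line comment at that return would make this explicit. Both functions extend beyond the hunks shown.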


@ -1,5 +1,5 @@
/*
* Copyright 2005-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -464,11 +464,11 @@ static int dgram_write(BIO *b, const char *in, int inl)
return ret;
}
static long dgram_get_mtu_overhead(bio_dgram_data *data)
static long dgram_get_mtu_overhead(BIO_ADDR *addr)
{
long ret;
switch (BIO_ADDR_family(&data->peer)) {
switch (BIO_ADDR_family(addr)) {
case AF_INET:
/*
* Assume this is UDP - 20 bytes for IP, 8 bytes for UDP
@ -480,7 +480,8 @@ static long dgram_get_mtu_overhead(bio_dgram_data *data)
{
# ifdef IN6_IS_ADDR_V4MAPPED
struct in6_addr tmp_addr;
if (BIO_ADDR_rawaddress(&data->peer, &tmp_addr, NULL)
if (BIO_ADDR_rawaddress(addr, &tmp_addr, NULL)
&& IN6_IS_ADDR_V4MAPPED(&tmp_addr))
/*
* Assume this is UDP - 20 bytes for IP, 8 bytes for UDP
@ -666,11 +667,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
&sockopt_len)) < 0 || sockopt_val < 0) {
ret = 0;
} else {
/*
* we assume that the transport protocol is UDP and no IP
* options are used.
*/
data->mtu = sockopt_val - 8 - 20;
data->mtu = sockopt_val - dgram_get_mtu_overhead(&addr);
ret = data->mtu;
}
break;
@ -682,11 +679,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
|| sockopt_val < 0) {
ret = 0;
} else {
/*
* we assume that the transport protocol is UDP and no IPV6
* options are used.
*/
data->mtu = sockopt_val - 8 - 40;
data->mtu = sockopt_val - dgram_get_mtu_overhead(&addr);
ret = data->mtu;
}
break;
@ -700,7 +693,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
# endif
break;
case BIO_CTRL_DGRAM_GET_FALLBACK_MTU:
ret = -dgram_get_mtu_overhead(data);
ret = -dgram_get_mtu_overhead(&data->peer);
switch (BIO_ADDR_family(&data->peer)) {
case AF_INET:
ret += 576;
@ -956,7 +949,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
}
break;
case BIO_CTRL_DGRAM_GET_MTU_OVERHEAD:
ret = dgram_get_mtu_overhead(data);
ret = dgram_get_mtu_overhead(&data->peer);
break;
/*
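Review bot: `data->mtu = sockopt_val - dgram_get_mtu_overhead(&addr)` is preceded only by a `sockopt_val < 0` rejection, so a reported MTU smaller than the overhead yields a negative `data->mtu` and return value; comparing `sockopt_val` with the overhead before subtracting would close that. `addr` is filled in outside the hunk, so it is worth confirming that it holds this socket's address family on both the IPv4 and IPv6 paths. Since the helper only reads its argument, declaring it as `const BIO_ADDR *addr` would express that. dgram_ctrl's body extends well beyond these hunks.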


@ -1,5 +1,5 @@
/*
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -267,7 +267,7 @@ static int generate_key(DH *dh)
int ok = 0;
int generate_new_key = 0;
#ifndef FIPS_MODULE
unsigned l;
int l;
#endif
BN_CTX *ctx = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
@ -327,11 +327,13 @@ static int generate_key(DH *dh)
goto err;
#else
if (dh->params.q == NULL) {
/* secret exponent length, must satisfy 2^(l-1) <= p */
if (dh->length != 0
&& dh->length >= BN_num_bits(dh->params.p))
/* secret exponent length, must satisfy 2^l < (p-1)/2 */
l = BN_num_bits(dh->params.p);
if (dh->length >= l)
goto err;
l = dh->length ? dh->length : BN_num_bits(dh->params.p) - 1;
l -= 2;
if (dh->length != 0 && dh->length < l)
l = dh->length;
if (!BN_priv_rand_ex(priv_key, l, BN_RAND_TOP_ONE,
BN_RAND_BOTTOM_ANY, 0, ctx))
goto err;
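Review bot: A `dh->length` of exactly `BN_num_bits(dh->params.p) - 1` passes the `dh->length >= l` check but is then silently replaced by `l - 2` bits, so the caller's requested exponent length is not honoured and no error is raised; either reject it or say so in the comment, e.g. `/* a requested length above the limit is clamped, not rejected */`. Because `l` is now a signed `int`, a negative `dh->length` (if one can reach this point; its validation is not visible in the hunk) would be passed to `BN_priv_rand_ex()` as a negative bit count. `if (dh->length < 0 || dh->length >= l) goto err;` would cover that. generate_key continues outside the hunk.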


@ -408,7 +408,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
}
dh = (DH *)EVP_PKEY_get0_DH(ctx->pkey);
dhpub = EVP_PKEY_get0_DH(ctx->peerkey);
if (dhpub == NULL) {
if (dhpub == NULL || dh == NULL) {
ERR_raise(ERR_LIB_DH, DH_R_KEYS_NOT_SET);
return 0;
}


@ -1076,6 +1076,7 @@ PROV_R_FAILED_TO_SIGN:175:failed to sign
PROV_R_FINAL_CALL_OUT_OF_ORDER:237:final call out of order
PROV_R_FIPS_MODULE_CONDITIONAL_ERROR:227:fips module conditional error
PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE:224:fips module entering error state
PROV_R_FIPS_MODULE_IMPORT_PCT_ERROR:253:fips module import pct error
PROV_R_FIPS_MODULE_IN_ERROR_STATE:225:fips module in error state
PROV_R_GENERATE_ERROR:191:generate error
PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE:165:\


@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -55,6 +55,7 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
for (i = 0; i < npubk; i++) {
size_t keylen = len;
size_t outlen = EVP_PKEY_get_size(pubk[i]);
pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pubk[i], NULL);
if (pctx == NULL) {
@ -63,9 +64,9 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
}
if (EVP_PKEY_encrypt_init(pctx) <= 0
|| EVP_PKEY_encrypt(pctx, ek[i], &keylen, key, keylen) <= 0)
|| EVP_PKEY_encrypt(pctx, ek[i], &outlen, key, keylen) <= 0)
goto err;
ekl[i] = (int)keylen;
ekl[i] = (int)outlen;
EVP_PKEY_CTX_free(pctx);
}
pctx = NULL;
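Review bot: `size_t outlen = EVP_PKEY_get_size(pubk[i]);` stores an `int` return in a `size_t` without checking it, so a zero or negative result (an error return) becomes zero or a very large buffer size handed to `EVP_PKEY_encrypt()`, which defeats the output-size check this value is meant to feed. Keep the result in an `int` first and fail the call when it is `<= 0`. Note that `pctx` is freed at the end of each iteration and only reset to NULL after the loop, so a new early exit must be placed where `goto err` cannot free it a second time; the `err` label is outside the hunk.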


@ -197,7 +197,7 @@ void EVP_SKEYMGMT_do_all_provided(OSSL_LIB_CTX *libctx,
void (*fn)(EVP_SKEYMGMT *skeymgmt, void *arg),
void *arg)
{
evp_generic_do_all(libctx, OSSL_OP_KEYMGMT,
evp_generic_do_all(libctx, OSSL_OP_SKEYMGMT,
(void (*)(void *, void *))fn, arg,
skeymgmt_from_algorithm,
(int (*)(void *))EVP_SKEYMGMT_up_ref,


@ -174,9 +174,9 @@ sub ::vprotd
sub ::endbranch
{
&::generic("%ifdef __CET__\n");
&::generic("#ifdef __CET__\n");
&::data_byte(0xf3,0x0f,0x1e,0xfb);
&::generic("%endif\n");
&::generic("#endif\n");
}
# label management


@ -1,5 +1,5 @@
/*
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -361,8 +361,11 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
if (xalg->parameter == NULL)
goto err;
}
if (EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) <= 0)
if (EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) <= 0) {
ASN1_TYPE_free(xalg->parameter);
xalg->parameter = NULL;
goto err;
}
}
/* Lets do the pub key stuff :-) */


@ -562,8 +562,10 @@ OSSL_PROVIDER *ossl_provider_new(OSSL_LIB_CTX *libctx, const char *name,
template.parameters = sk_INFOPAIR_deep_copy(p->parameters,
infopair_copy,
infopair_free);
if (template.parameters == NULL)
if (template.parameters == NULL) {
CRYPTO_THREAD_unlock(store->lock);
return NULL;
}
break;
}
CRYPTO_THREAD_unlock(store->lock);


@ -1,5 +1,5 @@
/*
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -167,6 +167,10 @@ int RAND_load_file(const char *file, long bytes)
/* If given a bytecount, and we did it, break. */
if (bytes > 0 && (bytes -= i) <= 0)
break;
/* We can hit a signed integer overflow on the next iteration */
if (ret > INT_MAX - RAND_LOAD_BUF_SIZE)
break;
}
OPENSSL_cleanse(buf, sizeof(buf));


@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@ -94,7 +94,8 @@ $code .= <<___;
.globl riscv_vlen_asm
.type riscv_vlen_asm,\@function
riscv_vlen_asm:
csrr $ret, vlenb
# 0xc22 is CSR vlenb
csrr $ret, 0xc22
slli $ret, $ret, 3
ret
.size riscv_vlen_asm,.-riscv_vlen_asm


@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@ -94,7 +94,8 @@ $code .= <<___;
.globl riscv_vlen_asm
.type riscv_vlen_asm,\@function
riscv_vlen_asm:
csrr $ret, vlenb
# 0xc22 is CSR vlenb
csrr $ret, 0xc22
slli $ret, $ret, 3
ret
.size riscv_vlen_asm,.-riscv_vlen_asm


@ -745,7 +745,7 @@ int ossl_rsa_key_pairwise_test(RSA *rsa)
OSSL_SELF_TEST_get_callback(rsa->libctx, &stcb, &stcbarg);
res = rsa_keygen_pairwise_test(rsa, stcb, stcbarg);
if (res <= 0)
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
return res;
}
#endif /* FIPS_MODULE */


@ -1,5 +1,5 @@
/*
* Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -228,7 +228,7 @@ static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
return -1;
ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa,
RSA_X931_PADDING);
if (ret < 1)
if (ret <= 0)
return 0;
ret--;
if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_get_type(rctx->md))) {
@ -255,7 +255,7 @@ static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
} else {
ret = RSA_public_decrypt(siglen, sig, rout, rsa, rctx->pad_mode);
}
if (ret < 0)
if (ret <= 0)
return ret;
*routlen = ret;
return 1;
@ -313,7 +313,7 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
return -1;
rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
rsa, rctx->pad_mode);
if (rslen == 0)
if (rslen <= 0)
return 0;
}


@ -1,5 +1,5 @@
/*
* Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -9,9 +9,10 @@
#include <openssl/crypto.h>
#include "internal/e_os.h"
#include "internal/time.h"
/* system-specific variants defining OSSL_sleep() */
#if defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__)
#if (defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__)) && !defined(OPENSSL_USE_SLEEP_BUSYLOOP)
# if defined(OPENSSL_USE_USLEEP) \
|| defined(__DJGPP__) \
@ -26,7 +27,7 @@
*/
# include <unistd.h>
void OSSL_sleep(uint64_t millis)
static void ossl_sleep_millis(uint64_t millis)
{
unsigned int s = (unsigned int)(millis / 1000);
unsigned int us = (unsigned int)((millis % 1000) * 1000);
@ -45,7 +46,7 @@ void OSSL_sleep(uint64_t millis)
# elif defined(__TANDEM) && !defined(_REENTRANT)
# include <cextdecs.h(PROCESS_DELAY_)>
void OSSL_sleep(uint64_t millis)
static void ossl_sleep_millis(uint64_t millis)
{
/* HPNS does not support usleep for non threaded apps */
PROCESS_DELAY_(millis * 1000);
@ -55,7 +56,7 @@ void OSSL_sleep(uint64_t millis)
/* nanosleep is defined by POSIX.1-2001 */
# include <time.h>
void OSSL_sleep(uint64_t millis)
static void ossl_sleep_millis(uint64_t millis)
{
struct timespec ts;
@ -68,7 +69,7 @@ void OSSL_sleep(uint64_t millis)
#elif defined(_WIN32) && !defined(OPENSSL_SYS_UEFI)
# include <windows.h>
void OSSL_sleep(uint64_t millis)
static void ossl_sleep_millis(uint64_t millis)
{
/*
* Windows' Sleep() takes a DWORD argument, which is smaller than
@ -83,7 +84,7 @@ void OSSL_sleep(uint64_t millis)
#else
/* Fallback to a busy wait */
# include "internal/time.h"
# define USE_SLEEP_SECS
static void ossl_sleep_secs(uint64_t secs)
{
@ -107,10 +108,28 @@ static void ossl_sleep_millis(uint64_t millis)
while (ossl_time_compare(ossl_time_now(), finish) < 0)
/* busy wait */ ;
}
#endif /* defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) */
void OSSL_sleep(uint64_t millis)
{
ossl_sleep_secs(millis / 1000);
ossl_sleep_millis(millis % 1000);
OSSL_TIME now = ossl_time_now();
OSSL_TIME finish = ossl_time_add(now, ossl_ms2time(millis));
uint64_t left = millis;
#if defined(USE_SLEEP_SECS)
do {
ossl_sleep_secs(left / 1000);
now = ossl_time_now();
left = ossl_time2ms(ossl_time_subtract(finish, now));
} while (ossl_time_compare(now, finish) < 0 && left > 1000);
if (ossl_time_compare(now, finish) >= 0)
return;
#endif
do {
ossl_sleep_millis(left);
now = ossl_time_now();
left = ossl_time2ms(ossl_time_subtract(finish, now));
} while (ossl_time_compare(now, finish) < 0);
}
#endif /* defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) */
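Review bot: The `#endif` comment still reads `defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__)` although the opening `#if` now also requires `!defined(OPENSSL_USE_SLEEP_BUSYLOOP)`; updating the comment keeps the conditional readable. In the new `OSSL_sleep()` loop, `left` is recomputed in whole milliseconds, so (assuming `ossl_time2ms()` truncates) the last sub-millisecond stretch may call `ossl_sleep_millis(0)` repeatedly until `finish` is reached. A comment stating that this short spin is intended, and that the loop exists to compensate for early wake-ups, would help the next reader.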


@ -76,6 +76,17 @@ static void slh_dsa_key_hash_dup(SLH_DSA_KEY *dst, const SLH_DSA_KEY *src)
EVP_MAC_up_ref(src->hmac);
}
/**
* @brief Return the libctx associated with a SLH_DSA_KEY object
*
* @param key A SLH_DSA_KEY to extract the libctx from.
* @returns The new OSSL_LIB_CTX object on success, or NULL failure
*/
OSSL_LIB_CTX *ossl_slh_dsa_key_get0_libctx(const SLH_DSA_KEY *key)
{
return key != NULL ? key->libctx : NULL;
}
/**
* @brief Create a new SLH_DSA_KEY object
*
@ -235,6 +246,15 @@ int ossl_slh_dsa_key_pairwise_check(const SLH_DSA_KEY *key)
return ret;
}
void ossl_slh_dsa_key_reset(SLH_DSA_KEY *key)
{
key->pub = NULL;
if (key->has_priv) {
key->has_priv = 0;
OPENSSL_cleanse(key->priv, sizeof(key->priv));
}
}
/**
* @brief Load a SLH_DSA key from raw data.
*
@ -293,9 +313,7 @@ int ossl_slh_dsa_key_fromdata(SLH_DSA_KEY *key, const OSSL_PARAM params[],
key->pub = p;
return 1;
err:
key->pub = NULL;
key->has_priv = 0;
OPENSSL_cleanse(key->priv, priv_len);
ossl_slh_dsa_key_reset(key);
return 0;
}
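Review bot: `ossl_slh_dsa_key_reset()` wipes `key->priv` only when `has_priv` is set, whereas the `err:` path in `ossl_slh_dsa_key_fromdata()` that it replaces cleansed the buffer unconditionally. If private bytes are copied into `key->priv` before `has_priv` is set (that code is outside the hunk), a failure in between now leaves them in memory; cleansing unconditionally, `key->has_priv = 0; OPENSSL_cleanse(key->priv, sizeof(key->priv));`, avoids depending on that ordering. The function also dereferences `key` without the NULL check that `ossl_slh_dsa_key_get0_libctx()` has, and it has no doc comment. The `@returns` text on the getter says "The new OSSL_LIB_CTX object", but it returns the key's existing `libctx` and transfers no ownership.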


@ -17,7 +17,6 @@ typedef struct cached_store_st {
char *uri;
OSSL_LIB_CTX *libctx;
char *propq;
OSSL_STORE_CTX *ctx;
} CACHED_STORE;
DEFINE_STACK_OF(CACHED_STORE)
@ -27,14 +26,12 @@ static int cache_objects(X509_LOOKUP *lctx, CACHED_STORE *store,
const OSSL_STORE_SEARCH *criterion, int depth)
{
int ok = 0;
OSSL_STORE_CTX *ctx = store->ctx;
OSSL_STORE_CTX *ctx;
X509_STORE *xstore = X509_LOOKUP_get_store(lctx);
if (ctx == NULL
&& (ctx = OSSL_STORE_open_ex(store->uri, store->libctx, store->propq,
NULL, NULL, NULL, NULL, NULL)) == NULL)
if ((ctx = OSSL_STORE_open_ex(store->uri, store->libctx, store->propq,
NULL, NULL, NULL, NULL, NULL)) == NULL)
return 0;
store->ctx = ctx;
/*
* We try to set the criterion, but don't care if it was valid or not.
@ -79,7 +76,6 @@ static int cache_objects(X509_LOOKUP *lctx, CACHED_STORE *store,
substore.uri = (char *)OSSL_STORE_INFO_get0_NAME(info);
substore.libctx = store->libctx;
substore.propq = store->propq;
substore.ctx = NULL;
ok = cache_objects(lctx, &substore, criterion, depth - 1);
}
} else {
@ -105,7 +101,6 @@ static int cache_objects(X509_LOOKUP *lctx, CACHED_STORE *store,
break;
}
OSSL_STORE_close(ctx);
store->ctx = NULL;
return ok;
}
@ -114,7 +109,6 @@ static int cache_objects(X509_LOOKUP *lctx, CACHED_STORE *store,
static void free_store(CACHED_STORE *store)
{
if (store != NULL) {
OSSL_STORE_close(store->ctx);
OPENSSL_free(store->uri);
OPENSSL_free(store->propq);
OPENSSL_free(store);
@ -136,6 +130,7 @@ static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
if (argp != NULL) {
STACK_OF(CACHED_STORE) *stores = X509_LOOKUP_get_method_data(ctx);
CACHED_STORE *store = OPENSSL_zalloc(sizeof(*store));
OSSL_STORE_CTX *sctx;
if (store == NULL) {
return 0;
@ -145,14 +140,20 @@ static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
store->libctx = libctx;
if (propq != NULL)
store->propq = OPENSSL_strdup(propq);
store->ctx = OSSL_STORE_open_ex(argp, libctx, propq, NULL, NULL,
NULL, NULL, NULL);
if (store->ctx == NULL
/*
* We open this to check for errors now - so we can report those
* errors early.
*/
sctx = OSSL_STORE_open_ex(argp, libctx, propq, NULL, NULL,
NULL, NULL, NULL);
if (sctx == NULL
|| (propq != NULL && store->propq == NULL)
|| store->uri == NULL) {
OSSL_STORE_close(sctx);
free_store(store);
return 0;
}
OSSL_STORE_close(sctx);
if (stores == NULL) {
stores = sk_CACHED_STORE_new_null();
@ -174,7 +175,6 @@ static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
store.uri = (char *)argp;
store.libctx = libctx;
store.propq = (char *)propq;
store.ctx = NULL;
return cache_objects(ctx, &store, NULL, 0);
}
default:
@ -218,8 +218,14 @@ static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
OSSL_STORE_SEARCH_free(criterion);
if (ok)
if (ok) {
X509_STORE *store = X509_LOOKUP_get_store(ctx);
if (!ossl_x509_store_read_lock(store))
return 0;
tmp = X509_OBJECT_retrieve_by_subject(store_objects, type, name);
X509_STORE_unlock(store);
}
ok = 0;
if (tmp != NULL) {
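Review bot: In `by_store_subject()` the pointer `tmp` returned by `X509_OBJECT_retrieve_by_subject()` is obtained under the read lock but is tested, and apparently used, after `X509_STORE_unlock(store)`; if it points into the store's object stack, another thread modifying the store can invalidate it. The use of `tmp` continues outside the hunk, so this needs checking there; holding the lock until the object has been copied or up-ref'd would be the safer shape. `store_objects` is also obtained outside the hunk, presumably without the lock. In `by_store_ctrl_ex()` the URI is now opened once to validate and again later in `cache_objects()`, so the early check does not guarantee that the later open succeeds or sees the same content; the added comment could say so.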


@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -40,7 +40,7 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
long l;
int i;
EVP_PKEY *pkey;
STACK_OF(X509_EXTENSION) *exts;
STACK_OF(X509_EXTENSION) *exts = NULL;
char mlch = ' ';
int nmindent = 0, printok = 0;
@ -191,6 +191,7 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
goto err;
}
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
exts = NULL;
}
}
@ -204,6 +205,7 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
return 1;
err:
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
ERR_raise(ERR_LIB_X509, ERR_R_BUF_LIB);
return 0;
}


@ -1,5 +1,5 @@
/*
* Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -67,6 +67,8 @@ static int i2r_HASH(X509V3_EXT_METHOD *method,
}
if (BIO_printf(out, "%*sHash Value: ", indent, "") <= 0)
return 0;
if (hash->hashValue == NULL)
return 0;
return ossl_bio_print_hex(out, hash->hashValue->data, hash->hashValue->length);
}
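Review bot: The `hash->hashValue == NULL` check comes after `"Hash Value: "` has already been written, so a failure leaves a dangling label in the output; moving the check above the `BIO_printf()` call avoids the partial line. i2r_HASH starts outside the hunk.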


@ -186,7 +186,7 @@ int X509_PURPOSE_add(int id, int trust, int flags,
return 0;
}
if (trust < X509_TRUST_DEFAULT || name == NULL || sname == NULL || ck == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_PASSED_INVALID_ARGUMENT);
ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_INVALID_ARGUMENT);
return 0;
}


@ -1,5 +1,5 @@
/*
* Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -42,9 +42,21 @@ X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc)
return X509v3_get_ext(x->crl.extensions, loc);
}
static X509_EXTENSION *delete_ext(STACK_OF(X509_EXTENSION) **sk, int loc)
{
X509_EXTENSION *ret = X509v3_delete_ext(*sk, loc);
/* Empty extension lists are omitted. */
if (*sk != NULL && sk_X509_EXTENSION_num(*sk) == 0) {
sk_X509_EXTENSION_pop_free(*sk, X509_EXTENSION_free);
*sk = NULL;
}
return ret;
}
X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc)
{
return X509v3_delete_ext(x->crl.extensions, loc);
return delete_ext(&x->crl.extensions, loc);
}
void *X509_CRL_get_ext_d2i(const X509_CRL *x, int nid, int *crit, int *idx)
@ -91,7 +103,7 @@ X509_EXTENSION *X509_get_ext(const X509 *x, int loc)
X509_EXTENSION *X509_delete_ext(X509 *x, int loc)
{
return X509v3_delete_ext(x->cert_info.extensions, loc);
return delete_ext(&x->cert_info.extensions, loc);
}
int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc)
@ -139,7 +151,7 @@ X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, int loc)
X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc)
{
return X509v3_delete_ext(x->extensions, loc);
return delete_ext(&x->extensions, loc);
}
int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc)
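Review bot: `delete_ext()` frees the extension stack and sets the owner's pointer to NULL when the last extension is removed, so a caller still holding a stack pointer obtained earlier (for example from a `get0`-style accessor) is left with a dangling pointer after `X509_delete_ext()`, `X509_CRL_delete_ext()` or `X509_REVOKED_delete_ext()`. That lifetime change deserves a sentence on the helper and in the public documentation, e.g. `/* Frees *sk when it becomes empty; previously obtained stack pointers are then invalid. */`.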


@ -159,3 +159,4 @@ int ossl_x509_likely_issued(X509 *issuer, X509 *subject);
int ossl_x509_signing_allowed(const X509 *issuer, const X509 *subject);
int ossl_x509_store_ctx_get_by_subject(const X509_STORE_CTX *ctx, X509_LOOKUP_TYPE type,
const X509_NAME *name, X509_OBJECT *ret);
int ossl_x509_store_read_lock(X509_STORE *xs);


@ -44,7 +44,7 @@ int X509_STORE_lock(X509_STORE *xs)
return CRYPTO_THREAD_write_lock(xs->lock);
}
static int x509_store_read_lock(X509_STORE *xs)
int ossl_x509_store_read_lock(X509_STORE *xs)
{
return CRYPTO_THREAD_read_lock(xs->lock);
}
@ -331,7 +331,7 @@ int ossl_x509_store_ctx_get_by_subject(const X509_STORE_CTX *ctx, X509_LOOKUP_TY
stmp.type = X509_LU_NONE;
stmp.data.x509 = NULL;
if (!x509_store_read_lock(store))
if (!ossl_x509_store_read_lock(store))
return 0;
/* Should already be sorted...but just in case */
if (!sk_X509_OBJECT_is_sorted(store->objs)) {
@ -604,7 +604,7 @@ STACK_OF(X509_OBJECT) *X509_STORE_get1_objects(X509_STORE *store)
return NULL;
}
if (!x509_store_read_lock(store))
if (!ossl_x509_store_read_lock(store))
return NULL;
objs = sk_X509_OBJECT_deep_copy(store->objs, x509_object_dup,


@ -635,6 +635,11 @@ const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id)
{
int num = OSSL_NELEM(default_table);
if (id < 0) {
ERR_raise(ERR_LIB_X509, ERR_R_PASSED_INVALID_ARGUMENT);
return NULL;
}
if (id < num)
return default_table + id;
return sk_X509_VERIFY_PARAM_value(param_table, id - num);


@ -1 +0,0 @@
#include "../../../config/bn_conf.h"


@ -1 +0,0 @@
#include "../../../config/dso_conf.h"


@ -23,9 +23,11 @@
typedef struct slh_dsa_hash_ctx_st SLH_DSA_HASH_CTX;
typedef struct slh_dsa_key_st SLH_DSA_KEY;
__owur OSSL_LIB_CTX *ossl_slh_dsa_key_get0_libctx(const SLH_DSA_KEY *key);
__owur SLH_DSA_KEY *ossl_slh_dsa_key_new(OSSL_LIB_CTX *libctx, const char *propq,
const char *alg);
void ossl_slh_dsa_key_free(SLH_DSA_KEY *key);
void ossl_slh_dsa_key_reset(SLH_DSA_KEY *key);
__owur SLH_DSA_KEY *ossl_slh_dsa_key_dup(const SLH_DSA_KEY *src, int selection);
__owur int ossl_slh_dsa_key_equal(const SLH_DSA_KEY *key1, const SLH_DSA_KEY *key2,
int selection);


@ -1 +0,0 @@
#include "../../../config/param_names.h"


@ -167,6 +167,17 @@ int ossl_qrx_provide_secret(OSSL_QRX *qrx,
const unsigned char *secret,
size_t secret_len);
/*
* Utility function to update the pn space from a src to a dst qrx.
* Occasionally we use a temporary qrx to do packet validation on quic frames
* that are not yet associated with a channel, and in the event a validation is
* successful AND we allocate a new qrx for the newly created channel, we need
* to migrate the largest_pn values recorded in the tmp qrx to the channel qrx.
* If we don't then PN decoding fails in cases where the initial PN is a large value.
* This function does that migration for us
*/
void ossl_qrx_update_pn_space(OSSL_QRX *src, OSSL_QRX *dst);
/*
* Informs the QRX that it can now discard key material for a given EL. The QRX
* will no longer be able to process incoming packets received at that


@ -1 +0,0 @@
#include "../../../config/asn1.h"


@ -1 +0,0 @@
#include "../../../config/asn1t.h"


@ -1 +0,0 @@
#include "../../../config/bio.h"


@ -1 +0,0 @@
#include "../../../config/cmp.h"


@ -1 +0,0 @@
#include "../../../config/cms.h"


@ -1 +0,0 @@
#include "../../../config/comp.h"


@ -1 +0,0 @@
#include "../../../config/conf.h"


@ -1 +0,0 @@
#include "../../../config/configuration.h"


@ -1 +0,0 @@
#include "../../../config/core_names.h"


@ -1 +0,0 @@
#include "../../../config/crmf.h"


@ -1 +0,0 @@
#include "../../../config/crypto.h"


@ -1,7 +1,7 @@
/*
* {- join("\n * ", @autowarntext) -}
*
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@ -335,9 +335,9 @@ OSSL_CRYPTO_ALLOC void *CRYPTO_zalloc(size_t num, const char *file, int line);
OSSL_CRYPTO_ALLOC void *CRYPTO_aligned_alloc(size_t num, size_t align,
void **freeptr, const char *file,
int line);
OSSL_CRYPTO_ALLOC void *CRYPTO_memdup(const void *str, size_t siz, const char *file, int line);
OSSL_CRYPTO_ALLOC char *CRYPTO_strdup(const char *str, const char *file, int line);
OSSL_CRYPTO_ALLOC char *CRYPTO_strndup(const char *str, size_t s, const char *file, int line);
void *CRYPTO_memdup(const void *str, size_t siz, const char *file, int line);
char *CRYPTO_strdup(const char *str, const char *file, int line);
char *CRYPTO_strndup(const char *str, size_t s, const char *file, int line);
void CRYPTO_free(void *ptr, const char *file, int line);
void CRYPTO_clear_free(void *ptr, size_t num, const char *file, int line);
void *CRYPTO_realloc(void *addr, size_t num, const char *file, int line);


@ -1 +0,0 @@
#include "../../../config/ct.h"


@ -1 +0,0 @@
#include "../../../config/err.h"


@ -1 +0,0 @@
#include "../../../config/ess.h"


@ -1 +0,0 @@
#include "../../../config/fipskey.h"


@ -1 +0,0 @@
#include "../../../config/lhash.h"


@ -1 +0,0 @@
#include "../../../config/ocsp.h"


@ -1 +0,0 @@
#include "../../../config/opensslv.h"


@ -1,7 +1,7 @@
/*
* {- join("\n * ", @autowarntext) -}
*
* Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -90,16 +90,11 @@ extern "C" {
# define OPENSSL_VERSION_TEXT "OpenSSL {- "$config{full_version} $config{release_date}" -}"
/* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
# ifdef OPENSSL_VERSION_PRE_RELEASE
# define _OPENSSL_VERSION_PRE_RELEASE 0x0L
# else
# define _OPENSSL_VERSION_PRE_RELEASE 0xfL
# endif
# define OPENSSL_VERSION_NUMBER \
( (OPENSSL_VERSION_MAJOR<<28) \
|(OPENSSL_VERSION_MINOR<<20) \
|(OPENSSL_VERSION_PATCH<<4) \
|_OPENSSL_VERSION_PRE_RELEASE )
|{- @config{prerelease} ? "0x0L" : "0xfL" -} )
# ifdef __cplusplus
}


@ -1 +0,0 @@
#include "../../../config/pkcs12.h"


@ -1 +0,0 @@
#include "../../../config/pkcs7.h"


@ -49,6 +49,7 @@
# define PROV_R_FINAL_CALL_OUT_OF_ORDER 237
# define PROV_R_FIPS_MODULE_CONDITIONAL_ERROR 227
# define PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE 224
# define PROV_R_FIPS_MODULE_IMPORT_PCT_ERROR 253
# define PROV_R_FIPS_MODULE_IN_ERROR_STATE 225
# define PROV_R_GENERATE_ERROR 191
# define PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 165


@ -1 +0,0 @@
#include "../../../config/safestack.h"


@ -31,6 +31,7 @@ extern "C" {
# define OSSL_SELF_TEST_TYPE_CRNG "Continuous_RNG_Test"
# define OSSL_SELF_TEST_TYPE_PCT "Conditional_PCT"
# define OSSL_SELF_TEST_TYPE_PCT_KAT "Conditional_KAT"
# define OSSL_SELF_TEST_TYPE_PCT_IMPORT "Import_PCT"
# define OSSL_SELF_TEST_TYPE_KAT_INTEGRITY "KAT_Integrity"
# define OSSL_SELF_TEST_TYPE_KAT_CIPHER "KAT_Cipher"
# define OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER "KAT_AsymmetricCipher"


@ -1 +0,0 @@
#include "../../../config/srp.h"


@ -1 +0,0 @@
#include "../../../config/ssl.h"


@ -1 +0,0 @@
#include "../../../config/ui.h"


@ -1 +0,0 @@
#include "../../../config/x509.h"


@ -1 +0,0 @@
#include "../../../config/x509_acert.h"


@ -1 +0,0 @@
#include "../../../config/x509_vfy.h"


@ -1 +0,0 @@
#include "../../../config/x509v3.h"


@ -63,6 +63,8 @@ static const ERR_STRING_DATA PROV_str_reasons[] = {
"fips module conditional error"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE),
"fips module entering error state"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_IMPORT_PCT_ERROR),
"fips module import pct error"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_IN_ERROR_STATE),
"fips module in error state"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_GENERATE_ERROR), "generate error"},


@ -1,5 +1,5 @@
/*
* Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -98,18 +98,33 @@ int ossl_fips_ind_digest_exch_check(OSSL_FIPS_IND *ind, int id,
int ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND *ind, int id,
OSSL_LIB_CTX *libctx,
int nid, int sha1_allowed,
int sha512_trunc_allowed,
const char *desc,
OSSL_FIPS_IND_CHECK_CB *config_check_f)
{
int approved;
const char *op = "none";
if (nid == NID_undef)
switch (nid) {
case NID_undef:
approved = 0;
else
approved = sha1_allowed || nid != NID_sha1;
break;
case NID_sha512_224:
case NID_sha512_256:
approved = sha512_trunc_allowed;
op = "Digest Truncated SHA512";
break;
case NID_sha1:
approved = sha1_allowed;
op = "Digest SHA1";
break;
default:
approved = 1;
break;
}
if (!approved) {
if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Digest SHA1",
if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, op,
config_check_f)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
return 0;
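Review bot: The `default:` branch of the new switch sets `approved = 1` for every nid other than NID_undef, SHA-1 and the two truncated SHA-512 variants, so the check is only as strict as the nid the caller hands in. That appears to rely on callers mapping any non-approved digest to NID_undef before they call, which this hunk does not show; a comment above the switch such as `/* nid must come from the approved-digest lookup; unapproved digests arrive as NID_undef */` would make the precondition explicit. In the NID_undef case `op` stays `"none"`, so the unapproved-indicator callback gets no digest-specific description there, where the replaced call passed a fixed `"Digest SHA1"`. The function body continues past the end of the hunk, and the new `sha512_trunc_allowed` parameter is likewise undocumented in the matching prototype change in the header section further down.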


@ -16,7 +16,7 @@ e1f3805332eb811d9d0c9377b67fe0681063364f1af84d8598f7daa30da65b4d crypto/aes/asm
ecd9bdfaf25cdd3d8ec0c50cb4306d98374da1c6056e27e0cf31a057dc5ee150 crypto/aes/asm/aes-riscv64-zvkb-zvkned.pl
d372152dac004b96a89f8531256bd05597ca0b614b444bb02aee93238dcf83ab crypto/aes/asm/aes-riscv64-zvkned.pl
f0388e17ba4268ed0b562da60e0780072180a824a379b79fafb60e25b8da3b52 crypto/aes/asm/aes-riscv64.pl
ecbfe826f4c514810c3ee20e265f4f621149694c298554b2682e5de4f029f14f crypto/aes/asm/aes-s390x.pl
290ae2a09826d24e83763415a021e328d41a163f41cff8c9e3b882e973677f33 crypto/aes/asm/aes-s390x.pl
ee4e8cacef972942d2a89c1a83c984df9cad87c61a54383403c5c4864c403ba1 crypto/aes/asm/aes-sparcv9.pl
391497550eaca253f64b2aba7ba2e53c6bae7dff01583bc6bfc12e930bb7e217 crypto/aes/asm/aes-x86_64.pl
c56c324667b67d726e040d70379efba5b270e2937f403c1b5979018b836903c7 crypto/aes/asm/aesfx-sparcv9.pl
@ -228,7 +228,7 @@ cd611921dc773b47207c036b9108ec820ab39d67780ba4adc9ccb9dc8da58627 crypto/evp/mac
c2c8f6d17dc3d85ffcced051047c0b00ce99d119635f4626c5c6db3d59d86fbb crypto/evp/pmeth_lib.c
ba4ff38738cbcfd3841d53a2fab92227638ceca176d3ffe50e486c9dcbabb5dd crypto/evp/s_lib.c
3c003fa01341a69c461b75cffd93cf31a1899373d7e95a1ef3754ea1bfbb77fe crypto/evp/signature.c
a3ba57f8181cfbbf017fe1d4fa8d80f4999eea6d2834b0bcda22b60e6a5e31e3 crypto/evp/skeymgmt_meth.c
30af153213f8b008955486000c5a92507dc694c4af9ac6ed6fef3f290efa3e52 crypto/evp/skeymgmt_meth.c
64f7e366e681930ba10267272b87dba223b9744a01c27ba0504a4941802a580d crypto/ex_data.c
d986ec74995b05ff65a68df320ab45894ba35d7be4906f8d78ca5fca294a4e6c crypto/ffc/ffc_backend.c
a12af33e605315cdddd6d759e70cd9632f0f33682b9aa7103ed1ecd354fc7e55 crypto/ffc/ffc_dh.c
@ -309,20 +309,20 @@ f50450f7e5f6896fb8e3cde2fdc11cc543124c854ef9d88252a166606ca80081 crypto/params_
d32105cb087d708d0504a787f74bc163cc398c299faf2e98d6bb5ae02f5ce9b7 crypto/property/property_parse.c
a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3 crypto/property/property_query.c
20e69b9d594dfc443075eddbb0e6bcc0ed36ca51993cd50cc5a4f86eb31127f8 crypto/property/property_string.c
faa002fd33a147494ea93dbd1cef07138c6f61432d6465ceb4a34118e31e0a72 crypto/provider_core.c
10644e9d20214660706de58d34edf635c110d4e4f2628cd5284a08c60ed9aff8 crypto/provider_core.c
d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89 crypto/provider_local.h
5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9 crypto/provider_predefined.c
e13cf63765dd538a75eb9d2cb8fcb0243e6bd2988dd420c83806a69984dad558 crypto/rand/rand_lib.c
fd03b9bb2c23470fa40880ed3bf9847bb17d50592101a78c0ad7a0f121209788 crypto/rand/rand_local.h
426ba915ca65a770f8264129f8ac47db7aaf06c6ae51517c5d775eacdf91b9f6 crypto/rcu_internal.h
48f6a98e3d7e9ae79f2d2b8ea9965d0c4ec3b1a4473adbceb47fe1e7930dc3c1 crypto/riscv32cpuid.pl
f6c5a1440de995a115dbba5f732b294e2e6d94aa520687afd1e776af1ba48cf8 crypto/riscv64cpuid.pl
0c1d3e0e857e9e4f84752a8ef0b619d8af0d81427b52facbd0174e685dac9a47 crypto/riscv32cpuid.pl
231263dffc16987f5288592ebf4c0738902d5146bfc16bcd8a157e044cb697da crypto/riscv64cpuid.pl
0b0f3c7757447c2374338f2008c6545a1d176dcbdb41f06873f4681dc43fd42e crypto/riscvcap.c
f0c8792a99132e0b9c027cfa7370f45594a115934cdc9e8f23bdd64abecaf7fd crypto/rsa/rsa_acvp_test_params.c
1b828f428f0e78b591378f7b780164c4574620c68f9097de041cbd576f811bf6 crypto/rsa/rsa_backend.c
38a102cd1da1f6ca5a46e6a22f018237964336274385f5c70cbedcaa6997647e crypto/rsa/rsa_chk.c
e762c599b17d5c89f4b1c9eb7d0ca1f04a95d815c86a3e72c30b231ce57fb199 crypto/rsa/rsa_crpt.c
026645569b11cf7c1247e4537cc004eea4469ed661391aef4fbc13e96c4952ca crypto/rsa/rsa_gen.c
0fa3e4687510e2d91c8f4b1c460b1d51375d9855ed825b3d6697620b146b52d1 crypto/rsa/rsa_gen.c
f22bc4e2c3acab83e67820c906c1caf048ec1f0d4fcb7472c1bec753c75f8e93 crypto/rsa/rsa_lib.c
5ae8edaf654645996385fbd420ef73030762fc146bf41deb5294d6d83e257a16 crypto/rsa/rsa_local.h
cf0b75cd54b61b9b9a290ef18d0ddce9fb26a029a54eb3f720d9b25188440f00 crypto/rsa/rsa_mp_names.c
@ -393,7 +393,7 @@ dfd99e02830973ab349409ac6ba0ee901ba7736216030965bd7e5a54356abd7c crypto/slh_dsa
1a2e505ac8ef45ff46f36ab89f5fb1d6a6888b2123a7cb75cf0eae849ee5de70 crypto/slh_dsa/slh_adrs.h
11d3895ea104d1238999f00b2beee4de71f35eea79065ac7b4536ee79d61d2dd crypto/slh_dsa/slh_dsa.c
ab7b580b1cba302c5675918b457794a3b3d00aac42297312d9447bc6f6a40b09 crypto/slh_dsa/slh_dsa_hash_ctx.c
c26498960895d435af4ef5f592d98a0c011c00609bbba8bbd0078d4a4f081609 crypto/slh_dsa/slh_dsa_key.c
36007c2d3c7f6a405745a25d1a10b97ce781c7541b1610e51981f549c9852a5b crypto/slh_dsa/slh_dsa_key.c
4c7981f7db69025f52495c549fb3b3a76be62b9e13072c3f3b7f1dedeaf8cc91 crypto/slh_dsa/slh_dsa_key.h
5dcb631891eb6afcd27a6b19d2de4d493c71dab159e53620d86d9b96642e97e8 crypto/slh_dsa/slh_dsa_local.h
adb3f4dea52396935b8442df7b36ed99324d3f3e8ce3fdf714d6dfd683e1f9f0 crypto/slh_dsa/slh_fors.c
@ -448,7 +448,7 @@ bbe5e52d84e65449a13e42cd2d6adce59b8ed6e73d6950917aa77dc1f3f5dff6 include/crypto
b1df067691f9741ef9c42b2e5f12461bcd87b745514fc5701b9c9402fb10b224 include/crypto/rsa.h
32f0149ab1d82fddbdfbbc44e3078b4a4cc6936d35187e0f8d02cc0bc19f2401 include/crypto/security_bits.h
80338f3865b7c74aab343879432a6399507b834e2f55dd0e9ee7a5eeba11242a include/crypto/sha.h
0814571bff328719cc1e5a73a4daf6f5810b17f9e50fe63287f91f445f053213 include/crypto/slh_dsa.h
dc7808729c3231a08bbe470b3e1b562420030f59f7bc05b14d7b516fa77b4f3a include/crypto/slh_dsa.h
7676b02824b2d68df6bddeb251e9b8a8fa2e35a95dad9a7ebeca53f9ab8d2dad include/crypto/sparse_array.h
d6d1cd1ec7581046f5a84359a32ed41caad9e7c1b4d1eb9665ea4763de10e6b3 include/crypto/types.h
27d13538d9303b1c2f0b2ce9b6d376097ce7661354fbefbde24b7ef07206ea45 include/internal/bio.h
@ -513,7 +513,7 @@ bb45de4eafdd89c14096e9af9b0aee12b09adcee43b9313a3a373294dec99142 include/openss
28c6f0ede39c821dcf4abeeb4e41972038ebb3e3c9d0a43ffdf28edb559470e1 include/openssl/core.h
b59255ddb1ead5531c3f0acf72fa6627d5c7192f3d23e9536eed00f32258c43b include/openssl/core_dispatch.h
d37532e62315d733862d0bff8d8de9fe40292a75deacae606f4776e544844316 include/openssl/core_names.h.in
57898905771752f6303e2b1cca1c9a41ea5e9c7bf08ee06531213a65e960e424 include/openssl/crypto.h.in
01ed3af4e25b9be3453a8f13d7dd3b4e9e73889bbed338e0d4b8021f0d17aa82 include/openssl/crypto.h.in
628e2a9e67412e2903ecb75efb27b262db1f266b805c07ece6b85bf7ffa19dac include/openssl/cryptoerr.h
bbc82260cbcadd406091f39b9e3b5ea63146d9a4822623ead16fa12c43ab9fc6 include/openssl/cryptoerr_legacy.h
83af275af84cf88c4e420030a9ea07c38d1887009c8f471874ed1458a4b1cda7 include/openssl/decoder.h
@ -546,20 +546,20 @@ a8a45996fd21411cb7ed610bc202dbd06570cdfa0a2d14f7dfc8bfadc820e636 include/openss
cb6bca3913c60a57bac39583eee0f789d49c3d29be3ecde9aecc7f3287117aa5 include/openssl/objects.h
d25537af264684dff033dd8ae62b0348f868fcfec4aa51fa8f07bcfa4bd807ad include/openssl/objectserr.h
fe6acd42c3e90db31aaafc2236a7d30ebfa53c4c07ea4d8265064c7fcb951970 include/openssl/opensslconf.h
1bf52d136e94f727a96651c1f48ad040482f35dae152519ccd585efd410b92f0 include/openssl/opensslv.h.in
fc914a750d798ac9fc9287e6359cfa1da214b91651deaaaa7e1a46b595cd0425 include/openssl/opensslv.h.in
767d9d7d5051c937a3ce8a268c702902fda93eeaa210a94dfde1f45c23277d20 include/openssl/param_build.h
1c442aaaa4dda7fbf727a451bc676fb4d855ef617c14dc77ff2a5e958ae33c3e include/openssl/params.h
44f178176293c6ce8142890ff9dc2d466364c734e4e811f56bd62010c5403183 include/openssl/pkcs7.h.in
8394828da6fd7a794777320c955d27069bfef694356c25c62b7a9eb47cd55832 include/openssl/pkcs7err.h
ed785c451189aa5f7299f9f32a841e7f25b67c4ee937c8de8491a39240f5bd9d include/openssl/prov_ssl.h
7c0e616ec99ac03d241da8def32cebf2679d9cacc93f58d2c2c4b05faf0011ea include/openssl/proverr.h
d8e2e31fbf88649efaabb6a999d9c464d4462b016c65c6bdf830b2ab4261a792 include/openssl/proverr.h
01ecfa6add534dfe98c23382e0f2faf86f627c21ce16c5b49bf90333fb4cac9f include/openssl/provider.h
765846563fbd69411aff6ce00bcc22f577f6407f5a80d592edb1dc10b580a145 include/openssl/rand.h
1c135b1e5ef06e052f554d52a744a9a807a8c371c848389ad836f9e4a923dd8e include/openssl/randerr.h
2f4f0106e9b2db6636491dbe3ef81b80dbf01aefe6f73d19663423b7fcd54466 include/openssl/rsa.h
2f339ba2f22b8faa406692289a6e51fdbbb04b03f85cf3ca849835e58211ad23 include/openssl/rsaerr.h
6586f2187991731835353de0ffad0b6b57609b495e53d0f32644491ece629eb2 include/openssl/safestack.h.in
cad320f140eade8a90b4d068e03d2fc0448204656f8c1270f69be82bc3272806 include/openssl/self_test.h
39300fe80a46e0b76e07f10ada73a0ba55887c8cd5f98180b337ef6d5a3344d1 include/openssl/self_test.h
a435cb5d87a37c05921afb2d68f581018ec9f62fd9b3194ab651139b24f616d2 include/openssl/sha.h
c169a015d7be52b7b99dd41c418a48d97e52ad21687c39c512a83a7c3f3ddb70 include/openssl/stack.h
22d7584ad609e30e818b54dca1dfae8dea38913fffedd25cd540c550372fb9a6 include/openssl/symhacks.h
@ -604,23 +604,23 @@ c02d1fa866192dee1bf6d06338714efad5e7cae6ac0470ba20820599b4f811e8 providers/comm
f221ca9b117c9cccb776bb230f71b86553ce6c24196bea120124a4be7b8a712f providers/common/include/prov/providercommon.h
4a6e35be7600e78633324422f019443747a62777eba4987efc50f900c43fda25 providers/common/include/prov/securitycheck.h
ba12773ee7d5afbd55e240798a0e36a2b0bdb4472f3aa3984bb8059f68cfba25 providers/common/provider_ctx.c
c67989723273186af8d0fa7019fe5564957a21dd9867645cfab6ba54f8871df4 providers/common/provider_err.c
1f724e74106fa406999d706ec4b88c7185d2d1ceb7cc431a3340f778f533dbda providers/common/provider_err.c
c4032b7cb033b588c6eb0585b8dfbed029d5b112a74ddd134dbcb1d78b0f9684 providers/common/provider_seeding.c
976aed982b0091a8f5320ee15e9b3d56c638c2a6b8481ddf9478d07927522f82 providers/common/provider_util.c
bde6107744cf6840a4c350a48265ed000c49b0524fa60b0d68d6d7b33df5fce6 providers/common/securitycheck.c
8ea192553b423e881d85118c70bcb26a40fbdee4e110f230c966939c76f4aa7e providers/common/securitycheck_fips.c
c0ba8608dd7719c9a8d9f8668ce60007eaadd6635162d4448815a7b76a9b2439 providers/common/securitycheck_fips.c
abd5997bc33b681a4ab275978b92aebca0806a4a3f0c2f41dacf11b3b6f4e101 providers/fips/fips_entry.c
d8cb05784ae8533a7d9569d4fbaaea4175b63a7c9f4fb0f254215224069dea6b providers/fips/fipsindicator.c
485441c31b5ff7916a12d0b8438d131a58cbc1ff6267cd266ae2dd6128c825cc providers/fips/fipsprov.c
7be8349d3b557b6d9d5f87d318253a73d21123628a08f50726502abf0e3d8a44 providers/fips/include/fips/fipsindicator.h
6e024bbebae12014997c105df04c22bd07bbbc0a0b0a9ddd14fb798dbd3f0f26 providers/fips/include/fips/fipsindicator.h
ef204adc49776214dbb299265bc4f2c40b48848cbea4c25b8029f2b46a5c9797 providers/fips/include/fips_indicator_params.inc
f2581d7b4e105f2bb6d30908f3c2d9959313be08cec6dbeb49030c125a7676d3 providers/fips/include/fips_selftest_params.inc
669f76f742bcaaf28846b057bfab97da7c162d69da244de71b7c743bf16e430f providers/fips/include/fipscommon.h
1af975061d9ea273fd337c74ccaab7b9331ab781d887c4e7164c5ac35e2c2e94 providers/fips/self_test.c
f111fd7e016af8cc6f96cd8059c28227b328dd466ed137ae0c0bc0c3c3eec3ba providers/fips/self_test.c
5c2c6c2f69e2eb01b88fa35630f27948e00dd2c2fd351735c74f34ccb2005cbe providers/fips/self_test.h
826d559ea7019c5db557679c3fe1ff5022be0132789c847d61da3c293fc02227 providers/fips/self_test_data.inc
663441de9aba1d1b81ce02b3acded520b88cc460330d4d98adb7450d9664c474 providers/fips/self_test_data.inc
2e568e2b161131240e97bd77a730c2299f961c2f1409ea8466422fc07f9be23f providers/fips/self_test_kats.c
7a368f6c6a5636593018bf10faecc3be1005e7cb3f0647f25c62b6f0fb7ac974 providers/implementations/asymciphers/rsa_enc.c
dde79dfdedfe0e73006a0cf912fdde1ff109dfbc5ba6ecab319c938bc4275950 providers/implementations/asymciphers/rsa_enc.c
c2f1b12c64fc369dfc3b9bc9e76a76de7280e6429adaee55d332eb1971ad1879 providers/implementations/ciphers/cipher_aes.c
6ba7d817081cf0d87ba7bfb38cd9d70e41505480bb8bc796ef896f68d4514ea6 providers/implementations/ciphers/cipher_aes.h
c20072ecf42c87f9fad2ea241d358f57ed2a04cf0cc51bdb8cb5086172f6fc8a providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
@ -695,21 +695,21 @@ e18ef50cd62647a2cc784c45169d75054dccd58fc106bf623d921de995bb3c34 providers/impl
b04249bcc64d6f7ec16f494afef252356b2f56424a034ab53def90463de0cb6f providers/implementations/kem/ml_kem_kem.c
a2e2b44064ef44b880b89ab6adc83686936acaa906313a37e5ec69d632912034 providers/implementations/kem/mlx_kem.c
c764555b9dc9b273c280514a5d2d44156f82f3e99155a77c627f2c773209bcd7 providers/implementations/kem/rsa_kem.c
a780a73b02f97d42a621fe096adf57a362b458cd5e5cfe1e3e619e88a407c7d7 providers/implementations/keymgmt/dh_kmgmt.c
56e173f4ddb3e91314abd79b18de513c8cbc645669a287942fca4632c3851f6b providers/implementations/keymgmt/dh_kmgmt.c
24cc3cc8e8681c77b7f96c83293bd66045fd8ad69f756e673ca7f8ca9e82b0af providers/implementations/keymgmt/dsa_kmgmt.c
967ab174fa4fadb4d4b1d226a1870028a3945d6e85c04d08f215686fe8fd2a07 providers/implementations/keymgmt/ec_kmgmt.c
36a9c1c8658ce7918453827cb58ed52787e590e3f148c5510deeb2c16c25a29d providers/implementations/keymgmt/ec_kmgmt.c
258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251 providers/implementations/keymgmt/ec_kmgmt_imexport.inc
b335f1aca68f0b0b3f31e73473de264c812a932517d5a2c2339754d3e3f72a8a providers/implementations/keymgmt/ecx_kmgmt.c
9728d696d249b2d224724c9872138a60e1998e5cfa5c49f3f48ad0666f7eed34 providers/implementations/keymgmt/ecx_kmgmt.c
daf35a7ab961ef70aefca981d80407935904c5da39dca6692432d6e6bc98759d providers/implementations/keymgmt/kdf_legacy_kmgmt.c
d97d7c8d3410b3e560ef2becaea2a47948e22205be5162f964c5e51a7eef08cb providers/implementations/keymgmt/mac_legacy_kmgmt.c
24384616fcba4eb5594ccb2ebc199bcee8494ce1b3f4ac7824f17743e39c0279 providers/implementations/keymgmt/ml_dsa_kmgmt.c
830c339dfc7f301ce5267ef9b0dc173b84d9597509c1a61ae038f3c01af78f45 providers/implementations/keymgmt/ml_kem_kmgmt.c
a428de71082fd01e5dcfa030a6fc34f6700b86d037b4e22f015c917862a158ce providers/implementations/keymgmt/ml_dsa_kmgmt.c
ae129b80f400c2d520262a44842fb02898d6986dd1417ac468293dc104337120 providers/implementations/keymgmt/ml_kem_kmgmt.c
e15b780a1489bbe4c7d40d6aaa3bccfbf973e3946578f460eeb8373c657eee91 providers/implementations/keymgmt/mlx_kmgmt.c
d63d47e8705772c4269dbdb110400ec9a6dc49ea2217f3d2aecc8ce733d9e47f providers/implementations/keymgmt/rsa_kmgmt.c
6f0a786170ba9af860e36411d158ac0bd74bcb4d75c818a0cebadbc764759283 providers/implementations/keymgmt/slh_dsa_kmgmt.c
d37e7a96253cf146e45c9adf9dbf83ab83fccbe41a5e5a6736f9085a60c38167 providers/implementations/keymgmt/rsa_kmgmt.c
6bb62b5417afb24a43b726148862770689f420a310722398f714f396ba07f205 providers/implementations/keymgmt/slh_dsa_kmgmt.c
9d02d481b9c7c0c9e0932267d1a3e1fef00830aaa03093f000b88aa042972b9f providers/implementations/macs/cmac_prov.c
3c558b57fff3588b6832475e0b1c5be590229ad50d95a6ebb089b62bf5fe382d providers/implementations/macs/gmac_prov.c
3b5e591e8f6c6ba721a20d978452c9aae9a8259b3595b158303a49b35f286e53 providers/implementations/macs/hmac_prov.c
b78305d36f248499a97800873a6bd215b2b7ae2e767c04b7ffcbad7add066040 providers/implementations/macs/hmac_prov.c
6f9100c9cdd39f94601d04a6564772686571711ff198cf8469e86444d1ba25f3 providers/implementations/macs/kmac_prov.c
4115f822e2477cd2c92a1c956cca1e4dbc5d86366e2a44a37526756153c0e432 providers/implementations/rands/drbg.c
b7e24bb9265501e37253e801028f3fd0af5111a100c0b2005c53d43f02c03389 providers/implementations/rands/drbg_ctr.c
@ -718,12 +718,12 @@ b7e24bb9265501e37253e801028f3fd0af5111a100c0b2005c53d43f02c03389 providers/impl
2c63defffcc681ada17a6cc3eb895634fd8bf86110796a6381cc3dedd26fd47d providers/implementations/rands/drbg_local.h
ddae75f1e08416c92802faafba9d524e3bf58c13e9fcb51735733e161006f89e providers/implementations/rands/fips_crng_test.c
04e726d547a00d0254362b0ebd3ddf87f58a53b78d3a070a1620f5fa714330bb providers/implementations/rands/test_rng.c
bd3c3d166be0e171e08e1cd03a943a643b4c181f11d8dde5e508d50163ac0cb8 providers/implementations/signature/dsa_sig.c
848ecf7587757410f98661a22fdf6eece53cc317224a22826d838131a47de8b0 providers/implementations/signature/ecdsa_sig.c
732a4402f2621e2b676f0c0e885fb5ca8bc22d00842d47e7607a875fdff8a980 providers/implementations/signature/dsa_sig.c
72d09f89a9645d365fb357a512fb5687c04a924c34f1bbfc17e17c1ca169d7c6 providers/implementations/signature/ecdsa_sig.c
bd48b0fe43f0d0d91eb34bdfd48fbcfd69bceabf0ddc678702fe9ef968064bb6 providers/implementations/signature/eddsa_sig.c
e0e67e402ff19b0d2eb5228d7ebd70b9477c12595ac34d6f201373d7c8a516f4 providers/implementations/signature/mac_legacy_sig.c
51251a1ca4c0b6faea059de5d5268167fe47565163317177d09db39978134f78 providers/implementations/signature/ml_dsa_sig.c
6c370ec1d3393fa9ac7125e26700fbc0ea05bfd489ddacd1bb6da9b990da26d1 providers/implementations/signature/rsa_sig.c
bab268ab5ad1d5e8dfdd8c01d25b216c657406ec2ff4e7ce190814ac7b92509f providers/implementations/signature/rsa_sig.c
14e7640b4db5e59e29b0266256d3d821adf871afa9703e18285f2fc957ac5971 providers/implementations/signature/slh_dsa_sig.c
21f537f9083f0341d9d1b0ace090a8d8f0b2b9e9cf76771c359b6ea00667a469 providers/implementations/skeymgmt/aes_skmgmt.c
2dbf9b8e738fad556c3248fb554ff4cc269ade3c86fa3d2786ba9b6d6016bf22 providers/implementations/skeymgmt/generic.c


@ -1 +1 @@
ef8128a08964171aaf5852362d97486b641fe521ad648e0c1108fd6d7f5a78ba providers/fips-sources.checksums
8d0c2c2b986f4c98f511c9aa020e98aa984dce5976d8e1966a7721f8b559cda8 providers/fips-sources.checksums


@ -1,5 +1,5 @@
/*
* Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2023-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -134,6 +134,7 @@ int ossl_fips_ind_digest_exch_check(OSSL_FIPS_IND *ind, int id, OSSL_LIB_CTX *li
int ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND *ind, int id,
OSSL_LIB_CTX *libctx,
int nid, int sha1_allowed,
int sha512_trunc_allowed,
const char *desc,
OSSL_FIPS_IND_CHECK_CB *config_check_f);


@ -424,9 +424,18 @@ void SELF_TEST_disable_conditional_error_state(void)
void ossl_set_error_state(const char *type)
{
int cond_test = (type != NULL && strcmp(type, OSSL_SELF_TEST_TYPE_PCT) == 0);
int cond_test = 0;
int import_pct = 0;
if (!cond_test || (FIPS_conditional_error_check == 1)) {
if (type != NULL) {
cond_test = strcmp(type, OSSL_SELF_TEST_TYPE_PCT) == 0;
import_pct = strcmp(type, OSSL_SELF_TEST_TYPE_PCT_IMPORT) == 0;
}
if (import_pct) {
/* Failure to import is transient to avoid a DoS attack */
ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_IMPORT_PCT_ERROR);
} else if (!cond_test || (FIPS_conditional_error_check == 1)) {
set_fips_state(FIPS_STATE_ERROR);
ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE);
} else {
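Review bot: The `import_pct` branch is tested before `FIPS_conditional_error_check` is consulted, so a failed import PCT never moves the module to FIPS_STATE_ERROR whatever that setting is, and the one-line comment does not say why. I would spell the reasoning out, e.g. `/* Imported key material is caller-supplied: report the failure but stay operational, so one bad key cannot disable the module for every user */`. Callers then have to treat PROV_R_FIPS_MODULE_IMPORT_PCT_ERROR as a per-key rejection and discard the key; whether every import path checks for it is not visible in this hunk. The function continues past the end of the hunk.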


@ -169,6 +169,12 @@ typedef struct st_kat_kem_st {
} ST_KAT_KEM;
/*- DIGEST SELF TEST DATA */
static const unsigned char sha1_pt[] = "abc";
static const unsigned char sha1_digest[] = {
0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A,
0xBA, 0x3E, 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C,
0x9C, 0xD0, 0xD8, 0x9D
};
static const unsigned char sha512_pt[] = "abc";
static const unsigned char sha512_digest[] = {
0xDD, 0xAF, 0x35, 0xA1, 0x93, 0x61, 0x7A, 0xBA, 0xCC, 0x41, 0x73, 0x49,
@ -187,11 +193,17 @@ static const unsigned char sha3_256_digest[] = {
/*
* Note:
* SHA1 and SHA256 are tested by higher level algorithms so a
* SHA256 is tested by higher level algorithms so a
* CAST is not needed.
*/
static const ST_KAT_DIGEST st_kat_digest_tests[] =
{
{
OSSL_SELF_TEST_DESC_MD_SHA1,
"SHA1",
ITM_STR(sha1_pt),
ITM(sha1_digest),
},
{
OSSL_SELF_TEST_DESC_MD_SHA2,
"SHA512",
@ -342,7 +354,7 @@ static const ST_KAT_PARAM hkdf_params[] = {
ST_KAT_PARAM_END()
};
static const char sskdf_digest[] = "SHA224";
static const char sskdf_digest[] = "SHA256";
static const unsigned char sskdf_secret[] = {
0x6d, 0xbd, 0xc2, 0x3f, 0x04, 0x54, 0x88, 0xe4,
0x06, 0x27, 0x57, 0xb0, 0x6b, 0x9e, 0xba, 0xe1,
@ -361,8 +373,8 @@ static const unsigned char sskdf_otherinfo[] = {
0x9b, 0x1e, 0xe0, 0xec, 0x3f, 0x8d, 0xbe
};
static const unsigned char sskdf_expected[] = {
0xa4, 0x62, 0xde, 0x16, 0xa8, 0x9d, 0xe8, 0x46,
0x6e, 0xf5, 0x46, 0x0b, 0x47, 0xb8
0x27, 0xce, 0x57, 0xed, 0xb1, 0x7e, 0x1f, 0xf2,
0xe4, 0x79, 0x2e, 0x84, 0x8b, 0x04, 0xf1, 0xae
};
static const ST_KAT_PARAM sskdf_params[] = {
ST_KAT_PARAM_UTF8STRING(OSSL_KDF_PARAM_DIGEST, sskdf_digest),
@ -371,7 +383,7 @@ static const ST_KAT_PARAM sskdf_params[] = {
ST_KAT_PARAM_END()
};
static const char x942kdf_digest[] = "SHA1";
static const char x942kdf_digest[] = "SHA256";
static const char x942kdf_cekalg[] = "AES-128-WRAP";
static const unsigned char x942kdf_secret[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
@ -379,8 +391,8 @@ static const unsigned char x942kdf_secret[] = {
0x10, 0x11, 0x12, 0x13
};
static const unsigned char x942kdf_expected[] = {
0xd6, 0xd6, 0xb0, 0x94, 0xc1, 0x02, 0x7a, 0x7d,
0xe6, 0xe3, 0x11, 0x72, 0x94, 0xa3, 0x53, 0x64
0x79, 0x66, 0xa0, 0x38, 0x22, 0x28, 0x1e, 0xa3,
0xeb, 0x08, 0xd9, 0xbc, 0x69, 0x5b, 0xd8, 0xff
};
static const ST_KAT_PARAM x942kdf_params[] = {
ST_KAT_PARAM_UTF8STRING(OSSL_KDF_PARAM_DIGEST, x942kdf_digest),
@ -787,51 +799,73 @@ static const unsigned char drbg_ctr_aes128_pr_df_expected[] = {
/*
* HMAC_DRBG.rsp
*
* [SHA-1]
* [SHA-256]
* [PredictionResistance = True]
* [EntropyInputLen = 128]
* [NonceLen = 64]
* [PersonalizationStringLen = 128]
* [AdditionalInputLen = 128]
* [ReturnedBitsLen = 640]
* [EntropyInputLen = 256]
* [NonceLen = 128]
* [PersonalizationStringLen = 256]
* [AdditionalInputLen = 256]
* [ReturnedBitsLen = 1024]
*
* COUNT = 0
*/
static const unsigned char drbg_hmac_sha1_pr_entropyin[] = {
0x68, 0x0f, 0xac, 0xe9, 0x0d, 0x7b, 0xca, 0x21, 0xd4, 0xa0, 0xed, 0xb7,
0x79, 0x9e, 0xe5, 0xd8
static const unsigned char drbg_hmac_sha2_pr_entropyin[] = {
0xca, 0x85, 0x19, 0x11, 0x34, 0x93, 0x84, 0xbf,
0xfe, 0x89, 0xde, 0x1c, 0xbd, 0xc4, 0x6e, 0x68,
0x31, 0xe4, 0x4d, 0x34, 0xa4, 0xfb, 0x93, 0x5e,
0xe2, 0x85, 0xdd, 0x14, 0xb7, 0x1a, 0x74, 0x88
};
static const unsigned char drbg_hmac_sha1_pr_nonce[] = {
0xb7, 0xbe, 0x9e, 0xed, 0xdd, 0x0e, 0x3b, 0x4b
static const unsigned char drbg_hmac_sha2_pr_nonce[] = {
0x65, 0x9b, 0xa9, 0x6c, 0x60, 0x1d, 0xc6, 0x9f,
0xc9, 0x02, 0x94, 0x08, 0x05, 0xec, 0x0c, 0xa8
};
static const unsigned char drbg_hmac_sha1_pr_persstr[] = {
0xf5, 0x8c, 0x40, 0xae, 0x70, 0xf7, 0xa5, 0x56, 0x48, 0xa9, 0x31, 0xa0,
0xa9, 0x31, 0x3d, 0xd7
static const unsigned char drbg_hmac_sha2_pr_persstr[] = {
0xe7, 0x2d, 0xd8, 0x59, 0x0d, 0x4e, 0xd5, 0x29,
0x55, 0x15, 0xc3, 0x5e, 0xd6, 0x19, 0x9e, 0x9d,
0x21, 0x1b, 0x8f, 0x06, 0x9b, 0x30, 0x58, 0xca,
0xa6, 0x67, 0x0b, 0x96, 0xef, 0x12, 0x08, 0xd0
};
static const unsigned char drbg_hmac_sha1_pr_entropyinpr0[] = {
0x7c, 0xaf, 0xe2, 0x31, 0x63, 0x0a, 0xa9, 0x5a, 0x74, 0x2c, 0x4e, 0x5f,
0x5f, 0x22, 0xc6, 0xa4
static const unsigned char drbg_hmac_sha2_pr_entropyinpr0[] = {
0x5c, 0xac, 0xc6, 0x81, 0x65, 0xa2, 0xe2, 0xee,
0x20, 0x81, 0x2f, 0x35, 0xec, 0x73, 0xa7, 0x9d,
0xbf, 0x30, 0xfd, 0x47, 0x54, 0x76, 0xac, 0x0c,
0x44, 0xfc, 0x61, 0x74, 0xcd, 0xac, 0x2b, 0x55
};
static const unsigned char drbg_hmac_sha1_pr_entropyinpr1[] = {
0x1c, 0x0d, 0x77, 0x92, 0x89, 0x88, 0x27, 0x94, 0x8a, 0x58, 0x9f, 0x82,
0x2d, 0x1a, 0xf7, 0xa6
static const unsigned char drbg_hmac_sha2_pr_entropyinpr1[] = {
0x8d, 0xf0, 0x13, 0xb4, 0xd1, 0x03, 0x52, 0x30,
0x73, 0x91, 0x7d, 0xdf, 0x6a, 0x86, 0x97, 0x93,
0x05, 0x9e, 0x99, 0x43, 0xfc, 0x86, 0x54, 0x54,
0x9e, 0x7a, 0xb2, 0x2f, 0x7c, 0x29, 0xf1, 0x22
};
static const unsigned char drbg_hmac_sha1_pr_addin0[] = {
0xdc, 0x36, 0x63, 0xf0, 0x62, 0x78, 0x9c, 0xd1, 0x5c, 0xbb, 0x20, 0xc3,
0xc1, 0x8c, 0xd9, 0xd7
static const unsigned char drbg_hmac_sha2_pr_addin0[] = {
0x79, 0x3a, 0x7e, 0xf8, 0xf6, 0xf0, 0x48, 0x2b,
0xea, 0xc5, 0x42, 0xbb, 0x78, 0x5c, 0x10, 0xf8,
0xb7, 0xb4, 0x06, 0xa4, 0xde, 0x92, 0x66, 0x7a,
0xb1, 0x68, 0xec, 0xc2, 0xcf, 0x75, 0x73, 0xc6
};
static const unsigned char drbg_hmac_sha1_pr_addin1[] = {
0xfe, 0x85, 0xb0, 0xab, 0x14, 0xc6, 0x96, 0xe6, 0x9c, 0x24, 0xe7, 0xb5,
0xa1, 0x37, 0x12, 0x0c
static const unsigned char drbg_hmac_sha2_pr_addin1[] = {
0x22, 0x38, 0xcd, 0xb4, 0xe2, 0x3d, 0x62, 0x9f,
0xe0, 0xc2, 0xa8, 0x3d, 0xd8, 0xd5, 0x14, 0x4c,
0xe1, 0xa6, 0x22, 0x9e, 0xf4, 0x1d, 0xab, 0xe2,
0xa9, 0x9f, 0xf7, 0x22, 0xe5, 0x10, 0xb5, 0x30
};
static const unsigned char drbg_hmac_sha1_pr_expected[] = {
0x68, 0x00, 0x4b, 0x3a, 0x28, 0xf7, 0xf0, 0x1c, 0xf9, 0xe9, 0xb5, 0x71,
0x20, 0x79, 0xef, 0x80, 0x87, 0x1b, 0x08, 0xb9, 0xa9, 0x1b, 0xcd, 0x2b,
0x9f, 0x09, 0x4d, 0xa4, 0x84, 0x80, 0xb3, 0x4c, 0xaf, 0xd5, 0x59, 0x6b,
0x0c, 0x0a, 0x48, 0xe1, 0x48, 0xda, 0xbc, 0x6f, 0x77, 0xb8, 0xff, 0xaf,
0x18, 0x70, 0x28, 0xe1, 0x04, 0x13, 0x7a, 0x4f, 0xeb, 0x1c, 0x72, 0xb0,
0xc4, 0x4f, 0xe8, 0xb1, 0xaf, 0xab, 0xa5, 0xbc, 0xfd, 0x86, 0x67, 0xf2,
0xf5, 0x5b, 0x46, 0x06, 0x63, 0x2e, 0x3c, 0xbc
static const unsigned char drbg_hmac_sha2_pr_expected[] = {
0xb1, 0xd1, 0x7c, 0x00, 0x2a, 0x7f, 0xeb, 0xd2,
0x84, 0x12, 0xd8, 0xe5, 0x8a, 0x7f, 0x32, 0x31,
0x8e, 0x4e, 0xe3, 0x60, 0x5a, 0x99, 0xb0, 0x5b,
0x05, 0xd5, 0x93, 0x56, 0xd5, 0xf0, 0xc6, 0xb4,
0x96, 0x0a, 0x4b, 0x8f, 0x96, 0x3b, 0x7e, 0xfa,
0x55, 0xbb, 0x68, 0x72, 0xfb, 0xea, 0xc7, 0xb9,
0x9b, 0x78, 0xde, 0xa8, 0xf3, 0x53, 0x19, 0x73,
0x63, 0x7c, 0x94, 0x6a, 0x9c, 0xab, 0x33, 0x49,
0x74, 0x4b, 0x24, 0xa0, 0x85, 0x1d, 0xd4, 0x7f,
0x2b, 0x3b, 0x46, 0x0c, 0x2c, 0x61, 0x84, 0x6e,
0x91, 0x18, 0x1d, 0x62, 0xd4, 0x2c, 0x60, 0xa4,
0xef, 0xda, 0x5e, 0xd5, 0x79, 0x02, 0xbf, 0xd7,
0x02, 0xb3, 0x49, 0xc5, 0x49, 0x52, 0xc7, 0xf6,
0x44, 0x76, 0x9d, 0x8e, 0xf4, 0x01, 0x5e, 0xcc,
0x5f, 0x5b, 0xbd, 0x4a, 0xf0, 0x61, 0x34, 0x68,
0x8e, 0x30, 0x05, 0x0e, 0x04, 0x97, 0xfb, 0x0a
};
static const ST_KAT_DRBG st_kat_drbg_tests[] =
@ -862,15 +896,15 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] =
},
{
OSSL_SELF_TEST_DESC_DRBG_HMAC,
"HMAC-DRBG", "digest", "SHA1",
ITM(drbg_hmac_sha1_pr_entropyin),
ITM(drbg_hmac_sha1_pr_nonce),
ITM(drbg_hmac_sha1_pr_persstr),
ITM(drbg_hmac_sha1_pr_entropyinpr0),
ITM(drbg_hmac_sha1_pr_entropyinpr1),
ITM(drbg_hmac_sha1_pr_addin0),
ITM(drbg_hmac_sha1_pr_addin1),
ITM(drbg_hmac_sha1_pr_expected)
"HMAC-DRBG", "digest", "SHA256",
ITM(drbg_hmac_sha2_pr_entropyin),
ITM(drbg_hmac_sha2_pr_nonce),
ITM(drbg_hmac_sha2_pr_persstr),
ITM(drbg_hmac_sha2_pr_entropyinpr0),
ITM(drbg_hmac_sha2_pr_entropyinpr1),
ITM(drbg_hmac_sha2_pr_addin0),
ITM(drbg_hmac_sha2_pr_addin1),
ITM(drbg_hmac_sha2_pr_expected)
}
};


@ -1,5 +1,5 @@
/*
* Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -151,6 +151,7 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
size_t outsize, const unsigned char *in, size_t inlen)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
size_t len = RSA_size(prsactx->rsa);
int ret;
if (!ossl_prov_is_running())
@ -168,17 +169,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
}
#endif
if (out == NULL) {
size_t len = RSA_size(prsactx->rsa);
if (len == 0) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
return 0;
}
if (len == 0) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
return 0;
}
if (out == NULL) {
*outlen = len;
return 1;
}
if (outsize < len) {
ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
return 0;
}
if (prsactx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
int rsasize = RSA_size(prsactx->rsa);
unsigned char *tbuf;
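Review bot: The new `if (outsize < len)` guard in rsa_encrypt has no comment saying what it protects, and the OAEP branch directly below still calls `RSA_size(prsactx->rsa)` a second time into `int rsasize` although the hoisted `len` already holds that value. I would add `/* The result is a full modulus-sized block, so reject any caller-declared buffer smaller than that. */` above the guard and derive `rsasize` from `len`, so the bound that is checked and the bound that is used cannot drift apart. The check trusts `outsize` as reported, so a caller that passes a large enough buffer but the wrong size now gets `PROV_R_OUTPUT_BUFFER_TOO_SMALL`. The body of rsa_encrypt continues past the end of this hunk.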


@ -209,18 +209,6 @@ static int dh_import(void *keydata, int selection, const OSSL_PARAM params[])
selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
ok = ok && ossl_dh_key_fromdata(dh, params, include_private);
#ifdef FIPS_MODULE
/*
* FIPS 140-3 IG 10.3.A additional comment 1 mandates that a pairwise
* consistency check be undertaken on key import. The required test
* is described in SP 800-56Ar3 5.6.2.1.4.
*/
if (ok > 0 && !ossl_fips_self_testing()) {
ok = ossl_dh_check_pairwise(dh, 1);
if (ok <= 0)
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
}
#endif /* FIPS_MODULE */
}
return ok;
@ -806,6 +794,15 @@ static void *dh_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
gctx->gen_type == DH_PARAMGEN_TYPE_FIPS_186_2);
if (DH_generate_key(dh) <= 0)
goto end;
#ifdef FIPS_MODULE
if (!ossl_fips_self_testing()) {
ret = ossl_dh_check_pairwise(dh, 0);
if (ret <= 0) {
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
goto end;
}
}
#endif /* FIPS_MODULE */
}
DH_clear_flags(dh, DH_FLAG_TYPE_MASK);
DH_set_flags(dh, gctx->dh_type);
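Review bot: The pairwise consistency test added to dh_gen carries no comment, while the block removed from dh_import cited FIPS 140-3 IG 10.3.A and SP 800-56Ar3 5.6.2.1.4, so the rationale is lost with the move. The second argument to `ossl_dh_check_pairwise()` also changes from `1` in the removed import code to `0` here with nothing visible that explains the difference. I would add `/* Pairwise consistency test on the newly generated key pair; a failure records the PCT error state and aborts generation. */` above the `if`, plus a word on what the `0` selects. dh_gen begins before this hunk and continues after it.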

View File

@ -431,21 +431,6 @@ int common_import(void *keydata, int selection, const OSSL_PARAM params[],
if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
ok = ok && ossl_ec_key_otherparams_fromdata(ec, params);
#ifdef FIPS_MODULE
if (ok > 0
&& !ossl_fips_self_testing()
&& EC_KEY_get0_public_key(ec) != NULL
&& EC_KEY_get0_private_key(ec) != NULL
&& EC_KEY_get0_group(ec) != NULL) {
BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));
ok = bnctx != NULL && ossl_ec_key_pairwise_check(ec, bnctx);
BN_CTX_free(bnctx);
if (ok <= 0)
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
}
#endif /* FIPS_MODULE */
return ok;
}
@ -1347,6 +1332,21 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
if (gctx->group_check != NULL)
ret = ret && ossl_ec_set_check_group_type_from_name(ec,
gctx->group_check);
#ifdef FIPS_MODULE
if (ret > 0
&& !ossl_fips_self_testing()
&& EC_KEY_get0_public_key(ec) != NULL
&& EC_KEY_get0_private_key(ec) != NULL
&& EC_KEY_get0_group(ec) != NULL) {
BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));
ret = bnctx != NULL && ossl_ec_key_pairwise_check(ec, bnctx);
BN_CTX_free(bnctx);
if (ret <= 0)
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
}
#endif /* FIPS_MODULE */
if (ret)
return ec;
err:
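Review bot: In the PCT block added to ec_gen, a failed `BN_CTX_new_ex()` is folded into the same `ret <= 0` path as a failed pairwise check, so an allocation failure also calls `ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT)`. If that state is meant to record only a key that failed its consistency test, the two cases should be separated so that memory pressure during key generation fails the call without being reported as a PCT failure. If failing closed on any error is intended, a comment saying so would settle it. The block is also skipped without notice when the public key, private key or group is missing, which deserves a one-line comment. ec_gen starts before this hunk and continues after it.

```c
/* … unchanged: #ifdef FIPS_MODULE and the ret / self-testing / key-part condition … */
        BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));

        if (bnctx == NULL) {
            /* Allocation failure: fail this call, do not record a PCT failure. */
            ret = 0;
        } else if (!ossl_ec_key_pairwise_check(ec, bnctx)) {
            ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
            ret = 0;
        }
        BN_CTX_free(bnctx);
/* … unchanged: end of the FIPS_MODULE block … */
```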


@ -223,7 +223,7 @@ static int ecx_import(void *keydata, int selection, const OSSL_PARAM params[])
if (key->haspubkey && key->privkey != NULL) {
ok = ecd_fips140_pairwise_test(key, key->type, 1);
if (ok <= 0)
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
}
#endif /* FIPS_MODULE */
return ok;


@ -268,6 +268,7 @@ static int ml_dsa_import(void *keydata, int selection, const OSSL_PARAM params[]
{
ML_DSA_KEY *key = keydata;
int include_priv;
int res;
if (!ossl_prov_is_running() || key == NULL)
return 0;
@ -276,7 +277,17 @@ static int ml_dsa_import(void *keydata, int selection, const OSSL_PARAM params[]
return 0;
include_priv = ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0);
return ml_dsa_key_fromdata(key, params, include_priv);
res = ml_dsa_key_fromdata(key, params, include_priv);
#ifdef FIPS_MODULE
if (res > 0) {
res = ml_dsa_pairwise_test(key);
if (!res) {
ossl_ml_dsa_key_reset(key);
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
}
}
#endif /* FIPS_MODULE */
return res;
}
#define ML_DSA_IMEXPORTABLE_PARAMETERS \
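Review bot: The pairwise test added to ml_dsa_import runs after every successful import, including public-only ones, whereas ml_kem_import gates its test on `include_private`; `include_priv` is computed just above and not used in the new condition. Unless ml_dsa_pairwise_test (not shown in this hunk) already returns success for a key without a private part, the condition should read `if (res > 0 && include_priv) {`; if it does, a comment stating that would save the next reader the lookup. The failure test `if (!res)` also differs from the `ok <= 0` used for the same purpose in ecx_import, so should the helper ever return a negative value, both `ossl_ml_dsa_key_reset(key)` and the error state would be skipped.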


@ -475,7 +475,7 @@ static int ml_kem_import(void *vkey, int selection, const OSSL_PARAM params[])
if (res > 0 && include_private
&& !ml_kem_pairwise_test(key, key->prov_flags)) {
#ifdef FIPS_MODULE
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
#endif
ossl_ml_kem_key_reset(key);
res = 0;
@ -504,7 +504,7 @@ static const OSSL_PARAM *ml_kem_gettable_params(void *provctx)
}
#ifndef FIPS_MODULE
void *ml_kem_load(const void *reference, size_t reference_sz)
static void *ml_kem_load(const void *reference, size_t reference_sz)
{
ML_KEM_KEY *key = NULL;
uint8_t *encoded_dk = NULL;


@ -197,23 +197,6 @@ static int rsa_import(void *keydata, int selection, const OSSL_PARAM params[])
ok = ok && ossl_rsa_fromdata(rsa, params, include_private);
}
#ifdef FIPS_MODULE
if (ok > 0 && !ossl_fips_self_testing()) {
const BIGNUM *n, *e, *d, *dp, *dq, *iq, *p, *q;
RSA_get0_key(rsa, &n, &e, &d);
RSA_get0_crt_params(rsa, &dp, &dq, &iq);
p = RSA_get0_p(rsa);
q = RSA_get0_q(rsa);
/* Check for the public key */
if (n != NULL && e != NULL)
/* Check for private key in straightforward or CRT form */
if (d != NULL || (p != NULL && q != NULL && dp != NULL
&& dq != NULL && iq != NULL))
ok = ossl_rsa_key_pairwise_test(rsa);
}
#endif /* FIPS_MODULE */
return ok;
}


@ -11,6 +11,7 @@
#include <openssl/core_names.h>
#include <openssl/param_build.h>
#include <openssl/self_test.h>
#include <openssl/proverr.h>
#include "crypto/slh_dsa.h"
#include "internal/fips.h"
#include "internal/param_build_set.h"
@ -18,6 +19,11 @@
#include "prov/providercommon.h"
#include "prov/provider_ctx.h"
#ifdef FIPS_MODULE
static int slh_dsa_fips140_pairwise_test(const SLH_DSA_KEY *key,
SLH_DSA_HASH_CTX *ctx);
#endif /* FIPS_MODULE */
static OSSL_FUNC_keymgmt_free_fn slh_dsa_free_key;
static OSSL_FUNC_keymgmt_has_fn slh_dsa_has;
static OSSL_FUNC_keymgmt_match_fn slh_dsa_match;
@ -281,9 +287,8 @@ static void *slh_dsa_gen_init(void *provctx, int selection,
* Refer to FIPS 140-3 IG 10.3.A Additional Comment 1
* Perform a pairwise test for SLH_DSA by signing and verifying a signature.
*/
static int slh_dsa_fips140_pairwise_test(SLH_DSA_HASH_CTX *ctx,
const SLH_DSA_KEY *key,
OSSL_LIB_CTX *lib_ctx)
static int slh_dsa_fips140_pairwise_test(const SLH_DSA_KEY *key,
SLH_DSA_HASH_CTX *ctx)
{
int ret = 0;
OSSL_SELF_TEST *st = NULL;
@ -293,15 +298,25 @@ static int slh_dsa_fips140_pairwise_test(SLH_DSA_HASH_CTX *ctx,
size_t msg_len = sizeof(msg);
uint8_t *sig = NULL;
size_t sig_len;
OSSL_LIB_CTX *lib_ctx;
int alloc_ctx = 0;
/* During self test, it is a waste to do this test */
if (ossl_fips_self_testing())
return 1;
if (ctx == NULL) {
ctx = ossl_slh_dsa_hash_ctx_new(key);
if (ctx == NULL)
return 0;
alloc_ctx = 1;
}
lib_ctx = ossl_slh_dsa_key_get0_libctx(key);
OSSL_SELF_TEST_get_callback(lib_ctx, &cb, &cb_arg);
st = OSSL_SELF_TEST_new(cb, cb_arg);
if (st == NULL)
return 0;
goto err;
OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT,
OSSL_SELF_TEST_DESC_PCT_SLH_DSA);
@ -322,6 +337,8 @@ static int slh_dsa_fips140_pairwise_test(SLH_DSA_HASH_CTX *ctx,
ret = 1;
err:
if (alloc_ctx)
ossl_slh_dsa_hash_ctx_free(ctx);
OPENSSL_free(sig);
OSSL_SELF_TEST_onend(st, ret);
OSSL_SELF_TEST_free(st);
@ -342,12 +359,12 @@ static void *slh_dsa_gen(void *genctx, const char *alg)
return NULL;
ctx = ossl_slh_dsa_hash_ctx_new(key);
if (ctx == NULL)
return NULL;
goto err;
if (!ossl_slh_dsa_generate_key(ctx, key, gctx->libctx,
gctx->entropy, gctx->entropy_len))
goto err;
#ifdef FIPS_MODULE
if (!slh_dsa_fips140_pairwise_test(ctx, key, gctx->libctx)) {
if (!slh_dsa_fips140_pairwise_test(key, ctx)) {
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
goto err;
}
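Review bot: The header comment of slh_dsa_fips140_pairwise_test still describes only the sign-and-verify check and says nothing about the new `ctx == NULL` path, in which the function creates its own hash context with `ossl_slh_dsa_hash_ctx_new(key)` and frees it at `err:` only when `alloc_ctx` is set. I would extend the comment with `If ctx is NULL a temporary hash context is created from key and released before returning; a caller-supplied ctx is never freed here.` The forward declaration added near the top of the file would also read better with a note on which caller needs it, since the only caller visible here, slh_dsa_gen, is defined after the function. The middle of the function lies between hunks and is not shown.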


@ -1,5 +1,5 @@
/*
* Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -98,7 +98,7 @@ static void hmac_free(void *vmacctx)
if (macctx != NULL) {
HMAC_CTX_free(macctx->ctx);
ossl_prov_digest_reset(&macctx->digest);
OPENSSL_secure_clear_free(macctx->key, macctx->keylen);
OPENSSL_clear_free(macctx->key, macctx->keylen);
OPENSSL_free(macctx);
}
}
@ -127,13 +127,13 @@ static void *hmac_dup(void *vsrc)
return NULL;
}
if (src->key != NULL) {
/* There is no "secure" OPENSSL_memdup */
dst->key = OPENSSL_secure_malloc(src->keylen > 0 ? src->keylen : 1);
dst->key = OPENSSL_malloc(src->keylen > 0 ? src->keylen : 1);
if (dst->key == NULL) {
hmac_free(dst);
return 0;
}
memcpy(dst->key, src->key, src->keylen);
if (src->keylen > 0)
memcpy(dst->key, src->key, src->keylen);
}
return dst;
}
@ -178,13 +178,14 @@ static int hmac_setkey(struct hmac_data_st *macctx,
#endif
if (macctx->key != NULL)
OPENSSL_secure_clear_free(macctx->key, macctx->keylen);
OPENSSL_clear_free(macctx->key, macctx->keylen);
/* Keep a copy of the key in case we need it for TLS HMAC */
macctx->key = OPENSSL_secure_malloc(keylen > 0 ? keylen : 1);
macctx->key = OPENSSL_malloc(keylen > 0 ? keylen : 1);
if (macctx->key == NULL)
return 0;
memcpy(macctx->key, key, keylen);
if (keylen > 0)
memcpy(macctx->key, key, keylen);
macctx->keylen = keylen;
digest = ossl_prov_digest_md(&macctx->digest);
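Review bot: In hmac_setkey the old key is freed and `macctx->key` is reassigned from `OPENSSL_malloc()`, but on allocation failure the function returns with `macctx->key == NULL` while `macctx->keylen` still holds the previous length. Resetting it in the failure branch, `if (macctx->key == NULL) { macctx->keylen = 0; return 0; }`, keeps pointer and length consistent. hmac_dup and hmac_free in the visible hunks are safe because they key off the pointer, but other readers of `keylen` are not shown. With the key copy now on the ordinary heap, `OPENSSL_clear_free(macctx->key, macctx->keylen)` is the one place the bytes are wiped, so an accurate `keylen` matters more than before. hmac_setkey starts before this hunk and continues after it.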


@ -193,7 +193,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
OSSL_FIPS_IND_SETTABLE1,
ctx->libctx,
md_nid, sha1_allowed, desc,
md_nid, sha1_allowed, 0, desc,
ossl_fips_config_signature_digest_check))
goto err;
}


@ -219,7 +219,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
OSSL_FIPS_IND_SETTABLE1,
ctx->libctx,
md_nid, sha1_allowed, desc,
md_nid, sha1_allowed, 0, desc,
ossl_fips_config_signature_digest_check))
goto err;
}


@ -1,5 +1,5 @@
/*
* Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -411,7 +411,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
OSSL_FIPS_IND_SETTABLE1,
ctx->libctx,
md_nid, sha1_allowed, desc,
md_nid, sha1_allowed, 1, desc,
ossl_fips_config_signature_digest_check))
goto err;
}
@ -952,7 +952,7 @@ static int rsa_verify_recover(void *vprsactx,
return 0;
ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,
RSA_X931_PADDING);
if (ret < 1) {
if (ret <= 0) {
ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
return 0;
}
@ -1002,7 +1002,7 @@ static int rsa_verify_recover(void *vprsactx,
} else {
ret = RSA_public_decrypt(siglen, sig, rout, prsactx->rsa,
prsactx->pad_mode);
if (ret < 0) {
if (ret <= 0) {
ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
return 0;
}


@ -863,7 +863,7 @@ int dtls1_shutdown(SSL *s)
BIO *wbio;
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
if (s == NULL)
if (sc == NULL)
return -1;
wbio = SSL_get_wbio(s);


@ -1331,8 +1331,20 @@ static int ch_on_transport_params(const unsigned char *params,
ossl_unused uint64_t rx_max_idle_timeout = 0;
ossl_unused const void *stateless_reset_token_p = NULL;
QUIC_PREFERRED_ADDR pfa;
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ch->tls);
if (ch->got_remote_transport_params) {
/*
* When HRR happens the client sends the transport params in the new client
* hello again. Reset the transport params here and load them again.
*/
if (ch->is_server && sc->hello_retry_request != SSL_HRR_NONE
&& ch->got_remote_transport_params) {
ch->max_local_streams_bidi = 0;
ch->max_local_streams_uni = 0;
ch->got_local_transport_params = 0;
OPENSSL_free(ch->local_transport_params);
ch->local_transport_params = NULL;
} else if (ch->got_remote_transport_params) {
reason = "multiple transport parameter extensions";
goto malformed;
}
@ -2423,7 +2435,6 @@ static void ch_rx_handle_packet(QUIC_CHANNEL *ch, int channel_only)
if (!PACKET_get_net_4(&vpkt, &supported_ver))
return;
supported_ver = ntohl(supported_ver);
if (supported_ver == QUIC_VERSION_1) {
/*
* If the server supports version 1, set it as
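Review bot: `sc` in ch_on_transport_params is dereferenced as `sc->hello_retry_request` without a NULL check, although the related `SSL_CONNECTION_FROM_SSL_ONLY()` lookup in dtls1_shutdown is treated as fallible in this same commit (`if (sc == NULL)`). Adding the test to the condition, `if (ch->is_server && sc != NULL && sc->hello_retry_request != SSL_HRR_NONE`, costs nothing and falls back to the existing duplicate-extension rejection. The new branch is the only path that accepts a second transport-parameter extension from a peer, so its comment should say that this applies to a server after a HelloRetryRequest only and that every other repeat still reaches `malformed`. The function continues outside the hunk.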


@ -4769,6 +4769,7 @@ void ossl_quic_free_token_store(SSL_TOKEN_STORE *hdl)
ossl_crypto_mutex_free(&hdl->mutex);
lh_QUIC_TOKEN_doall(hdl->cache, free_this_token);
lh_QUIC_TOKEN_free(hdl->cache);
CRYPTO_FREE_REF(&hdl->references);
OPENSSL_free(hdl);
return;
}


@ -1267,7 +1267,7 @@ static void port_send_version_negotiation(QUIC_PORT *port, BIO_ADDR *peer,
* Add the array of supported versions to the end of the packet
*/
for (i = 0; i < OSSL_NELEM(supported_versions); i++) {
if (!WPACKET_put_bytes_u32(&wpkt, htonl(supported_versions[i])))
if (!WPACKET_put_bytes_u32(&wpkt, supported_versions[i]))
return;
}
@ -1691,6 +1691,7 @@ static void port_default_packet_handler(QUIC_URXE *e, void *arg,
*/
while (ossl_qrx_read_pkt(qrx_src, &qrx_pkt) == 1)
ossl_quic_channel_inject_pkt(new_ch, qrx_pkt);
ossl_qrx_update_pn_space(qrx_src, new_ch->qrx);
}
/*


@ -237,6 +237,16 @@ static void qrx_cleanup_urxl(OSSL_QRX *qrx, QUIC_URXE_LIST *l)
}
}
void ossl_qrx_update_pn_space(OSSL_QRX *src, OSSL_QRX *dst)
{
size_t i;
for (i = 0; i < QUIC_PN_SPACE_NUM; i++)
dst->largest_pn[i] = src->largest_pn[i];
return;
}
void ossl_qrx_free(OSSL_QRX *qrx)
{
uint32_t i;
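Review bot: ossl_qrx_update_pn_space is added without a comment and ends in a bare `return;` that a void function does not need. I would put `/* Copy the per-PN-space largest_pn values from src to dst. */` above it and drop the `return;`. `src` is only read, so it could be declared `const OSSL_QRX *src`, provided the prototype in the header (not shown here) is changed with it. Neither pointer is checked, so the comment should state that both must be non-NULL.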


@ -279,12 +279,12 @@ static TXE *qtx_resize_txe(OSSL_QTX *qtx, TXE_LIST *txl, TXE *txe, size_t n)
* data.
*/
txe2 = OPENSSL_realloc(txe, sizeof(TXE) + n);
if (txe2 == NULL || txe == txe2) {
if (txe2 == NULL) {
if (p == NULL)
ossl_list_txe_insert_head(txl, txe);
else
ossl_list_txe_insert_after(txl, p, txe);
return txe2;
return NULL;
}
if (p == NULL)


@ -745,6 +745,7 @@ EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt,
/* SSLfatal() already called */
return EXT_RETURN_FAIL;
}
valid_keyshare++;
} else {
if (s->ext.supportedgroups == NULL) /* use default */
add_only_one = 1;
@ -766,13 +767,18 @@ EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt,
/* SSLfatal() already called */
return EXT_RETURN_FAIL;
}
valid_keyshare++;
if (add_only_one)
break;
valid_keyshare++;
}
}
if (valid_keyshare == 0) {
/* No key shares were allowed */
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);
return EXT_RETURN_FAIL;
}
if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;