OSSForks/node
1
0
Fork 0
mirror of https://github.com/zebrajr/node.git synced 2025-12-06 12:20:27 +01:00
Code Issues Actions 8 Packages Projects Releases Wiki Activity

deps: upgrade openssl sources to openssl-3.0.17

Browse Source 
PR-URL: https://github.com/nodejs/node/pull/59134
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This commit is contained in:
Node.js GitHub Bot 2025-07-20 00:43:29 +00:00
parent 2258d38613
commit 4a28d76dd2
92 changed files with 700 additions and 571 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
deps/openssl/openssl/CHANGES.md vendored
View File

@ -28,6 +28,10 @@ breaking changes, and mappings for the large list of deprecated functions.
[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
### Changes between 3.0.16 and 3.0.17 [1 Jul 2025]
* none yet
### Changes between 3.0.15 and 3.0.16 [11 Feb 2025]
* Fixed timing side-channel in ECDSA signature computation.
@ -3273,7 +3277,7 @@ OpenSSL 1.1.1
* Support for TLSv1.3 added. Note that users upgrading from an earlier
version of OpenSSL should review their configuration settings to ensure
that they are still appropriate for TLSv1.3. For further information see:
<https://wiki.openssl.org/index.php/TLS1.3>
<https://github.com/openssl/openssl/wiki/TLS1.3>
*Matt Caswell*
@ -4561,7 +4565,7 @@ OpenSSL 1.1.0
* The GOST engine was out of date and therefore it has been removed. An up
to date GOST engine is now being maintained in an external repository.
See: <https://wiki.openssl.org/index.php/Binaries>. Libssl still retains
See: <https://github.com/openssl/openssl/wiki/Binaries>. Libssl still retains
support for GOST ciphersuites (these are only activated if a GOST engine
is present).
@ -5340,6 +5344,11 @@ OpenSSL 1.1.0
*Rob Percival <robpercival@google.com>*
* SSLv3 is by default disabled at build-time. Builds that are not
configured with "enable-ssl3" will not support SSLv3.
*Kurt Roeckx*
OpenSSL 1.0.2
-------------

3
deps/openssl/openssl/Configure vendored
View File

@ -1,6 +1,6 @@
#! /usr/bin/env perl
# -*- mode: perl; -*-
# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@ -157,6 +157,7 @@ my @gcc_devteam_warn = qw(
-Wextra
-Wno-unused-parameter
-Wno-missing-field-initializers
-Wno-unterminated-string-initialization
-Wswitch
-Wsign-compare
-Wshadow

10
deps/openssl/openssl/NEWS.md vendored
View File

@ -18,6 +18,14 @@ OpenSSL Releases
OpenSSL 3.0
-----------
### Major changes between OpenSSL 3.0.16 and OpenSSL 3.0.17 [1 Jul 2025]
OpenSSL 3.0.17 is a bug fix release.
This release incorporates the following bug fixes and mitigations:
* Miscellaneous minor bug fixes.
### Major changes between OpenSSL 3.0.15 and OpenSSL 3.0.16 [11 Feb 2025]
OpenSSL 3.0.16 is a security patch release. The most severe CVE fixed in this
@ -329,7 +337,7 @@ OpenSSL 1.1.1
* Rewrite of the packet construction code for "safer" packet handling
* Rewrite of the extension handling code
For further important information, see the [TLS1.3 page](
https://wiki.openssl.org/index.php/TLS1.3) in the OpenSSL Wiki.
https://github.com/openssl/openssl/wiki/TLS1.3) in the OpenSSL Wiki.
* Complete rewrite of the OpenSSL random number generator to introduce the
following capabilities

5
deps/openssl/openssl/NOTES-WINDOWS.md vendored
View File

@ -79,6 +79,11 @@ Quick start
OpenSSL or
- `perl Configure` to let Configure figure out the platform
a. If you don't plan to develop OpenSSL yourself and don't need to rebuild,
in other words, if you always do a new build, turning off the build
dependency feature can speed up build times by up to 50%:
`perl Configure no-makedepend`
6. `nmake`
7. `nmake test`

7
deps/openssl/openssl/README.md vendored
View File

@ -128,8 +128,7 @@ available online.
Wiki
----
There is a Wiki at [wiki.openssl.org] which is currently not very active.
It contains a lot of useful information, not all of which is up to date.
There is a [GitHub Wiki] which is currently not very active.
License
=======
@ -178,8 +177,8 @@ All rights reserved.
<https://github.com/openssl/openssl>
"OpenSSL GitHub Mirror"
[wiki.openssl.org]:
<https://wiki.openssl.org>
[GitHub Wiki]:
<https://github.com/openssl/openssl/wiki>
"OpenSSL Wiki"
[migration_guide(7ossl)]:

4
deps/openssl/openssl/VERSION.dat vendored
View File

@ -1,7 +1,7 @@
MAJOR=3
MINOR=0
PATCH=16
PATCH=17
PRE_RELEASE_TAG=
BUILD_METADATA=
RELEASE_DATE="11 Feb 2025"
RELEASE_DATE="1 Jul 2025"
SHLIB_VERSION=3

260
deps/openssl/openssl/apps/CA.pl.in vendored
View File

@ -1,5 +1,5 @@
#!{- $config{HASHBANGPERL} -}
# Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@ -19,14 +19,17 @@ my @OPENSSL_CMDS = ("req", "ca", "pkcs12", "x509", "verify");
my $openssl = $ENV{'OPENSSL'} // "openssl";
$ENV{'OPENSSL'} = $openssl;
my @openssl = split_val($openssl);
my $OPENSSL_CONFIG = $ENV{"OPENSSL_CONFIG"} // "";
my @OPENSSL_CONFIG = split_val($OPENSSL_CONFIG);
# Command invocations.
my $REQ = "$openssl req $OPENSSL_CONFIG";
my $CA = "$openssl ca $OPENSSL_CONFIG";
my $VERIFY = "$openssl verify";
my $X509 = "$openssl x509";
my $PKCS12 = "$openssl pkcs12";
my @REQ = (@openssl, "req", @OPENSSL_CONFIG);
my @CA = (@openssl, "ca", @OPENSSL_CONFIG);
my @VERIFY = (@openssl, "verify");
my @X509 = (@openssl, "x509");
my @PKCS12 = (@openssl, "pkcs12");
# Default values for various configuration settings.
my $CATOP = "./demoCA";
@ -34,8 +37,10 @@ my $CAKEY = "cakey.pem";
my $CAREQ = "careq.pem";
my $CACERT = "cacert.pem";
my $CACRL = "crl.pem";
my $DAYS = "-days 365";
my $CADAYS = "-days 1095"; # 3 years
my @DAYS = qw(-days 365);
my @CADAYS = qw(-days 1095); # 3 years
my @EXTENSIONS = qw(-extensions v3_ca);
my @POLICY = qw(-policy policy_anything);
my $NEWKEY = "newkey.pem";
my $NEWREQ = "newreq.pem";
my $NEWCERT = "newcert.pem";
@ -43,31 +48,177 @@ my $NEWP12 = "newcert.p12";
# Commandline parsing
my %EXTRA;
my $WHAT = shift @ARGV || "";
my $WHAT = shift @ARGV // "";
@ARGV = parse_extra(@ARGV);
my $RET = 0;
sub split_val {
return split_val_win32(@_) if ($^O eq 'MSWin32');
my ($val) = @_;
my (@ret, @frag);
# Skip leading whitespace
$val =~ m{\A[ \t]*}ogc;
# Unix shell-compatible split
#
# Handles backslash escapes outside quotes and
# in double-quoted strings. Parameter and
# command-substitution is silently ignored.
# Bare newlines outside quotes and (trailing) backslashes are disallowed.
while (1) {
last if (pos($val) == length($val));
# The first char is never a SPACE or TAB. Possible matches are:
# 1. Ordinary string fragment
# 2. Single-quoted string
# 3. Double-quoted string
# 4. Backslash escape
# 5. Bare backlash or newline (rejected)
#
if ($val =~ m{\G([^'" \t\n\\]+)}ogc) {
# Ordinary string
push @frag, $1;
} elsif ($val =~ m{\G'([^']*)'}ogc) {
# Single-quoted string
push @frag, $1;
} elsif ($val =~ m{\G"}ogc) {
# Double-quoted string
push @frag, "";
while (1) {
last if ($val =~ m{\G"}ogc);
if ($val =~ m{\G([^"\\]+)}ogcs) {
# literals
push @frag, $1;
} elsif ($val =~ m{\G.(["\`\$\\])}ogc) {
# backslash-escaped special
push @frag, $1;
} elsif ($val =~ m{\G.(.)}ogcs) {
# backslashed non-special
push @frag, "\\$1" unless $1 eq "\n";
} else {
die sprintf("Malformed quoted string: %s\n", $val);
}
}
} elsif ($val =~ m{\G\\(.)}ogc) {
# Backslash is unconditional escape outside quoted strings
push @frag, $1 unless $1 eq "\n";
} else {
die sprintf("Bare backslash or newline in: '%s'\n", $val);
}
# Done if at SPACE, TAB or end, otherwise continue current fragment
#
next unless ($val =~ m{\G(?:[ \t]+|\z)}ogcs);
push @ret, join("", splice(@frag)) if (@frag > 0);
}
# Handle final fragment
push @ret, join("", splice(@frag)) if (@frag > 0);
return @ret;
}
sub split_val_win32 {
my ($val) = @_;
my (@ret, @frag);
# Skip leading whitespace
$val =~ m{\A[ \t]*}ogc;
# Windows-compatible split
# See: "Parsing C++ command-line arguments" in:
# https://learn.microsoft.com/en-us/cpp/cpp/main-function-command-line-args?view=msvc-170
#
# Backslashes are special only when followed by a double-quote
# Pairs of double-quotes make a single double-quote.
# Closing double-quotes may be omitted.
while (1) {
last if (pos($val) == length($val));
# The first char is never a SPACE or TAB.
# 1. Ordinary string fragment
# 2. Double-quoted string
# 3. Backslashes preceding a double-quote
# 4. Literal backslashes
# 5. Bare newline (rejected)
#
if ($val =~ m{\G([^" \t\n\\]+)}ogc) {
# Ordinary string
push @frag, $1;
} elsif ($val =~ m{\G"}ogc) {
# Double-quoted string
push @frag, "";
while (1) {
if ($val =~ m{\G("+)}ogc) {
# Two double-quotes make one literal double-quote
my $l = length($1);
push @frag, q{"} x int($l/2) if ($l > 1);
next if ($l % 2 == 0);
last;
}
if ($val =~ m{\G([^"\\]+)}ogc) {
push @frag, $1;
} elsif ($val =~ m{\G((?>[\\]+))(?=")}ogc) {
# Backslashes before a double-quote are escapes
my $l = length($1);
push @frag, q{\\} x int($l / 2);
if ($l % 2 == 1) {
++pos($val);
push @frag, q{"};
}
} elsif ($val =~ m{\G((?:(?>[\\]+)[^"\\]+)+)}ogc) {
# Backslashes not before a double-quote are not special
push @frag, $1;
} else {
# Tolerate missing closing double-quote
last;
}
}
} elsif ($val =~ m{\G((?>[\\]+))(?=")}ogc) {
my $l = length($1);
push @frag, q{\\} x int($l / 2);
if ($l % 2 == 1) {
++pos($val);
push @frag, q{"};
}
} elsif ($val =~ m{\G([\\]+)}ogc) {
# Backslashes not before a double-quote are not special
push @frag, $1;
} else {
die sprintf("Bare newline in: '%s'\n", $val);
}
# Done if at SPACE, TAB or end, otherwise continue current fragment
#
next unless ($val =~ m{\G(?:[ \t]+|\z)}ogcs);
push @ret, join("", splice(@frag)) if (@frag > 0);
}
# Handle final fragment
push @ret, join("", splice(@frag)) if (@frag);
return @ret;
}
# Split out "-extra-CMD value", and return new |@ARGV|. Fill in
# |EXTRA{CMD}| with list of values.
sub parse_extra
{
my @args;
foreach ( @OPENSSL_CMDS ) {
$EXTRA{$_} = '';
$EXTRA{$_} = [];
}
my @result;
while ( scalar(@_) > 0 ) {
my $arg = shift;
if ( $arg !~ m/-extra-([a-z0-9]+)/ ) {
push @result, $arg;
while (@_) {
my $arg = shift(@_);
if ( $arg !~ m{^-extra-(\w+)$} ) {
push @args, split_val($arg);
next;
}
$arg =~ s/-extra-//;
die("Unknown \"-${arg}-extra\" option, exiting")
unless scalar grep { $arg eq $_ } @OPENSSL_CMDS;
$EXTRA{$arg} .= " " . shift;
$arg = $1;
die "Unknown \"-extra-${arg}\" option, exiting\n"
unless grep { $arg eq $_ } @OPENSSL_CMDS;
die "Missing \"-extra-${arg}\" option value, exiting\n"
unless (@_ > 0);
push @{$EXTRA{$arg}}, split_val(shift(@_));
}
return @result;
return @args;
}
@ -110,9 +261,9 @@ sub copy_pemfile
# Wrapper around system; useful for debugging. Returns just the exit status
sub run
{
my $cmd = shift;
print "====\n$cmd\n" if $verbose;
my $status = system($cmd);
my ($cmd, @args) = @_;
print "====\n$cmd @args\n" if $verbose;
my $status = system {$cmd} $cmd, @args;
print "==> $status\n====\n" if $verbose;
return $status >> 8;
}
@ -131,17 +282,15 @@ EOF
if ($WHAT eq '-newcert' ) {
# create a certificate
$RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS"
. " $EXTRA{req}");
$RET = run(@REQ, qw(-new -x509 -keyout), $NEWKEY, "-out", $NEWCERT, @DAYS, @{$EXTRA{req}});
print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
} elsif ($WHAT eq '-precert' ) {
# create a pre-certificate
$RET = run("$REQ -x509 -precert -keyout $NEWKEY -out $NEWCERT $DAYS"
. " $EXTRA{req}");
$RET = run(@REQ, qw(-x509 -precert -keyout), $NEWKEY, "-out", $NEWCERT, @DAYS, @{$EXTRA{req}});
print "Pre-cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
} elsif ($WHAT =~ /^\-newreq(\-nodes)?$/ ) {
# create a certificate request
$RET = run("$REQ -new $1 -keyout $NEWKEY -out $NEWREQ $DAYS $EXTRA{req}");
$RET = run(@REQ, "-new", (defined $1 ? ($1,) : ()), "-keyout", $NEWKEY, "-out", $NEWREQ, @{$EXTRA{req}});
print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;
} elsif ($WHAT eq '-newca' ) {
# create the directory hierarchy
@ -174,48 +323,45 @@ if ($WHAT eq '-newcert' ) {
copy_pemfile($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
} else {
print "Making CA certificate ...\n";
$RET = run("$REQ -new -keyout ${CATOP}/private/$CAKEY"
. " -out ${CATOP}/$CAREQ $EXTRA{req}");
$RET = run("$CA -create_serial"
. " -out ${CATOP}/$CACERT $CADAYS -batch"
. " -keyfile ${CATOP}/private/$CAKEY -selfsign"
. " -extensions v3_ca"
. " -infiles ${CATOP}/$CAREQ $EXTRA{ca}") if $RET == 0;
$RET = run(@REQ, qw(-new -keyout), "${CATOP}/private/$CAKEY",
"-out", "${CATOP}/$CAREQ", @{$EXTRA{req}});
$RET = run(@CA, qw(-create_serial -out), "${CATOP}/$CACERT", @CADAYS,
qw(-batch -keyfile), "${CATOP}/private/$CAKEY", "-selfsign",
@EXTENSIONS, "-infiles", "${CATOP}/$CAREQ", @{$EXTRA{ca}})
if $RET == 0;
print "CA certificate is in ${CATOP}/$CACERT\n" if $RET == 0;
}
} elsif ($WHAT eq '-pkcs12' ) {
my $cname = $ARGV[0];
$cname = "My Certificate" unless defined $cname;
$RET = run("$PKCS12 -in $NEWCERT -inkey $NEWKEY"
. " -certfile ${CATOP}/$CACERT -out $NEWP12"
. " -export -name \"$cname\" $EXTRA{pkcs12}");
print "PKCS #12 file is in $NEWP12\n" if $RET == 0;
$RET = run(@PKCS12, "-in", $NEWCERT, "-inkey", $NEWKEY,
"-certfile", "${CATOP}/$CACERT", "-out", $NEWP12,
qw(-export -name), $cname, @{$EXTRA{pkcs12}});
print "PKCS#12 file is in $NEWP12\n" if $RET == 0;
} elsif ($WHAT eq '-xsign' ) {
$RET = run("$CA -policy policy_anything -infiles $NEWREQ $EXTRA{ca}");
$RET = run(@CA, @POLICY, "-infiles", $NEWREQ, @{$EXTRA{ca}});
} elsif ($WHAT eq '-sign' ) {
$RET = run("$CA -policy policy_anything -out $NEWCERT"
. " -infiles $NEWREQ $EXTRA{ca}");
$RET = run(@CA, @POLICY, "-out", $NEWCERT,
"-infiles", $NEWREQ, @{$EXTRA{ca}});
print "Signed certificate is in $NEWCERT\n" if $RET == 0;
} elsif ($WHAT eq '-signCA' ) {
$RET = run("$CA -policy policy_anything -out $NEWCERT"
. " -extensions v3_ca -infiles $NEWREQ $EXTRA{ca}");
$RET = run(@CA, @POLICY, "-out", $NEWCERT, @EXTENSIONS,
"-infiles", $NEWREQ, @{$EXTRA{ca}});
print "Signed CA certificate is in $NEWCERT\n" if $RET == 0;
} elsif ($WHAT eq '-signcert' ) {
$RET = run("$X509 -x509toreq -in $NEWREQ -signkey $NEWREQ"
. " -out tmp.pem $EXTRA{x509}");
$RET = run("$CA -policy policy_anything -out $NEWCERT"
. "-infiles tmp.pem $EXTRA{ca}") if $RET == 0;
$RET = run(@X509, qw(-x509toreq -in), $NEWREQ, "-signkey", $NEWREQ,
qw(-out tmp.pem), @{$EXTRA{x509}});
$RET = run(@CA, @POLICY, "-out", $NEWCERT,
qw(-infiles tmp.pem), @{$EXTRA{ca}}) if $RET == 0;
print "Signed certificate is in $NEWCERT\n" if $RET == 0;
} elsif ($WHAT eq '-verify' ) {
my @files = @ARGV ? @ARGV : ( $NEWCERT );
foreach my $file (@files) {
# -CAfile quoted for VMS, since the C RTL downcases all unquoted
# arguments to C programs
my $status = run("$VERIFY \"-CAfile\" ${CATOP}/$CACERT $file $EXTRA{verify}");
my $status = run(@VERIFY, "-CAfile", "${CATOP}/$CACERT", $file, @{$EXTRA{verify}});
$RET = $status if $status != 0;
}
} elsif ($WHAT eq '-crl' ) {
$RET = run("$CA -gencrl -out ${CATOP}/crl/$CACRL $EXTRA{ca}");
$RET = run(@CA, qw(-gencrl -out), "${CATOP}/crl/$CACRL", @{$EXTRA{ca}});
print "Generated CRL is in ${CATOP}/crl/$CACRL\n" if $RET == 0;
} elsif ($WHAT eq '-revoke' ) {
my $cname = $ARGV[0];
@ -223,10 +369,10 @@ if ($WHAT eq '-newcert' ) {
print "Certificate filename is required; reason optional.\n";
exit 1;
}
my $reason = $ARGV[1];
$reason = " -crl_reason $reason"
if defined $reason && crl_reason_ok($reason);
$RET = run("$CA -revoke \"$cname\"" . $reason . $EXTRA{ca});
my @reason;
@reason = ("-crl_reason", $ARGV[1])
if defined $ARGV[1] && crl_reason_ok($ARGV[1]);
$RET = run(@CA, "-revoke", $cname, @reason, @{$EXTRA{ca}});
} else {
print STDERR "Unknown arg \"$WHAT\"\n";
print STDERR "Use -help for help.\n";

4
deps/openssl/openssl/apps/cmp.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
@ -878,7 +878,7 @@ static int set_name(const char *str,
OSSL_CMP_CTX *ctx, const char *desc)
{
if (str != NULL) {
X509_NAME *n = parse_name(str, MBSTRING_ASC, 1, desc);
X509_NAME *n = parse_name(str, MBSTRING_UTF8, 1, desc);
if (n == NULL)
return 0;

2
deps/openssl/openssl/apps/cms.c vendored
View File

@ -983,7 +983,7 @@ int cms_main(int argc, char **argv)
goto end;
pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
if (kparam != NULL) {
if (pctx != NULL && kparam != NULL) {
if (!cms_set_pkey_param(pctx, kparam->param))
goto end;
}

5
deps/openssl/openssl/apps/lib/apps.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -1688,6 +1688,9 @@ CA_DB *load_index(const char *dbfile, DB_ATTR *db_attr)
}
retdb->dbfname = OPENSSL_strdup(dbfile);
if (retdb->dbfname == NULL)
goto err;
#ifndef OPENSSL_NO_POSIX_IO
retdb->dbst = dbst;
#endif

4
deps/openssl/openssl/apps/lib/http_server.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -222,7 +222,7 @@ BIO *http_server_init_bio(const char *prog, const char *port)
int asock;
char name[40];
snprintf(name, sizeof(name), "[::]:%s", port); /* port may be "0" */
BIO_snprintf(name, sizeof(name), "[::]:%s", port); /* port may be "0" */
bufbio = BIO_new(BIO_f_buffer());
if (bufbio == NULL)
goto err;

6
deps/openssl/openssl/apps/ocsp.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -1049,6 +1049,10 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
}
bs = OCSP_BASICRESP_new();
if (bs == NULL) {
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, bs);
goto end;
}
thisupd = X509_gmtime_adj(NULL, 0);
if (ndays != -1)
nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL);

3
deps/openssl/openssl/apps/pkeyutl.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -371,6 +371,7 @@ int pkeyutl_main(int argc, char **argv)
if (EVP_PKEY_CTX_ctrl_str(ctx, opt, passwd) <= 0) {
BIO_printf(bio_err, "%s: Can't set parameter \"%s\":\n",
prog, opt);
OPENSSL_free(passwd);
goto end;
}
OPENSSL_free(passwd);

6
deps/openssl/openssl/apps/s_time.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -325,8 +325,10 @@ int s_time_main(int argc, char **argv)
*/
next:
if (!(perform & 2))
if (!(perform & 2)) {
ret = 0;
goto end;
}
printf("\n\nNow timing with session id reuse.\n");
/* Get an SSL object so we can reuse the session id */

6
deps/openssl/openssl/apps/storeutl.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -198,9 +198,7 @@ int storeutl_main(int argc, char *argv[])
}
break;
case OPT_CRITERION_FINGERPRINT:
if (criterion != 0
|| (criterion == OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT
&& fingerprint != NULL)) {
if (criterion != 0) {
BIO_printf(bio_err, "%s: criterion already given.\n",
prog);
goto end;

4
deps/openssl/openssl/crypto/asn1/asn_mime.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -96,7 +96,7 @@ int i2d_ASN1_bio_stream(BIO *out, ASN1_VALUE *val, BIO *in, int flags,
* internally
*/
else
ASN1_item_i2d_bio(it, out, val);
rv = ASN1_item_i2d_bio(it, out, val);
return rv;
}

5
deps/openssl/openssl/crypto/asn1/tasn_enc.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -571,6 +571,9 @@ static int asn1_ex_i2c(const ASN1_VALUE **pval, unsigned char *cout, int *putype
return -1;
break;
case V_ASN1_UNDEF:
return -2;
case V_ASN1_NULL:
cont = NULL;
len = 0;

4
deps/openssl/openssl/crypto/bio/bio_dump.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -47,6 +47,8 @@ int BIO_dump_indent_cb(int (*cb) (const void *data, size_t len, void *u),
for (i = 0; i < rows; i++) {
n = BIO_snprintf(buf, sizeof(buf), "%*s%04x - ", indent, "",
i * dump_width);
if (n < 0)
return -1;
for (j = 0; j < dump_width; j++) {
if (SPACE(buf, n, 3)) {
if (((i * dump_width) + j) >= len) {

25
deps/openssl/openssl/crypto/bio/bio_print.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -535,6 +535,10 @@ static LDOUBLE abs_val(LDOUBLE value)
LDOUBLE result = value;
if (value < 0)
result = -value;
if (result > 0 && result / 2 == result) /* INF */
result = 0;
else if (result != result) /* NAN */
result = 0;
return result;
}
@ -590,6 +594,9 @@ fmtfp(char **sbuffer,
signvalue = '+';
else if (flags & DP_F_SPACE)
signvalue = ' ';
ufvalue = abs_val(fvalue);
if (ufvalue == 0 && fvalue != 0) /* INF or NAN? */
signvalue = '?';
/*
* G_FORMAT sometimes prints like E_FORMAT and sometimes like F_FORMAT
@ -597,12 +604,12 @@ fmtfp(char **sbuffer,
* that from here on.
*/
if (style == G_FORMAT) {
if (fvalue == 0.0) {
if (ufvalue == 0.0) {
realstyle = F_FORMAT;
} else if (fvalue < 0.0001) {
} else if (ufvalue < 0.0001) {
realstyle = E_FORMAT;
} else if ((max == 0 && fvalue >= 10)
|| (max > 0 && fvalue >= pow_10(max))) {
} else if ((max == 0 && ufvalue >= 10)
|| (max > 0 && ufvalue >= pow_10(max))) {
realstyle = E_FORMAT;
} else {
realstyle = F_FORMAT;
@ -612,9 +619,9 @@ fmtfp(char **sbuffer,
}
if (style != F_FORMAT) {
tmpvalue = fvalue;
tmpvalue = ufvalue;
/* Calculate the exponent */
if (fvalue != 0.0) {
if (ufvalue != 0.0) {
while (tmpvalue < 1) {
tmpvalue *= 10;
exp--;
@ -651,9 +658,9 @@ fmtfp(char **sbuffer,
}
}
if (realstyle == E_FORMAT)
fvalue = tmpvalue;
ufvalue = tmpvalue;
}
ufvalue = abs_val(fvalue);
/*
* By subtracting 65535 (2^16-1) we cancel the low order 15 bits
* of ULONG_MAX to avoid using imprecise floating point values.

241
deps/openssl/openssl/crypto/bn/README.pod vendored
View File

@ -1,241 +0,0 @@
=pod
=head1 NAME
bn_mul_words, bn_mul_add_words, bn_sqr_words, bn_div_words,
bn_add_words, bn_sub_words, bn_mul_comba4, bn_mul_comba8,
bn_sqr_comba4, bn_sqr_comba8, bn_cmp_words, bn_mul_normal,
bn_mul_low_normal, bn_mul_recursive, bn_mul_part_recursive,
bn_mul_low_recursive, bn_sqr_normal, bn_sqr_recursive,
bn_expand, bn_wexpand, bn_expand2, bn_fix_top, bn_check_top,
bn_print, bn_dump, bn_set_max, bn_set_high, bn_set_low - BIGNUM
library internal functions
=head1 SYNOPSIS
#include <openssl/bn.h>
BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w);
BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num,
BN_ULONG w);
void bn_sqr_words(BN_ULONG *rp, BN_ULONG *ap, int num);
BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
BN_ULONG bn_add_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,
int num);
BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,
int num);
void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a);
void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a);
int bn_cmp_words(BN_ULONG *a, BN_ULONG *b, int n);
void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b,
int nb);
void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n);
void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
int dna, int dnb, BN_ULONG *tmp);
void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b,
int n, int tna, int tnb, BN_ULONG *tmp);
void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b,
int n2, BN_ULONG *tmp);
void bn_sqr_normal(BN_ULONG *r, BN_ULONG *a, int n, BN_ULONG *tmp);
void bn_sqr_recursive(BN_ULONG *r, BN_ULONG *a, int n2, BN_ULONG *tmp);
void mul(BN_ULONG r, BN_ULONG a, BN_ULONG w, BN_ULONG c);
void mul_add(BN_ULONG r, BN_ULONG a, BN_ULONG w, BN_ULONG c);
void sqr(BN_ULONG r0, BN_ULONG r1, BN_ULONG a);
BIGNUM *bn_expand(BIGNUM *a, int bits);
BIGNUM *bn_wexpand(BIGNUM *a, int n);
BIGNUM *bn_expand2(BIGNUM *a, int n);
void bn_fix_top(BIGNUM *a);
void bn_check_top(BIGNUM *a);
void bn_print(BIGNUM *a);
void bn_dump(BN_ULONG *d, int n);
void bn_set_max(BIGNUM *a);
void bn_set_high(BIGNUM *r, BIGNUM *a, int n);
void bn_set_low(BIGNUM *r, BIGNUM *a, int n);
=head1 DESCRIPTION
This page documents the internal functions used by the OpenSSL
B<BIGNUM> implementation. They are described here to facilitate
debugging and extending the library. They are I<not> to be used by
applications.
=head2 The BIGNUM structure
typedef struct bignum_st BIGNUM;
struct bignum_st
{
BN_ULONG *d; /* Pointer to an array of 'BN_BITS2' bit chunks. */
int top; /* Index of last used d +1. */
/* The next are internal book keeping for bn_expand. */
int dmax; /* Size of the d array. */
int neg; /* one if the number is negative */
int flags;
};
The integer value is stored in B<d>, a malloc()ed array of words (B<BN_ULONG>),
least significant word first. A B<BN_ULONG> can be either 16, 32 or 64 bits
in size, depending on the 'number of bits' (B<BITS2>) specified in
C<openssl/bn.h>.
B<dmax> is the size of the B<d> array that has been allocated. B<top>
is the number of words being used, so for a value of 4, bn.d[0]=4 and
bn.top=1. B<neg> is 1 if the number is negative. When a B<BIGNUM> is
B<0>, the B<d> field can be B<NULL> and B<top> == B<0>.
B<flags> is a bit field of flags which are defined in C<openssl/bn.h>. The
flags begin with B<BN_FLG_>. The macros BN_set_flags(b, n) and
BN_get_flags(b, n) exist to enable or fetch flag(s) B<n> from B<BIGNUM>
structure B<b>.
Various routines in this library require the use of temporary
B<BIGNUM> variables during their execution. Since dynamic memory
allocation to create B<BIGNUM>s is rather expensive when used in
conjunction with repeated subroutine calls, the B<BN_CTX> structure is
used. This structure contains B<BN_CTX_NUM> B<BIGNUM>s, see
L<BN_CTX_start(3)>.
=head2 Low-level arithmetic operations
These functions are implemented in C and for several platforms in
assembly language:
bn_mul_words(B<rp>, B<ap>, B<num>, B<w>) operates on the B<num> word
arrays B<rp> and B<ap>. It computes B<ap> * B<w>, places the result
in B<rp>, and returns the high word (carry).
bn_mul_add_words(B<rp>, B<ap>, B<num>, B<w>) operates on the B<num>
word arrays B<rp> and B<ap>. It computes B<ap> * B<w> + B<rp>, places
the result in B<rp>, and returns the high word (carry).
bn_sqr_words(B<rp>, B<ap>, B<n>) operates on the B<num> word array
B<ap> and the 2*B<num> word array B<ap>. It computes B<ap> * B<ap>
word-wise, and places the low and high bytes of the result in B<rp>.
bn_div_words(B<h>, B<l>, B<d>) divides the two word number (B<h>, B<l>)
by B<d> and returns the result.
bn_add_words(B<rp>, B<ap>, B<bp>, B<num>) operates on the B<num> word
arrays B<ap>, B<bp> and B<rp>. It computes B<ap> + B<bp>, places the
result in B<rp>, and returns the high word (carry).
bn_sub_words(B<rp>, B<ap>, B<bp>, B<num>) operates on the B<num> word
arrays B<ap>, B<bp> and B<rp>. It computes B<ap> - B<bp>, places the
result in B<rp>, and returns the carry (1 if B<bp> E<gt> B<ap>, 0
otherwise).
bn_mul_comba4(B<r>, B<a>, B<b>) operates on the 4 word arrays B<a> and
B<b> and the 8 word array B<r>. It computes B<a>*B<b> and places the
result in B<r>.
bn_mul_comba8(B<r>, B<a>, B<b>) operates on the 8 word arrays B<a> and
B<b> and the 16 word array B<r>. It computes B<a>*B<b> and places the
result in B<r>.
bn_sqr_comba4(B<r>, B<a>, B<b>) operates on the 4 word arrays B<a> and
B<b> and the 8 word array B<r>.
bn_sqr_comba8(B<r>, B<a>, B<b>) operates on the 8 word arrays B<a> and
B<b> and the 16 word array B<r>.
The following functions are implemented in C:
bn_cmp_words(B<a>, B<b>, B<n>) operates on the B<n> word arrays B<a>
and B<b>. It returns 1, 0 and -1 if B<a> is greater than, equal and
less than B<b>.
bn_mul_normal(B<r>, B<a>, B<na>, B<b>, B<nb>) operates on the B<na>
word array B<a>, the B<nb> word array B<b> and the B<na>+B<nb> word
array B<r>. It computes B<a>*B<b> and places the result in B<r>.
bn_mul_low_normal(B<r>, B<a>, B<b>, B<n>) operates on the B<n> word
arrays B<r>, B<a> and B<b>. It computes the B<n> low words of
B<a>*B<b> and places the result in B<r>.
bn_mul_recursive(B<r>, B<a>, B<b>, B<n2>, B<dna>, B<dnb>, B<t>) operates
on the word arrays B<a> and B<b> of length B<n2>+B<dna> and B<n2>+B<dnb>
(B<dna> and B<dnb> are currently allowed to be 0 or negative) and the 2*B<n2>
word arrays B<r> and B<t>. B<n2> must be a power of 2. It computes
B<a>*B<b> and places the result in B<r>.
bn_mul_part_recursive(B<r>, B<a>, B<b>, B<n>, B<tna>, B<tnb>, B<tmp>)
operates on the word arrays B<a> and B<b> of length B<n>+B<tna> and
B<n>+B<tnb> and the 4*B<n> word arrays B<r> and B<tmp>.
bn_mul_low_recursive(B<r>, B<a>, B<b>, B<n2>, B<tmp>) operates on the
B<n2> word arrays B<r> and B<tmp> and the B<n2>/2 word arrays B<a>
and B<b>.
BN_mul() calls bn_mul_normal(), or an optimized implementation if the
factors have the same size: bn_mul_comba8() is used if they are 8
words long, bn_mul_recursive() if they are larger than
B<BN_MULL_SIZE_NORMAL> and the size is an exact multiple of the word
size, and bn_mul_part_recursive() for others that are larger than
B<BN_MULL_SIZE_NORMAL>.
bn_sqr_normal(B<r>, B<a>, B<n>, B<tmp>) operates on the B<n> word array
B<a> and the 2*B<n> word arrays B<tmp> and B<r>.
The implementations use the following macros which, depending on the
architecture, may use "long long" C operations or inline assembler.
They are defined in C<bn_local.h>.
mul(B<r>, B<a>, B<w>, B<c>) computes B<w>*B<a>+B<c> and places the
low word of the result in B<r> and the high word in B<c>.
mul_add(B<r>, B<a>, B<w>, B<c>) computes B<w>*B<a>+B<r>+B<c> and
places the low word of the result in B<r> and the high word in B<c>.
sqr(B<r0>, B<r1>, B<a>) computes B<a>*B<a> and places the low word
of the result in B<r0> and the high word in B<r1>.
=head2 Size changes
bn_expand() ensures that B<b> has enough space for a B<bits> bit
number. bn_wexpand() ensures that B<b> has enough space for an
B<n> word number. If the number has to be expanded, both macros
call bn_expand2(), which allocates a new B<d> array and copies the
data. They return B<NULL> on error, B<b> otherwise.
The bn_fix_top() macro reduces B<a-E<gt>top> to point to the most
significant non-zero word plus one when B<a> has shrunk.
=head2 Debugging
bn_check_top() verifies that C<((a)-E<gt>top E<gt>= 0 && (a)-E<gt>top
E<lt>= (a)-E<gt>dmax)>. A violation will cause the program to abort.
bn_print() prints B<a> to stderr. bn_dump() prints B<n> words at B<d>
(in reverse order, i.e. most significant word first) to stderr.
bn_set_max() makes B<a> a static number with a B<dmax> of its current size.
This is used by bn_set_low() and bn_set_high() to make B<r> a read-only
B<BIGNUM> that contains the B<n> low or high words of B<a>.
If B<BN_DEBUG> is not defined, bn_check_top(), bn_print(), bn_dump()
and bn_set_max() are defined as empty macros.
=head1 SEE ALSO
L<bn(3)>
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut

6
deps/openssl/openssl/crypto/cmp/cmp_client.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
@ -611,8 +611,10 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
ERR_add_error_data(1, "; cannot extract certificate from response");
return 0;
}
if (!ossl_cmp_ctx_set0_newCert(ctx, cert))
if (!ossl_cmp_ctx_set0_newCert(ctx, cert)) {
X509_free(cert);
return 0;
}
/*
* if the CMP server returned certificates in the caPubs field, copy them

12
deps/openssl/openssl/crypto/cms/cms_pwri.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2009-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -157,7 +157,8 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms,
/* Setup PBE algorithm */
pwri->keyDerivationAlgorithm = PKCS5_pbkdf2_set(iter, NULL, 0, -1, -1);
pwri->keyDerivationAlgorithm = PKCS5_pbkdf2_set_ex(iter, NULL, 0, -1, -1,
cms_ctx->libctx);
if (pwri->keyDerivationAlgorithm == NULL)
goto err;
@ -351,9 +352,10 @@ int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms,
/* Finish password based key derivation to setup key in "ctx" */
if (EVP_PBE_CipherInit(algtmp->algorithm,
(char *)pwri->pass, pwri->passlen,
algtmp->parameter, kekctx, en_de) < 0) {
if (EVP_PBE_CipherInit_ex(algtmp->algorithm,
(char *)pwri->pass, pwri->passlen,
algtmp->parameter, kekctx, en_de,
cms_ctx->libctx, cms_ctx->propq) < 0) {
ERR_raise(ERR_LIB_CMS, ERR_R_EVP_LIB);
goto err;
}

4
deps/openssl/openssl/crypto/dh/dh_pmeth.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -424,7 +424,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
ret = DH_compute_key_padded(key, dhpubbn, dh);
else
ret = DH_compute_key(key, dhpubbn, dh);
if (ret < 0)
if (ret <= 0)
return ret;
*keylen = ret;
return 1;

5
deps/openssl/openssl/crypto/encode_decode/encoder_pkey.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -207,6 +207,7 @@ encoder_construct_pkey(OSSL_ENCODER_INSTANCE *encoder_inst, void *arg)
static void encoder_destruct_pkey(void *arg)
{
struct construct_data_st *data = arg;
int match = (data->obj == data->constructed_obj);
if (data->encoder_inst != NULL) {
OSSL_ENCODER *encoder =
@ -215,6 +216,8 @@ static void encoder_destruct_pkey(void *arg)
encoder->free_object(data->constructed_obj);
}
data->constructed_obj = NULL;
if (match)
data->obj = NULL;
}
/*

3
deps/openssl/openssl/crypto/evp/bio_enc.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -159,6 +159,7 @@ static int enc_read(BIO *b, char *out, int outl)
/* Should be continue next time we are called? */
if (!BIO_should_retry(next)) {
ctx->cont = i;
ctx->finished = 1;
i = EVP_CipherFinal_ex(ctx->cipher,
ctx->buf, &(ctx->buf_len));
ctx->ok = i;

6
deps/openssl/openssl/crypto/evp/ctrl_params_translate.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -2827,11 +2827,15 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx,
int evp_pkey_ctx_set_params_to_ctrl(EVP_PKEY_CTX *ctx, const OSSL_PARAM *params)
{
if (ctx->keymgmt != NULL)
return 0;
return evp_pkey_ctx_setget_params_to_ctrl(ctx, SET, (OSSL_PARAM *)params);
}
int evp_pkey_ctx_get_params_to_ctrl(EVP_PKEY_CTX *ctx, OSSL_PARAM *params)
{
if (ctx->keymgmt != NULL)
return 0;
return evp_pkey_ctx_setget_params_to_ctrl(ctx, GET, params);
}

5
deps/openssl/openssl/crypto/evp/evp_pbe.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -40,7 +40,8 @@ static const EVP_PBE_CTL builtin_pbe[] = {
{EVP_PBE_TYPE_OUTER, NID_pbeWithSHA1AndRC2_CBC,
NID_rc2_64_cbc, NID_sha1, PKCS5_PBE_keyivgen, PKCS5_PBE_keyivgen_ex},
{EVP_PBE_TYPE_OUTER, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen},
{EVP_PBE_TYPE_OUTER, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen,
PKCS5_v2_PBKDF2_keyivgen_ex},
{EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And128BitRC4,
NID_rc4, NID_sha1, PKCS12_PBE_keyivgen, &PKCS12_PBE_keyivgen_ex},

8
deps/openssl/openssl/crypto/evp/evp_rand.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -634,10 +634,8 @@ static int evp_rand_nonce_locked(EVP_RAND_CTX *ctx, unsigned char *out,
{
unsigned int str = evp_rand_strength_locked(ctx);
if (ctx->meth->nonce == NULL)
return 0;
if (ctx->meth->nonce(ctx->algctx, out, str, outlen, outlen))
return 1;
if (ctx->meth->nonce != NULL)
return ctx->meth->nonce(ctx->algctx, out, str, outlen, outlen) > 0;
return evp_rand_generate_locked(ctx, out, outlen, str, 0, NULL, 0);
}

10
deps/openssl/openssl/crypto/evp/exchange.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -430,7 +430,13 @@ int EVP_PKEY_derive_set_peer_ex(EVP_PKEY_CTX *ctx, EVP_PKEY *peer,
*/
if (provkey == NULL)
goto legacy;
return ctx->op.kex.exchange->set_peer(ctx->op.kex.algctx, provkey);
ret = ctx->op.kex.exchange->set_peer(ctx->op.kex.algctx, provkey);
if (ret <= 0)
return ret;
EVP_PKEY_free(ctx->peerkey);
ctx->peerkey = peer;
EVP_PKEY_up_ref(peer);
return 1;
legacy:
#ifdef FIPS_MODULE

4
deps/openssl/openssl/crypto/evp/legacy_sha.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -215,7 +215,7 @@ const EVP_MD *EVP_shake##bitlen(void) \
NID_shake##bitlen, \
0, \
bitlen / 8, \
EVP_MD_FLAG_XOF, \
EVP_MD_FLAG_XOF | EVP_MD_FLAG_DIGALGID_ABSENT, \
EVP_ORIG_GLOBAL, \
LEGACY_EVP_MD_METH_TABLE(shake_init, sha3_int_update, sha3_int_final, \
shake_ctrl, (KECCAK1600_WIDTH - bitlen * 2) / 8), \

17
deps/openssl/openssl/crypto/evp/pmeth_lib.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -501,6 +501,12 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(const EVP_PKEY_CTX *pctx)
}
rctx->legacy_keytype = pctx->legacy_keytype;
if (pctx->keymgmt != NULL) {
if (!EVP_KEYMGMT_up_ref(pctx->keymgmt))
goto err;
rctx->keymgmt = pctx->keymgmt;
}
if (EVP_PKEY_CTX_IS_DERIVE_OP(pctx)) {
if (pctx->op.kex.exchange != NULL) {
rctx->op.kex.exchange = pctx->op.kex.exchange;
@ -604,6 +610,9 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(const EVP_PKEY_CTX *pctx)
EVP_KEYMGMT *tmp_keymgmt = pctx->keymgmt;
void *provkey;
if (pctx->pkey == NULL)
return rctx;
provkey = evp_pkey_export_to_provider(pctx->pkey, pctx->libctx,
&tmp_keymgmt, pctx->propquery);
if (provkey == NULL)
@ -721,8 +730,9 @@ int EVP_PKEY_CTX_set_params(EVP_PKEY_CTX *ctx, const OSSL_PARAM *params)
ctx->op.encap.kem->set_ctx_params(ctx->op.encap.algctx,
params);
break;
#ifndef FIPS_MODULE
case EVP_PKEY_STATE_UNKNOWN:
break;
#ifndef FIPS_MODULE
case EVP_PKEY_STATE_LEGACY:
return evp_pkey_ctx_set_params_to_ctrl(ctx, params);
#endif
@ -759,8 +769,9 @@ int EVP_PKEY_CTX_get_params(EVP_PKEY_CTX *ctx, OSSL_PARAM *params)
ctx->op.encap.kem->get_ctx_params(ctx->op.encap.algctx,
params);
break;
#ifndef FIPS_MODULE
case EVP_PKEY_STATE_UNKNOWN:
break;
#ifndef FIPS_MODULE
case EVP_PKEY_STATE_LEGACY:
return evp_pkey_ctx_get_params_to_ctrl(ctx, params);
#endif

16
deps/openssl/openssl/crypto/http/http_client.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2025 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Siemens AG 2018-2020
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@ -1138,13 +1138,12 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
const char *expected_ct, int expect_asn1,
size_t max_resp_len, int timeout)
{
char *current_url, *redirection_url = NULL;
char *current_url;
int n_redirs = 0;
char *host;
char *port;
char *path;
int use_ssl;
OSSL_HTTP_REQ_CTX *rctx = NULL;
BIO *resp = NULL;
time_t max_time = timeout > 0 ? time(NULL) + timeout : 0;
@ -1156,6 +1155,9 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
return NULL;
for (;;) {
char *redirection_url;
OSSL_HTTP_REQ_CTX *rctx;
if (!OSSL_HTTP_parse_url(current_url, &use_ssl, NULL /* user */, &host,
&port, NULL /* port_num */, &path, NULL, NULL))
break;
@ -1164,6 +1166,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
use_ssl, bio, rbio, bio_update_fn, arg,
buf_size, timeout);
new_rpath:
redirection_url = NULL;
if (rctx != NULL) {
if (!OSSL_HTTP_set1_request(rctx, path, headers,
NULL /* content_type */,
@ -1173,9 +1176,9 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
0 /* no keep_alive */)) {
OSSL_HTTP_REQ_CTX_free(rctx);
rctx = NULL;
} else {
} else {
resp = OSSL_HTTP_exchange(rctx, &redirection_url);
}
}
}
OPENSSL_free(path);
if (resp == NULL && redirection_url != NULL) {
@ -1190,7 +1193,6 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
OPENSSL_free(host);
OPENSSL_free(port);
(void)OSSL_HTTP_close(rctx, 1);
rctx = NULL;
BIO_free(resp);
OPENSSL_free(current_url);
return NULL;
@ -1200,7 +1202,6 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
OPENSSL_free(host);
OPENSSL_free(port);
(void)OSSL_HTTP_close(rctx, 1);
rctx = NULL;
continue;
}
/* if redirection not allowed, ignore it */
@ -1210,7 +1211,6 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
OPENSSL_free(port);
if (!OSSL_HTTP_close(rctx, resp != NULL)) {
BIO_free(resp);
rctx = NULL;
resp = NULL;
}
break;

10
deps/openssl/openssl/crypto/params_dup.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -189,18 +189,18 @@ OSSL_PARAM *OSSL_PARAM_merge(const OSSL_PARAM *p1, const OSSL_PARAM *p2)
while (1) {
/* If list1 is finished just tack list2 onto the end */
if (*p1cur == NULL) {
do {
while (*p2cur != NULL) {
*dst++ = **p2cur;
p2cur++;
} while (*p2cur != NULL);
}
break;
}
/* If list2 is finished just tack list1 onto the end */
if (*p2cur == NULL) {
do {
while (*p1cur != NULL) {
*dst++ = **p1cur;
p1cur++;
} while (*p1cur != NULL);
}
break;
}
/* consume the list element with the smaller key */

10
deps/openssl/openssl/crypto/perlasm/sparcv9_modes.pl vendored
View File

@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2012-2025 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@ -46,8 +46,8 @@ $::code.=<<___;
.align 32
${alg}${bits}_t4_cbc_encrypt:
save %sp, -$::frame, %sp
cmp $len, 0
be,pn $::size_t_cc, .L${bits}_cbc_enc_abort
cmp $len, 15
bleu,pn $::size_t_cc, .L${bits}_cbc_enc_abort
srln $len, 0, $len ! needed on v8+, "nop" on v9
sub $inp, $out, $blk_init ! $inp!=$out
___
@ -264,8 +264,8 @@ $::code.=<<___;
.align 32
${alg}${bits}_t4_cbc_decrypt:
save %sp, -$::frame, %sp
cmp $len, 0
be,pn $::size_t_cc, .L${bits}_cbc_dec_abort
cmp $len, 15
bleu,pn $::size_t_cc, .L${bits}_cbc_dec_abort
srln $len, 0, $len ! needed on v8+, "nop" on v9
sub $inp, $out, $blk_init ! $inp!=$out
___

4
deps/openssl/openssl/crypto/perlasm/x86asm.pl vendored
View File

@ -174,9 +174,9 @@ sub ::vprotd
sub ::endbranch
{
&::generic("%ifdef __CET__\n");
&::generic("#ifdef __CET__\n");
&::data_byte(0xf3,0x0f,0x1e,0xfb);
&::generic("%endif\n");
&::generic("#endif\n");
}
# label management

6
deps/openssl/openssl/crypto/pkcs7/pk7_smime.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -347,10 +347,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
if (flags & PKCS7_TEXT) {
if (!SMIME_text(tmpout, out)) {
ERR_raise(ERR_LIB_PKCS7, PKCS7_R_SMIME_TEXT_ERROR);
BIO_free(tmpout);
goto err;
}
BIO_free(tmpout);
}
/* Now Verify All Signatures */
@ -368,6 +366,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
ret = 1;
err:
if (flags & PKCS7_TEXT)
BIO_free(tmpout);
X509_STORE_CTX_free(cert_ctx);
OPENSSL_free(buf);
if (tmpin == indata) {

4
deps/openssl/openssl/crypto/property/property.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@ -329,7 +329,7 @@ int ossl_method_store_add(OSSL_METHOD_STORE *store, const OSSL_PROVIDER *prov,
/* Insert into the hash table if required */
if (!ossl_property_write_lock(store)) {
OPENSSL_free(impl);
impl_free(impl);
return 0;
}
ossl_method_cache_flush(store, nid);

4
deps/openssl/openssl/crypto/provider_conf.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -331,7 +331,7 @@ static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
ok = provider_conf_params(NULL, &entry, NULL, value, cnf);
if (ok >= 1 && (entry.path != NULL || entry.parameters != NULL)) {
ok = ossl_provider_info_add_to_store(libctx, &entry);
added = 1;
added = ok;
}
if (added == 0)
ossl_provider_info_clear(&entry);

4
deps/openssl/openssl/crypto/threads_pthread.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -250,7 +250,7 @@ int CRYPTO_atomic_or(uint64_t *val, uint64_t op, uint64_t *ret,
int CRYPTO_atomic_load(uint64_t *val, uint64_t *ret, CRYPTO_RWLOCK *lock)
{
# if defined(__GNUC__) && defined(__ATOMIC_ACQUIRE) && !defined(BROKEN_CLANG_ATOMICS)
# if defined(__GNUC__) && defined(__ATOMIC_ACQ_REL) && !defined(BROKEN_CLANG_ATOMICS)
if (__atomic_is_lock_free(sizeof(*val), val)) {
__atomic_load(val, ret, __ATOMIC_ACQUIRE);
return 1;

18
deps/openssl/openssl/crypto/ts/ts_rsp_sign.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -645,8 +645,12 @@ static int ossl_ess_add1_signing_cert(PKCS7_SIGNER_INFO *si,
}
OPENSSL_free(pp);
return PKCS7_add_signed_attribute(si, NID_id_smime_aa_signingCertificate,
V_ASN1_SEQUENCE, seq);
if (!PKCS7_add_signed_attribute(si, NID_id_smime_aa_signingCertificate,
V_ASN1_SEQUENCE, seq)) {
ASN1_STRING_free(seq);
return 0;
}
return 1;
}
static int ossl_ess_add1_signing_cert_v2(PKCS7_SIGNER_INFO *si,
@ -668,8 +672,12 @@ static int ossl_ess_add1_signing_cert_v2(PKCS7_SIGNER_INFO *si,
}
OPENSSL_free(pp);
return PKCS7_add_signed_attribute(si, NID_id_smime_aa_signingCertificateV2,
V_ASN1_SEQUENCE, seq);
if (!PKCS7_add_signed_attribute(si, NID_id_smime_aa_signingCertificateV2,
V_ASN1_SEQUENCE, seq)) {
ASN1_STRING_free(seq);
return 0;
}
return 1;
}
static int ts_RESP_sign(TS_RESP_CTX *ctx)

52
deps/openssl/openssl/crypto/ui/ui_lib.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -207,6 +207,7 @@ int UI_dup_input_string(UI *ui, const char *prompt, int flags,
char *result_buf, int minsize, int maxsize)
{
char *prompt_copy = NULL;
int ret;
if (prompt != NULL) {
prompt_copy = OPENSSL_strdup(prompt);
@ -216,9 +217,13 @@ int UI_dup_input_string(UI *ui, const char *prompt, int flags,
}
}
return general_allocate_string(ui, prompt_copy, 1,
UIT_PROMPT, flags, result_buf, minsize,
maxsize, NULL);
ret = general_allocate_string(ui, prompt_copy, 1,
UIT_PROMPT, flags, result_buf, minsize,
maxsize, NULL);
if (ret <= 0)
OPENSSL_free(prompt_copy);
return ret;
}
int UI_add_verify_string(UI *ui, const char *prompt, int flags,
@ -235,6 +240,7 @@ int UI_dup_verify_string(UI *ui, const char *prompt, int flags,
const char *test_buf)
{
char *prompt_copy = NULL;
int ret;
if (prompt != NULL) {
prompt_copy = OPENSSL_strdup(prompt);
@ -244,9 +250,12 @@ int UI_dup_verify_string(UI *ui, const char *prompt, int flags,
}
}
return general_allocate_string(ui, prompt_copy, 1,
UIT_VERIFY, flags, result_buf, minsize,
maxsize, test_buf);
ret = general_allocate_string(ui, prompt_copy, 1,
UIT_VERIFY, flags, result_buf, minsize,
maxsize, test_buf);
if (ret <= 0)
OPENSSL_free(prompt_copy);
return ret;
}
int UI_add_input_boolean(UI *ui, const char *prompt, const char *action_desc,
@ -266,6 +275,7 @@ int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc,
char *action_desc_copy = NULL;
char *ok_chars_copy = NULL;
char *cancel_chars_copy = NULL;
int ret;
if (prompt != NULL) {
prompt_copy = OPENSSL_strdup(prompt);
@ -299,9 +309,14 @@ int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc,
}
}
return general_allocate_boolean(ui, prompt_copy, action_desc_copy,
ok_chars_copy, cancel_chars_copy, 1,
UIT_BOOLEAN, flags, result_buf);
ret = general_allocate_boolean(ui, prompt_copy, action_desc_copy,
ok_chars_copy, cancel_chars_copy, 1,
UIT_BOOLEAN, flags, result_buf);
if (ret <= 0)
goto err;
return ret;
err:
OPENSSL_free(prompt_copy);
OPENSSL_free(action_desc_copy);
@ -319,6 +334,7 @@ int UI_add_info_string(UI *ui, const char *text)
int UI_dup_info_string(UI *ui, const char *text)
{
char *text_copy = NULL;
int ret;
if (text != NULL) {
text_copy = OPENSSL_strdup(text);
@ -328,8 +344,11 @@ int UI_dup_info_string(UI *ui, const char *text)
}
}
return general_allocate_string(ui, text_copy, 1, UIT_INFO, 0, NULL,
0, 0, NULL);
ret = general_allocate_string(ui, text_copy, 1, UIT_INFO, 0, NULL,
0, 0, NULL);
if (ret <= 0)
OPENSSL_free(text_copy);
return ret;
}
int UI_add_error_string(UI *ui, const char *text)
@ -341,6 +360,7 @@ int UI_add_error_string(UI *ui, const char *text)
int UI_dup_error_string(UI *ui, const char *text)
{
char *text_copy = NULL;
int ret;
if (text != NULL) {
text_copy = OPENSSL_strdup(text);
@ -349,8 +369,12 @@ int UI_dup_error_string(UI *ui, const char *text)
return -1;
}
}
return general_allocate_string(ui, text_copy, 1, UIT_ERROR, 0, NULL,
0, 0, NULL);
ret = general_allocate_string(ui, text_copy, 1, UIT_ERROR, 0, NULL,
0, 0, NULL);
if (ret <= 0)
OPENSSL_free(text_copy);
return ret;
}
char *UI_construct_prompt(UI *ui, const char *phrase_desc,

131
deps/openssl/openssl/crypto/x509/by_store.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -7,23 +7,34 @@
* https://www.openssl.org/source/license.html
*/
#include <openssl/safestack.h>
#include <openssl/store.h>
#include "internal/cryptlib.h"
#include "crypto/x509.h"
#include "x509_local.h"
typedef struct cached_store_st {
char *uri;
OSSL_LIB_CTX *libctx;
char *propq;
OSSL_STORE_CTX *ctx;
} CACHED_STORE;
DEFINE_STACK_OF(CACHED_STORE)
/* Generic object loader, given expected type and criterion */
static int cache_objects(X509_LOOKUP *lctx, const char *uri,
const OSSL_STORE_SEARCH *criterion,
int depth, OSSL_LIB_CTX *libctx, const char *propq)
static int cache_objects(X509_LOOKUP *lctx, CACHED_STORE *store,
const OSSL_STORE_SEARCH *criterion, int depth)
{
int ok = 0;
OSSL_STORE_CTX *ctx = NULL;
OSSL_STORE_CTX *ctx = store->ctx;
X509_STORE *xstore = X509_LOOKUP_get_store(lctx);
if ((ctx = OSSL_STORE_open_ex(uri, libctx, propq, NULL, NULL, NULL,
NULL, NULL)) == NULL)
if (ctx == NULL
&& (ctx = OSSL_STORE_open_ex(store->uri, store->libctx, store->propq,
NULL, NULL, NULL, NULL, NULL)) == NULL)
return 0;
store->ctx = ctx;
/*
* We try to set the criterion, but don't care if it was valid or not.
@ -62,9 +73,15 @@ static int cache_objects(X509_LOOKUP *lctx, const char *uri,
* This is an entry in the "directory" represented by the current
* uri. if |depth| allows, dive into it.
*/
if (depth > 0)
ok = cache_objects(lctx, OSSL_STORE_INFO_get0_NAME(info),
criterion, depth - 1, libctx, propq);
if (depth > 0) {
CACHED_STORE substore;
substore.uri = (char *)OSSL_STORE_INFO_get0_NAME(info);
substore.libctx = store->libctx;
substore.propq = store->propq;
substore.ctx = NULL;
ok = cache_objects(lctx, &substore, criterion, depth - 1);
}
} else {
/*
* We know that X509_STORE_add_{cert|crl} increments the object's
@ -88,27 +105,38 @@ static int cache_objects(X509_LOOKUP *lctx, const char *uri,
break;
}
OSSL_STORE_close(ctx);
store->ctx = NULL;
return ok;
}
/* Because OPENSSL_free is a macro and for C type match */
static void free_uri(OPENSSL_STRING data)
static void free_store(CACHED_STORE *store)
{
OPENSSL_free(data);
if (store != NULL) {
OSSL_STORE_close(store->ctx);
OPENSSL_free(store->uri);
OPENSSL_free(store->propq);
OPENSSL_free(store);
}
}
static void by_store_free(X509_LOOKUP *ctx)
{
STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
sk_OPENSSL_STRING_pop_free(uris, free_uri);
STACK_OF(CACHED_STORE) *stores = X509_LOOKUP_get_method_data(ctx);
sk_CACHED_STORE_pop_free(stores, free_store);
}
static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
long argl, char **retp, OSSL_LIB_CTX *libctx,
const char *propq)
{
/*
* In some cases below, failing to use the defaults shouldn't result in
* an error. |use_default| is used as the return code in those cases.
*/
int use_default = argp == NULL;
switch (cmd) {
case X509_L_ADD_STORE:
/* If no URI is given, use the default cert dir as default URI */
@ -118,21 +146,50 @@ static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
argp = X509_get_default_cert_dir();
{
STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
char *data = OPENSSL_strdup(argp);
STACK_OF(CACHED_STORE) *stores = X509_LOOKUP_get_method_data(ctx);
CACHED_STORE *store = OPENSSL_zalloc(sizeof(*store));
if (data == NULL) {
if (store == NULL) {
return 0;
}
if (uris == NULL) {
uris = sk_OPENSSL_STRING_new_null();
X509_LOOKUP_set_method_data(ctx, uris);
store->uri = OPENSSL_strdup(argp);
store->libctx = libctx;
if (propq != NULL)
store->propq = OPENSSL_strdup(propq);
store->ctx = OSSL_STORE_open_ex(argp, libctx, propq, NULL, NULL,
NULL, NULL, NULL);
if (store->ctx == NULL
|| (propq != NULL && store->propq == NULL)
|| store->uri == NULL) {
free_store(store);
return use_default;
}
return sk_OPENSSL_STRING_push(uris, data) > 0;
if (stores == NULL) {
stores = sk_CACHED_STORE_new_null();
if (stores != NULL)
X509_LOOKUP_set_method_data(ctx, stores);
}
if (stores == NULL || sk_CACHED_STORE_push(stores, store) <= 0) {
free_store(store);
return 0;
}
return 1;
}
case X509_L_LOAD_STORE:
case X509_L_LOAD_STORE: {
/* This is a shortcut for quick loading of specific containers */
return cache_objects(ctx, argp, NULL, 0, libctx, propq);
CACHED_STORE store;
store.uri = (char *)argp;
store.libctx = libctx;
store.propq = (char *)propq;
store.ctx = NULL;
return cache_objects(ctx, &store, NULL, 0);
}
default:
/* Unsupported command */
return 0;
}
return 0;
@ -145,16 +202,15 @@ static int by_store_ctrl(X509_LOOKUP *ctx, int cmd,
}
static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
const OSSL_STORE_SEARCH *criterion, X509_OBJECT *ret,
OSSL_LIB_CTX *libctx, const char *propq)
const OSSL_STORE_SEARCH *criterion, X509_OBJECT *ret)
{
STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
STACK_OF(CACHED_STORE) *stores = X509_LOOKUP_get_method_data(ctx);
int i;
int ok = 0;
for (i = 0; i < sk_OPENSSL_STRING_num(uris); i++) {
ok = cache_objects(ctx, sk_OPENSSL_STRING_value(uris, i), criterion,
1 /* depth */, libctx, propq);
for (i = 0; i < sk_CACHED_STORE_num(stores); i++) {
ok = cache_objects(ctx, sk_CACHED_STORE_value(stores, i), criterion,
1 /* depth */);
if (ok)
break;
@ -162,13 +218,12 @@ static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
return ok;
}
static int by_store_subject_ex(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
const X509_NAME *name, X509_OBJECT *ret,
OSSL_LIB_CTX *libctx, const char *propq)
static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
const X509_NAME *name, X509_OBJECT *ret)
{
OSSL_STORE_SEARCH *criterion =
OSSL_STORE_SEARCH_by_name((X509_NAME *)name); /* won't modify it */
int ok = by_store(ctx, type, criterion, ret, libctx, propq);
int ok = by_store(ctx, type, criterion, ret);
STACK_OF(X509_OBJECT) *store_objects =
X509_STORE_get0_objects(X509_LOOKUP_get_store(ctx));
X509_OBJECT *tmp = NULL;
@ -216,12 +271,6 @@ static int by_store_subject_ex(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
return ok;
}
static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
const X509_NAME *name, X509_OBJECT *ret)
{
return by_store_subject_ex(ctx, type, name, ret, NULL, NULL);
}
/*
* We lack the implementations for get_by_issuer_serial, get_by_fingerprint
* and get_by_alias. There's simply not enough support in the X509_LOOKUP
@ -239,7 +288,7 @@ static X509_LOOKUP_METHOD x509_store_lookup = {
NULL, /* get_by_issuer_serial */
NULL, /* get_by_fingerprint */
NULL, /* get_by_alias */
by_store_subject_ex,
NULL, /* get_by_subject_ex */
by_store_ctrl_ex
};

8
deps/openssl/openssl/crypto/x509/v3_lib.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -99,7 +99,11 @@ int X509V3_EXT_add_alias(int nid_to, int nid_from)
*tmpext = *ext;
tmpext->ext_nid = nid_to;
tmpext->ext_flags |= X509V3_EXT_DYNAMIC;
return X509V3_EXT_add(tmpext);
if (!X509V3_EXT_add(tmpext)) {
OPENSSL_free(tmpext);
return 0;
}
return 1;
}
void X509V3_EXT_cleanup(void)

13
deps/openssl/openssl/e_os.h vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -126,17 +126,6 @@
# define EACCES 13
# endif
# include <string.h>
# ifdef _WIN64
# define strlen(s) _strlen31(s)
/* cut strings to 2GB */
static __inline unsigned int _strlen31(const char *str)
{
unsigned int len = 0;
while (*str && len < 0x80000000U)
str++, len++;
return len & 0x7FFFFFFF;
}
# endif
# include <malloc.h>
# if defined(_MSC_VER) && !defined(_WIN32_WCE) && !defined(_DLL) && defined(stdin)
# if _MSC_VER>=1300 && _MSC_VER<1600

6
deps/openssl/openssl/fuzz/x509.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -78,9 +78,13 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
resp = d2i_OCSP_RESPONSE(NULL, &p, len);
store = X509_STORE_new();
if (store == NULL)
goto err;
X509_STORE_add_cert(store, x509_2);
param = X509_VERIFY_PARAM_new();
if (param == NULL)
goto err;
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_NO_CHECK_TIME);
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_X509_STRICT);
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN);

1
deps/openssl/openssl/include/crypto/bn_conf.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/bn_conf.h"

1
deps/openssl/openssl/include/crypto/dso_conf.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/dso_conf.h"

20
deps/openssl/openssl/include/internal/constant_time.h vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2014-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2014-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -296,6 +296,18 @@ static ossl_inline size_t value_barrier_s(size_t a)
return r;
}
/* Convenience method for unsigned char. */
static ossl_inline unsigned char value_barrier_8(unsigned char a)
{
#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
unsigned char r;
__asm__("" : "=r"(r) : "0"(a));
#else
volatile unsigned char r = a;
#endif
return r;
}
static ossl_inline unsigned int constant_time_select(unsigned int mask,
unsigned int a,
unsigned int b)
@ -356,7 +368,7 @@ static ossl_inline void constant_time_cond_swap_32(uint32_t mask, uint32_t *a,
{
uint32_t xor = *a ^ *b;
xor &= mask;
xor &= value_barrier_32(mask);
*a ^= xor;
*b ^= xor;
}
@ -376,7 +388,7 @@ static ossl_inline void constant_time_cond_swap_64(uint64_t mask, uint64_t *a,
{
uint64_t xor = *a ^ *b;
xor &= mask;
xor &= value_barrier_64(mask);
*a ^= xor;
*b ^= xor;
}
@ -403,7 +415,7 @@ static ossl_inline void constant_time_cond_swap_buff(unsigned char mask,
for (i = 0; i < len; i++) {
tmp = a[i] ^ b[i];
tmp &= mask;
tmp &= value_barrier_8(mask);
a[i] ^= tmp;
b[i] ^= tmp;
}

1
deps/openssl/openssl/include/openssl/asn1.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/asn1.h"

1
deps/openssl/openssl/include/openssl/asn1t.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/asn1t.h"

1
deps/openssl/openssl/include/openssl/bio.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/bio.h"

1
deps/openssl/openssl/include/openssl/cmp.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/cmp.h"

1
deps/openssl/openssl/include/openssl/cms.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/cms.h"

1
deps/openssl/openssl/include/openssl/conf.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/conf.h"

1
deps/openssl/openssl/include/openssl/configuration.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/configuration.h"

1
deps/openssl/openssl/include/openssl/crmf.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/crmf.h"

1
deps/openssl/openssl/include/openssl/crypto.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/crypto.h"

1
deps/openssl/openssl/include/openssl/ct.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/ct.h"

1
deps/openssl/openssl/include/openssl/err.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/err.h"

1
deps/openssl/openssl/include/openssl/ess.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/ess.h"

1
deps/openssl/openssl/include/openssl/fipskey.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/fipskey.h"

1
deps/openssl/openssl/include/openssl/lhash.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/lhash.h"

1
deps/openssl/openssl/include/openssl/ocsp.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/ocsp.h"

1
deps/openssl/openssl/include/openssl/opensslv.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/opensslv.h"

1
deps/openssl/openssl/include/openssl/pkcs12.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/pkcs12.h"

1
deps/openssl/openssl/include/openssl/pkcs7.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/pkcs7.h"

1
deps/openssl/openssl/include/openssl/safestack.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/safestack.h"

1
deps/openssl/openssl/include/openssl/srp.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/srp.h"

1
deps/openssl/openssl/include/openssl/ssl.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/ssl.h"

1
deps/openssl/openssl/include/openssl/ui.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/ui.h"

1
deps/openssl/openssl/include/openssl/x509.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/x509.h"

1
deps/openssl/openssl/include/openssl/x509_vfy.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/x509_vfy.h"

1
deps/openssl/openssl/include/openssl/x509v3.h vendored
View File

@ -1 +0,0 @@
#include "../../../config/x509v3.h"

28
deps/openssl/openssl/providers/fips-sources.checksums vendored
View File

@ -197,9 +197,9 @@ e2705097cfab64e8d7eb2feba37c3f12b18aec74b135ad0c7f073efccf336d4c crypto/ec/ecx_
62c994fd91dc4a5a1a81dfa9391d6eadae62d3549b2e1b22acb2e7c4cd278f27 crypto/evp/evp_fetch.c
ebe32b2895f7f9767710674352c8949efe93b4bbb5e7b71c27bb5d1822339b46 crypto/evp/evp_lib.c
78f07bf50b6999611a4e9414ab3a20b219b0ab29ca2bd05002d6919a3f67b8eb crypto/evp/evp_local.h
117e679d49d2ae87e49d3c942ff0ce768959e8b9713f84a99025cabba462ccd5 crypto/evp/evp_rand.c
a801c0f785d2089d69872f0874bc91c2f90939839b5a1d76d33994eb5ced4754 crypto/evp/evp_rand.c
2a128617ec0178e9eeacbe41d75a5530755f41ea524cd124607543cf73456a0c crypto/evp/evp_utils.c
ca8c6cfd30efd53f2e5d1f19bcf09a3a3d0dff6d8947c3943d07a3f4b354aa86 crypto/evp/exchange.c
cedb38e16de356c6d3fcd087801db059ab8b5a857b3687ad36ff3e75654cc142 crypto/evp/exchange.c
9e25042581b73e295c059c6217f3ecf809134d518eb79b1b67f34e3ca9145677 crypto/evp/kdf_lib.c
1d72f5506984df1df8606e8c7045f041cf517223e2e1b50c4da8ba8bf1c6c186 crypto/evp/kdf_meth.c
5179624b8e03615dc9caedc9ec16d094fa081495613dd552d71c2c39475bcd83 crypto/evp/kem.c
@ -211,7 +211,7 @@ e7e8eb5683cd3fbd409df888020dc353b65ac291361829cc4131d5bc86c9fcb3 crypto/evp/mac
546d83abecf8973e2d872102a03bde5a46552909fa9e7d1402e1464a27453801 crypto/evp/p_lib.c
3b4228b92eebd04616ecc3ee58684095313dd5ffd1b43cf698a7d6c202cb4622 crypto/evp/pmeth_check.c
1f0e9e94e9b0ad322956521b438b78d44cfcd8eb974e8921d05f9e21ba1c05cf crypto/evp/pmeth_gn.c
76511fba789089a50ef87774817a5482c33633a76a94ecf7b6e8eb915585575d crypto/evp/pmeth_lib.c
59af1ebff5870b531d1e007979ba59ced21c58a5fa481d2a8b24e9e1eb635bd5 crypto/evp/pmeth_lib.c
53058617c153a7676e7ca18c98c23df867a93087d67935907076f3c5bd65c15e crypto/evp/signature.c
f2acfb82aac20251d05a9c252cc6c282bd44e43feac4ac2e0faf68b9a38aef57 crypto/ex_data.c
1c8389c5d49616d491978f0f2b2a54ba82d805ec41c8f75c67853216953cf46a crypto/ffc/ffc_backend.c
@ -254,12 +254,12 @@ abba788a11469f5c01c766fdac64eccd4fb598b2d4d9a12efb086ae87009acb8 crypto/o_str.c
c698d5166d091d6bb6e9df3c211fe1cc916fd43a26ec844f28f547cd708f9c55 crypto/param_build.c
2a0f272dd553b698e8c6fa57962694ebd6064cb03fe26a60df529205568d315d crypto/param_build_set.c
0e4a5388a92fabbe5a540176c0b4c5ce258b78dc9168ecc2e805352a06aaf0ba crypto/params.c
4fda13f6af05d80b0ab89ec4f5813c274a21a9b4565be958a02d006236cef05c crypto/params_dup.c
9121f614b65e471ddf944192015c8d19c34032629cfc284ebcc277469a9164dd crypto/params_dup.c
b6cbfc8791b31587f32a3f9e4c117549793528ebddc34a361bad1ad8cf8d4c42 crypto/params_from_text.c
97cb7414dc2f165d5849ee3b46cdfff0afb067729435d9c01a747e0ca41e230c crypto/ppccap.c
3ca43596a7528dec8ff9d1a3cd0d68b62640f84b1d6a8b5e4842cfd0be1133ad crypto/ppccpuid.pl
b4d34272a0bd1fbe6562022bf7ea6259b6a5a021a48222d415be47ef5ef2a905 crypto/property/defn_cache.c
c3709986fd2ab18f3c6136d8dd7705a4538986aa789ceafe770c3a376db3c569 crypto/property/property.c
9b5fbefe6b18f665b44f79d1d08a977b484064a9fba46506ed8e812e581e9d97 crypto/property/property.c
66da4f28d408133fb544b14aeb9ad4913e7c5c67e2826e53f0dc5bf4d8fada26 crypto/property/property_local.h
b0b382ce829192d2537561cfb0fb5c7afb04305f321f7b3c91441b4ba99b9c92 crypto/property/property_parse.c
a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3 crypto/property/property_query.c
@ -344,11 +344,11 @@ c50c584c55e56347bb43aca4b796b5344d70daece3061f586b79c871c21f5d1a crypto/sparse_
8da78169fa8c09dc3c29c9bf1602b22e88c5eac4815e274ba1864c166e31584b crypto/stack/stack.c
7b4efa594d8d1f3ecbf4605cf54f72fb296a3b1d951bdc69e415aaa08f34e5c8 crypto/threads_lib.c
a41ae93a755e2ec89b3cb5b4932e2b508fdda92ace2e025a2650a6da0e9e972c crypto/threads_none.c
3729e2bd36f945808b578e0d89fac0fcb3114e4fc9381614bcbd8a9869991716 crypto/threads_pthread.c
0a085bd6a70d449c79783c7b11383ae427df28a19fd4651571003306079bb72f crypto/threads_pthread.c
f82715745b668297d71b66d05e6bfc3c817bf80bd967c0f33ca7ffbb6e347645 crypto/threads_win.c
fd6c27cf7c6b5449b17f2b725f4203c4c10207f1973db09fd41571efe5de08fd crypto/x86_64cpuid.pl
bbec287bb9bf35379885f8f8998b7fd9e8fc22efee9e1b299109af0f33a7ee16 crypto/x86cpuid.pl
acbb841170d4d3eb91d969be1c0e4973b1babfd5fcd76440b0628f509f82fd76 e_os.h
4a61cecc1d1d547cb414404c73efe71cac8ab7885a03780a55c3ff8a74b1de26 e_os.h
249a0e58e9692920eddc1ada2ac772a0cfd749cfbf618f2f5da08280df545d8f include/crypto/aes_platform.h
8c6f308c1ca774e6127e325c3b80511dbcdc99631f032694d8db53a5c02364ee include/crypto/asn1_dsa.h
3bded0eaa7ccdebd0b4217b7fdb82676d5c0762a88aca462dbceaef851fafa99 include/crypto/bn.h
@ -373,7 +373,7 @@ f326212c978576c5346c89ae0336c2428594494b54054f6045b1f1038bfbc004 include/crypto
7676b02824b2d68df6bddeb251e9b8a8fa2e35a95dad9a7ebeca53f9ab8d2dad include/crypto/sparse_array.h
7ad02c7de77304c3b298deeb038ab2550cf8b2bce03021994477c6c43dbcf86e include/crypto/types.h
782a83d4e489fd865e2768a20bfa31e78c2071fd0ceeb9eb077276ae2bcc6590 include/internal/bio.h
8e984890c7c62cdd6356963f034831831f7167c65096cb4d23bc765d84d2c598 include/internal/constant_time.h
c64d5338564a30577c86347d99763f1a3321ec12a65c7d61298ea78a3f136a83 include/internal/constant_time.h
c5bb97f654984130c8b44c09a52395bce0b22985d5dbc9c4d9377d86283f11f8 include/internal/core.h
0b572801dfb8a41cc239e3439f8097a0ad11bbdf5d54811d10ceba3175cf2f17 include/internal/cryptlib.h
9571cfd3d5666749084b354a6d65adee443deeb5713a58c098c7b03bc69dbc63 include/internal/deprecated.h
@ -542,7 +542,7 @@ bb67eaa7a98494ca938726f9218213870fc97dd87b56bda950626cc794baf20b providers/impl
c4b1cb143de15acc396ce2e03fdd165defd25ebc831de9cdfacf408ea883c666 providers/implementations/ciphers/ciphercommon_local.h
39b47b6ef9d71852964c26e07ef0e9b23f04c7493b1b16ba7c3dba7074b6b70d providers/implementations/digests/digestcommon.c
80551b53302d95faea257df3edbdbd02d48427ce42da2c4335f998456400d057 providers/implementations/digests/sha2_prov.c
de342d04be6af69037922d5c97bdc40c0c27f6740636e72786a765d0d8ad9173 providers/implementations/digests/sha3_prov.c
52608810d317b4cfe358d5a668369f834f845bc5f82e475d7ecaae5ca0144293 providers/implementations/digests/sha3_prov.c
b5f94d597df72ca58486c59b2a70b4057d13f09528f861ed41a84b7125b54a82 providers/implementations/exchange/dh_exch.c
9c46dc0d859875fcc0bc3d61a7b610cd3520b1bf63718775c1124f54a1fe5f24 providers/implementations/exchange/ecdh_exch.c
9bf87b8429398a6465c7e9f749a33b84974303a458736b56f3359b30726d3969 providers/implementations/exchange/ecx_exch.c
@ -557,7 +557,7 @@ b9a61ce951c1904d8315b1bb26c0ab0aaadb47e71d4ead5df0a891608c728c4b providers/impl
c95ce5498e724b9b3d58e3c2f4723e7e3e4beb07f9bea9422e43182cbadb43af providers/implementations/include/prov/macsignature.h
29d1a112b799e1f45fdf8bcee8361c2ed67428c250c1cdf408a9fbb7ebf4cce1 providers/implementations/include/prov/names.h
2187713b446d8b6d24ee986748b941ac3e24292c71e07ff9fb53a33021decdda providers/implementations/include/prov/seeding.h
6091dd22e716fbe6c7c94524cdee6ad4432a572f2d3c4d360dcafafa3902d692 providers/implementations/kdfs/hkdf.c
9d84007b7d13c70ceef8709ba8c92bfffa894aabfe1802993f33f1268c18aab0 providers/implementations/kdfs/hkdf.c
a62e3af09f5af84dcf36f951ba4ac90ca1694adaf3747126186020b155f94186 providers/implementations/kdfs/kbkdf.c
e0644e727aacfea4da3cf2c4d2602d7ef0626ebb760b6467432ffd54d5fbb24d providers/implementations/kdfs/pbkdf2.c
c0778565abff112c0c5257329a7750ec4605e62f26cc36851fa1fbee6e03c70c providers/implementations/kdfs/pbkdf2.h
@ -571,9 +571,9 @@ abe2b0f3711eaa34846e155cffc9242e4051c45de896f747afd5ac9d87f637dc providers/impl
9316fc619e8d8a1d841aa0936fc62c28eb2b4c60cc6c9b2d64b72f8641f28abb providers/implementations/keymgmt/dsa_kmgmt.c
9bc88451d3ae110c7a108ee73d3b3b6bda801ec3494d2dfb9c9970b85c2d34fe providers/implementations/keymgmt/ec_kmgmt.c
258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251 providers/implementations/keymgmt/ec_kmgmt_imexport.inc
d0c67b7fbddd51dcfebd96bf99794ca3bc437d50974ebcd56968fb8dd3627b0f providers/implementations/keymgmt/ecx_kmgmt.c
5f76cf9d17e14f471f90ebadcd94fca654c806f4356b84d5b9363e8be4599bcb providers/implementations/keymgmt/ecx_kmgmt.c
053a2be39a87f50b877ebdbbf799cf5faf8b2de33b04311d819d212ee1ea329b providers/implementations/keymgmt/kdf_legacy_kmgmt.c
37e2f9f904eeabf94b1e4152b67ac236f872aa78dd7e47bf0de1b8f50ac19b6c providers/implementations/keymgmt/mac_legacy_kmgmt.c
e0450f253ca54624587046edd28f071f55bf3088847dc8a4de79491079ad475d providers/implementations/keymgmt/mac_legacy_kmgmt.c
19f22fc70a6321441e56d5bd4aab3d01d52d17069d4e4b5cefce0f411ecece75 providers/implementations/keymgmt/rsa_kmgmt.c
5eb96ea2df635cf79c5aeccae270fbe896b5e6384a5b3e4b187ce8c10fe8dfc7 providers/implementations/macs/cmac_prov.c
e69aa06f8f3c6f5a26702b9f44a844b8589b99dc0ee590953a29e8b9ef10acbe providers/implementations/macs/gmac_prov.c
@ -581,11 +581,11 @@ e69aa06f8f3c6f5a26702b9f44a844b8589b99dc0ee590953a29e8b9ef10acbe providers/impl
8640b63fd8325aaf8f7128d6cc448d9af448a65bf51a8978075467d33a67944e providers/implementations/macs/kmac_prov.c
bf30274dd6b528ae913984775bd8f29c6c48c0ef06d464d0f738217727b7aa5c providers/implementations/rands/crngt.c
f9457255fc57ef5739aa2584e535195e38cc947e31fd044d28d64c28c8a946ce providers/implementations/rands/drbg.c
7e8fa6333845778474ed1313a66867512512372c9397f699a8f68fa6d5fc05fa providers/implementations/rands/drbg_ctr.c
42e895fe255d90f9135eada30466811e3909ea4fd07fb968435dc5feee94ebf8 providers/implementations/rands/drbg_ctr.c
8337994f4bc95e421d6d2833bb4481ad9d84deb3913d0faec6e1791ea372a793 providers/implementations/rands/drbg_hash.c
1f040090f596f88cb64d6eb89109a8b75e66caee113708fb59335ad2547027fc providers/implementations/rands/drbg_hmac.c
7a1b8516f891f25f3dc07ffe0455200f20d3a1f0345a917f00c7d9afe900bb0a providers/implementations/rands/drbg_local.h
04339b66c10017229ef368cb48077f58a252ebfda9ab12b9f919e4149b1036ed providers/implementations/rands/test_rng.c
66c0a91e23ae4275cc3f5daa8437d1c0addd10ca2e8aefab4573d606c5ba27ba providers/implementations/rands/test_rng.c
cafb9e6f54ad15889fcebddac6df61336bff7d78936f7de3bb5aab8aee5728d2 providers/implementations/signature/dsa_sig.c
a30dc6308de0ca33406e7ce909f3bcf7580fb84d863b0976b275839f866258df providers/implementations/signature/ecdsa_sig.c
09647b736980ac3c762f1e7c10cbfee78e2c6ab327ac62e5039968cea034ff3b providers/implementations/signature/eddsa_sig.c

2
deps/openssl/openssl/providers/fips.checksum vendored
View File

@ -1 +1 @@
01b31117f96429fe4c8efbf7f4f10ef32efa2b11c69851fd227e4194db116b6f providers/fips-sources.checksums
0cbed2adf7acee36e3ef1906e6de0946b423cc9354c878e54bcbc7a363aeec0d providers/fips-sources.checksums

10
deps/openssl/openssl/providers/implementations/ciphers/cipher_aes_gcm_hw_armv8.inc vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -15,10 +15,8 @@
size_t armv8_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len,
const void *key, unsigned char ivec[16], u64 *Xi)
{
size_t align_bytes = 0;
align_bytes = len - len % 16;
AES_KEY *aes_key = (AES_KEY *)key;
size_t align_bytes = len - len % 16;
switch(aes_key->rounds) {
case 10:
@ -37,10 +35,8 @@ size_t armv8_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t
size_t armv8_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t len,
const void *key, unsigned char ivec[16], u64 *Xi)
{
size_t align_bytes = 0;
align_bytes = len - len % 16;
AES_KEY *aes_key = (AES_KEY *)key;
size_t align_bytes = len - len % 16;
switch(aes_key->rounds) {
case 10:

20
deps/openssl/openssl/providers/implementations/ciphers/cipher_chacha20_poly1305.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -32,7 +32,7 @@ static OSSL_FUNC_cipher_set_ctx_params_fn chacha20_poly1305_set_ctx_params;
static OSSL_FUNC_cipher_cipher_fn chacha20_poly1305_cipher;
static OSSL_FUNC_cipher_final_fn chacha20_poly1305_final;
static OSSL_FUNC_cipher_gettable_ctx_params_fn chacha20_poly1305_gettable_ctx_params;
#define chacha20_poly1305_settable_ctx_params ossl_cipher_aead_settable_ctx_params
static OSSL_FUNC_cipher_settable_ctx_params_fn chacha20_poly1305_settable_ctx_params;
#define chacha20_poly1305_gettable_params ossl_cipher_generic_gettable_params
#define chacha20_poly1305_update chacha20_poly1305_cipher
@ -158,6 +158,21 @@ static const OSSL_PARAM *chacha20_poly1305_gettable_ctx_params
return chacha20_poly1305_known_gettable_ctx_params;
}
static const OSSL_PARAM chacha20_poly1305_known_settable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL),
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD, NULL, 0),
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED, NULL, 0),
OSSL_PARAM_END
};
static const OSSL_PARAM *chacha20_poly1305_settable_ctx_params(
ossl_unused void *cctx, ossl_unused void *provctx
)
{
return chacha20_poly1305_known_settable_ctx_params;
}
static int chacha20_poly1305_set_ctx_params(void *vctx,
const OSSL_PARAM params[])
{
@ -238,7 +253,6 @@ static int chacha20_poly1305_set_ctx_params(void *vctx,
return 0;
}
}
/* ignore OSSL_CIPHER_PARAM_AEAD_MAC_KEY */
return 1;
}

4
deps/openssl/openssl/providers/implementations/digests/sha3_prov.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -19,7 +19,7 @@
#include "prov/implementations.h"
#define SHA3_FLAGS PROV_DIGEST_FLAG_ALGID_ABSENT
#define SHAKE_FLAGS PROV_DIGEST_FLAG_XOF
#define SHAKE_FLAGS (PROV_DIGEST_FLAG_XOF | PROV_DIGEST_FLAG_ALGID_ABSENT)
#define KMAC_FLAGS PROV_DIGEST_FLAG_XOF
/*

14
deps/openssl/openssl/providers/implementations/kdfs/hkdf.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -233,13 +233,11 @@ static int hkdf_common_set_ctx_params(KDF_HKDF *ctx, const OSSL_PARAM params[])
}
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
if (p->data_size != 0 && p->data != NULL) {
OPENSSL_free(ctx->salt);
ctx->salt = NULL;
if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->salt, 0,
&ctx->salt_len))
return 0;
}
OPENSSL_free(ctx->salt);
ctx->salt = NULL;
if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->salt, 0,
&ctx->salt_len))
return 0;
}
return 1;

9
deps/openssl/openssl/providers/implementations/keymgmt/ecx_kmgmt.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -344,7 +344,6 @@ static const OSSL_PARAM ecx_gettable_params[] = {
OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_MANDATORY_DIGEST, NULL, 0),
OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
ECX_KEY_TYPES(),
OSSL_PARAM_END
@ -354,6 +353,7 @@ static const OSSL_PARAM ed_gettable_params[] = {
OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_MANDATORY_DIGEST, NULL, 0),
ECX_KEY_TYPES(),
OSSL_PARAM_END
};
@ -485,6 +485,8 @@ static void *ecx_gen_init(void *provctx, int selection,
gctx->libctx = libctx;
gctx->type = type;
gctx->selection = selection;
} else {
return NULL;
}
if (!ecx_gen_set_params(gctx, params)) {
ecx_gen_cleanup(gctx);
@ -694,6 +696,9 @@ static void ecx_gen_cleanup(void *genctx)
{
struct ecx_gen_ctx *gctx = genctx;
if (gctx == NULL)
return;
OPENSSL_free(gctx->propq);
OPENSSL_free(gctx);
}

3
deps/openssl/openssl/providers/implementations/keymgmt/mac_legacy_kmgmt.c vendored
View File

@ -527,6 +527,9 @@ static void mac_gen_cleanup(void *genctx)
{
struct mac_gen_ctx *gctx = genctx;
if (gctx == NULL)
return;
OPENSSL_secure_clear_free(gctx->priv_key, gctx->priv_key_len);
ossl_prov_cipher_reset(&gctx->cipher);
OPENSSL_free(gctx);

5
deps/openssl/openssl/providers/implementations/rands/drbg_ctr.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2011-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2011-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -20,6 +20,7 @@
#include "prov/providercommon.h"
#include "prov/provider_ctx.h"
#include "drbg_local.h"
#include "internal/cryptlib.h"
static OSSL_FUNC_rand_newctx_fn drbg_ctr_new_wrapper;
static OSSL_FUNC_rand_freectx_fn drbg_ctr_free;
@ -80,6 +81,8 @@ static void ctr_XOR(PROV_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
* are XORing. So just process however much input we have.
*/
n = inlen < ctr->keylen ? inlen : ctr->keylen;
if (!ossl_assert(n <= sizeof(ctr->K)))
return;
for (i = 0; i < n; i++)
ctr->K[i] ^= in[i];
if (inlen <= ctr->keylen)

10
deps/openssl/openssl/providers/implementations/rands/test_rng.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -125,16 +125,18 @@ static int test_rng_reseed(ossl_unused void *vtest,
static size_t test_rng_nonce(void *vtest, unsigned char *out,
unsigned int strength,
ossl_unused size_t min_noncelen,
ossl_unused size_t max_noncelen)
size_t max_noncelen)
{
PROV_TEST_RNG *t = (PROV_TEST_RNG *)vtest;
size_t i;
if (t->nonce == NULL || strength > t->strength)
return 0;
i = t->nonce_len > max_noncelen ? max_noncelen : t->nonce_len;
if (out != NULL)
memcpy(out, t->nonce, t->nonce_len);
return t->nonce_len;
memcpy(out, t->nonce, i);
return i;
}
static int test_rng_get_ctx_params(void *vtest, OSSL_PARAM params[])

13
deps/openssl/openssl/ssl/record/rec_layer_d1.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -606,6 +606,17 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
#endif
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
return 0;
} else if (alert_descr == SSL_AD_NO_RENEGOTIATION) {
/*
* This is a warning but we receive it if we requested
* renegotiation and the peer denied it. Terminate with a fatal
* alert because if the application tried to renegotiate it
* presumably had a good reason and expects it to succeed. In
* the future we might have a renegotiation where we don't care
* if the peer refused it where we carry on.
*/
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_RENEGOTIATION);
return -1;
}
} else if (alert_level == SSL3_AL_FATAL) {
s->rwstate = SSL_NOTHING;

8
deps/openssl/openssl/ssl/record/rec_layer_s3.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -1613,10 +1613,10 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
/*
* This is a warning but we receive it if we requested
* renegotiation and the peer denied it. Terminate with a fatal
* alert because if application tried to renegotiate it
* alert because if the application tried to renegotiate it
* presumably had a good reason and expects it to succeed. In
* future we might have a renegotiation where we don't care if
* the peer refused it where we carry on.
* the future we might have a renegotiation where we don't care
* if the peer refused it where we carry on.
*/
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_RENEGOTIATION);
return -1;

9
deps/openssl/openssl/ssl/s3_lib.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@ -4820,7 +4820,10 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret)
}
if (EVP_PKEY_derive(pctx, pms, &pmslen) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
/*
* the public key was probably a weak key
*/
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
goto err;
}
@ -4923,7 +4926,7 @@ int ssl_encapsulate(SSL *s, EVP_PKEY *pubkey,
}
if (EVP_PKEY_encapsulate(pctx, ct, &ctlen, pms, &pmslen) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
goto err;
}

11
deps/openssl/openssl/ssl/ssl_cert.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@ -812,16 +812,17 @@ static int add_uris_recursive(STACK_OF(X509_NAME) *stack,
OSSL_STORE_CTX *ctx = NULL;
X509 *x = NULL;
X509_NAME *xn = NULL;
OSSL_STORE_INFO *info = NULL;
if ((ctx = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL)) == NULL)
goto err;
while (!OSSL_STORE_eof(ctx) && !OSSL_STORE_error(ctx)) {
OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
int infotype = info == 0 ? 0 : OSSL_STORE_INFO_get_type(info);
int infotype;
if (info == NULL)
if ((info = OSSL_STORE_load(ctx)) == NULL)
continue;
infotype = OSSL_STORE_INFO_get_type(info);
if (infotype == OSSL_STORE_INFO_NAME) {
/*
@ -846,6 +847,7 @@ static int add_uris_recursive(STACK_OF(X509_NAME) *stack,
}
OSSL_STORE_INFO_free(info);
info = NULL;
}
ERR_clear_error();
@ -853,6 +855,7 @@ static int add_uris_recursive(STACK_OF(X509_NAME) *stack,
err:
ok = 0;
OSSL_STORE_INFO_free(info);
done:
OSSL_STORE_close(ctx);

5
deps/openssl/openssl/ssl/ssl_sess.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@ -612,6 +612,8 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
SSL_TICKET_STATUS r;
if (SSL_IS_TLS13(s)) {
SSL_SESSION_free(s->session);
s->session = NULL;
/*
* By default we will send a new ticket. This can be overridden in the
* ticket processing.
@ -624,6 +626,7 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
hello->pre_proc_exts, NULL, 0))
return -1;
/* If we resumed, s->session will now be set */
ret = s->session;
} else {
/* sets s->ext.ticket_expected */

18
deps/openssl/openssl/ssl/statem/extensions_srvr.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -275,7 +275,13 @@ int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt,
return 0;
}
if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
/*
* We use this routine on both clients and servers, and when clients
* get asked for PHA we need to always save the sigalgs regardless
* of whether it was a resumption or not.
*/
if ((!s->server || (s->server && !s->hit))
&& !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
return 0;
}
@ -294,7 +300,13 @@ int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
return 0;
}
if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
/*
* We use this routine on both clients and servers, and when clients
* get asked for PHA we need to always save the sigalgs regardless
* of whether it was a resumption or not.
*/
if ((!s->server || (s->server && !s->hit))
&& !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
return 0;
}

25
deps/openssl/openssl/ssl/statem/statem_lib.c vendored
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@ -1967,23 +1967,24 @@ int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
real_max = ver_max;
/* Check for downgrades */
if (s->version == TLS1_2_VERSION && real_max > s->version) {
if (memcmp(tls12downgrade,
if (!SSL_IS_DTLS(s) && real_max > s->version) {
/* Signal applies to all versions */
if (memcmp(tls11downgrade,
s->s3.server_random + SSL3_RANDOM_SIZE
- sizeof(tls12downgrade),
sizeof(tls12downgrade)) == 0) {
- sizeof(tls11downgrade),
sizeof(tls11downgrade)) == 0) {
s->version = origv;
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_R_INAPPROPRIATE_FALLBACK);
return 0;
}
} else if (!SSL_IS_DTLS(s)
&& s->version < TLS1_2_VERSION
&& real_max > s->version) {
if (memcmp(tls11downgrade,
s->s3.server_random + SSL3_RANDOM_SIZE
- sizeof(tls11downgrade),
sizeof(tls11downgrade)) == 0) {
/* Only when accepting TLS1.3 */
if (real_max == TLS1_3_VERSION
&& memcmp(tls12downgrade,
s->s3.server_random + SSL3_RANDOM_SIZE
- sizeof(tls12downgrade),
sizeof(tls12downgrade)) == 0) {
s->version = origv;
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_R_INAPPROPRIATE_FALLBACK);

8
deps/openssl/openssl/tools/c_rehash.in vendored
View File

@ -1,7 +1,7 @@
#!{- $config{HASHBANGPERL} -}
{- use OpenSSL::Util; -}
# {- join("\n# ", @autowarntext) -}
# Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@ -63,10 +63,10 @@ if (defined(&Cwd::getcwd)) {
my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':';
$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : "");
if (! -x $openssl) {
if (!(-f $openssl && -x $openssl)) {
my $found = 0;
foreach (split /$path_delim/, $ENV{PATH}) {
if (-x "$_/$openssl") {
if (-f "$_/$openssl" && -x "$_/$openssl") {
$found = 1;
$openssl = "$_/$openssl";
last;
@ -88,7 +88,7 @@ if (@ARGV) {
if (-d $dirlist[0]) {
chdir $dirlist[0];
$openssl="$pwd/$openssl" if (!-x $openssl);
$openssl="$pwd/$openssl" if (!(-f $openssl && -x $openssl));
chdir $pwd;
}

39
deps/openssl/openssl/util/wrap.pl.in vendored
View File

@ -18,6 +18,38 @@ BEGIN {
OpenSSL::Util->import();
}
sub quote_cmd_win32 {
my $cmd = "";
foreach my $arg (@_) {
if ($arg =~ m{\A[\w,-./@]+\z}) {
$cmd .= $arg . q{ };;
} else {
$cmd .= q{"} . quote_arg_win32($arg) . q{" };
}
}
return substr($cmd, 0, -1);
}
sub quote_arg_win32 {
my ($arg) = @_;
my $val = "";
pos($arg) = 0;
while (1) {
return $val if (pos($arg) == length($arg));
if ($arg =~ m{\G((?:(?>[\\]*)[^"\\]+)+)}ogc) {
$val .= $1;
} elsif ($arg =~ m{\G"}ogc) {
$val .= qq{\\"};
} elsif ($arg =~ m{\G((?>[\\]+)(?="|\z))}ogc) {
$val .= qq{\\} x (2 * length($1));
} else {
die sprintf("Internal error quoting: '%s'\n", $arg);
}
}
}
my $there = canonpath(catdir(dirname($0), updir()));
my $std_engines = catdir($there, 'engines');
my $std_providers = catdir($there, 'providers');
@ -60,7 +92,12 @@ if ($^O eq 'VMS') {
# The exec() statement on MSWin32 doesn't seem to give back the exit code
# from the call, so we resort to using system() instead.
my $waitcode = system @cmd;
my $waitcode;
if ($^O eq 'MSWin32') {
$waitcode = system(quote_cmd_win32(@cmd));
} else {
$waitcode = system @cmd;
}
# According to documentation, -1 means that system() couldn't run the command,
# otherwise, the value is similar to the Unix wait() status value