https://github.com/openssl/openssl
- HEAD
- refs/heads/OpenSSL-engine-0_9_6-stable
- refs/heads/OpenSSL-fips-0_9_7-stable
- refs/heads/OpenSSL-fips-0_9_8-stable
- refs/heads/OpenSSL-fips-1_2-stable
- refs/heads/OpenSSL-fips-2_0-dev
- refs/heads/OpenSSL-fips-2_0-stable
- refs/heads/OpenSSL-fips2-0_9_7-stable
- refs/heads/OpenSSL_0_9_6-stable
- refs/heads/OpenSSL_0_9_7-stable
- refs/heads/OpenSSL_0_9_8-stable
- refs/heads/OpenSSL_0_9_8fg-stable
- refs/heads/OpenSSL_1_0_0-stable
- refs/heads/OpenSSL_1_0_1-stable
- refs/heads/OpenSSL_1_0_2-stable
- refs/heads/OpenSSL_1_1_0-stable
- refs/heads/OpenSSL_1_1_1-stable
- refs/heads/SSLeay
- refs/heads/feature/dtls-1.3
- refs/heads/feature/quic-server
- refs/heads/master
- refs/heads/openssl-3.0
- refs/heads/openssl-3.1
- refs/heads/openssl-3.2
- refs/heads/openssl-3.3
- refs/heads/tls1.3-draft-18
- refs/heads/tls1.3-draft-19
- refs/tags/AFTER_COMPAQ_PATCH
- refs/tags/BEFORE_COMPAQ_PATCH
- refs/tags/BEFORE_engine
- refs/tags/BEN_FIPS_TEST_1
- refs/tags/BEN_FIPS_TEST_2
- refs/tags/BEN_FIPS_TEST_3
- refs/tags/BEN_FIPS_TEST_4
- refs/tags/BEN_FIPS_TEST_5
- refs/tags/BEN_FIPS_TEST_6
- refs/tags/BEN_FIPS_TEST_7
- refs/tags/BEN_FIPS_TEST_8
- refs/tags/FIPS_098_TEST_1
- refs/tags/FIPS_098_TEST_2
- refs/tags/FIPS_098_TEST_3
- refs/tags/FIPS_098_TEST_4
- refs/tags/FIPS_098_TEST_5
- refs/tags/FIPS_098_TEST_6
- refs/tags/FIPS_098_TEST_7
- refs/tags/FIPS_098_TEST_8
- refs/tags/FIPS_TEST_10
- refs/tags/FIPS_TEST_9
- refs/tags/LEVITTE_after_const
- refs/tags/LEVITTE_before_const
- refs/tags/OpenSSL-engine-0_9_6
- refs/tags/OpenSSL-engine-0_9_6-beta1
- refs/tags/OpenSSL-engine-0_9_6-beta2
- refs/tags/OpenSSL-engine-0_9_6-beta3
- refs/tags/OpenSSL-engine-0_9_6a
- refs/tags/OpenSSL-engine-0_9_6a-beta1
- refs/tags/OpenSSL-engine-0_9_6a-beta2
- refs/tags/OpenSSL-engine-0_9_6a-beta3
- refs/tags/OpenSSL-engine-0_9_6b
- refs/tags/OpenSSL-engine-0_9_6c
- refs/tags/OpenSSL-engine-0_9_6d
- refs/tags/OpenSSL-engine-0_9_6d-beta1
- refs/tags/OpenSSL-engine-0_9_6e
- refs/tags/OpenSSL-engine-0_9_6f
- refs/tags/OpenSSL-engine-0_9_6g
- refs/tags/OpenSSL-engine-0_9_6h
- refs/tags/OpenSSL-engine-0_9_6i
- refs/tags/OpenSSL-engine-0_9_6j
- refs/tags/OpenSSL-engine-0_9_6k
- refs/tags/OpenSSL-engine-0_9_6l
- refs/tags/OpenSSL-engine-0_9_6m
- refs/tags/OpenSSL-fips-1_2_0
- refs/tags/OpenSSL-fips-1_2_1
- refs/tags/OpenSSL-fips-1_2_2
- refs/tags/OpenSSL-fips-1_2_3
- refs/tags/OpenSSL-fips-2_0
- refs/tags/OpenSSL-fips-2_0-pl1
- refs/tags/OpenSSL-fips-2_0-rc1
- refs/tags/OpenSSL-fips-2_0-rc2
- refs/tags/OpenSSL-fips-2_0-rc3
- refs/tags/OpenSSL-fips-2_0-rc4
- refs/tags/OpenSSL-fips-2_0-rc5
- refs/tags/OpenSSL-fips-2_0-rc6
- refs/tags/OpenSSL-fips-2_0-rc7
- refs/tags/OpenSSL-fips-2_0-rc8
- refs/tags/OpenSSL-fips-2_0-rc9
- refs/tags/OpenSSL-fips-2_0_1
- refs/tags/OpenSSL_0_9_1c
- refs/tags/OpenSSL_0_9_2b
- refs/tags/OpenSSL_0_9_3
- refs/tags/OpenSSL_0_9_3a
- refs/tags/OpenSSL_0_9_3beta1
- refs/tags/OpenSSL_0_9_3beta2
- refs/tags/OpenSSL_0_9_4
- refs/tags/OpenSSL_0_9_5
- refs/tags/OpenSSL_0_9_5a
- refs/tags/OpenSSL_0_9_5a-beta1
- refs/tags/OpenSSL_0_9_5a-beta2
- refs/tags/OpenSSL_0_9_5beta1
- refs/tags/OpenSSL_0_9_5beta2
- refs/tags/OpenSSL_0_9_6
- refs/tags/OpenSSL_0_9_6-beta1
- refs/tags/OpenSSL_0_9_6-beta2
- refs/tags/OpenSSL_0_9_6-beta3
- refs/tags/OpenSSL_0_9_6a
- refs/tags/OpenSSL_0_9_6a-beta1
- refs/tags/OpenSSL_0_9_6a-beta2
- refs/tags/OpenSSL_0_9_6a-beta3
- refs/tags/OpenSSL_0_9_6b
- refs/tags/OpenSSL_0_9_6c
- refs/tags/OpenSSL_0_9_6d
- refs/tags/OpenSSL_0_9_6d-beta1
- refs/tags/OpenSSL_0_9_6e
- refs/tags/OpenSSL_0_9_6f
- refs/tags/OpenSSL_0_9_6g
- refs/tags/OpenSSL_0_9_6h
- refs/tags/OpenSSL_0_9_6i
- refs/tags/OpenSSL_0_9_6j
- refs/tags/OpenSSL_0_9_6k
- refs/tags/OpenSSL_0_9_6l
- refs/tags/OpenSSL_0_9_6m
- refs/tags/OpenSSL_0_9_7
- refs/tags/OpenSSL_0_9_7-beta1
- refs/tags/OpenSSL_0_9_7-beta2
- refs/tags/OpenSSL_0_9_7-beta3
- refs/tags/OpenSSL_0_9_7-beta4
- refs/tags/OpenSSL_0_9_7-beta5
- refs/tags/OpenSSL_0_9_7-beta6
- refs/tags/OpenSSL_0_9_7a
- refs/tags/OpenSSL_0_9_7b
- refs/tags/OpenSSL_0_9_7c
- refs/tags/OpenSSL_0_9_7d
- refs/tags/OpenSSL_0_9_7e
- refs/tags/OpenSSL_0_9_7f
- refs/tags/OpenSSL_0_9_7g
- refs/tags/OpenSSL_0_9_7h
- refs/tags/OpenSSL_0_9_7i
- refs/tags/OpenSSL_0_9_7j
- refs/tags/OpenSSL_0_9_7k
- refs/tags/OpenSSL_0_9_7l
- refs/tags/OpenSSL_0_9_7m
- refs/tags/OpenSSL_0_9_8
- refs/tags/OpenSSL_0_9_8-beta1
- refs/tags/OpenSSL_0_9_8-beta2
- refs/tags/OpenSSL_0_9_8-beta3
- refs/tags/OpenSSL_0_9_8-beta4
- refs/tags/OpenSSL_0_9_8-beta5
- refs/tags/OpenSSL_0_9_8-beta6
- refs/tags/OpenSSL_0_9_8a
- refs/tags/OpenSSL_0_9_8b
- refs/tags/OpenSSL_0_9_8c
- refs/tags/OpenSSL_0_9_8d
- refs/tags/OpenSSL_0_9_8e
- refs/tags/OpenSSL_0_9_8f
- refs/tags/OpenSSL_0_9_8g
- refs/tags/OpenSSL_0_9_8h
- refs/tags/OpenSSL_0_9_8i
- refs/tags/OpenSSL_0_9_8j
- refs/tags/OpenSSL_0_9_8k
- refs/tags/OpenSSL_0_9_8l
- refs/tags/OpenSSL_0_9_8m
- refs/tags/OpenSSL_0_9_8m-beta1
- refs/tags/OpenSSL_0_9_8n
- refs/tags/OpenSSL_0_9_8o
- refs/tags/OpenSSL_0_9_8p
- refs/tags/OpenSSL_0_9_8q
- refs/tags/OpenSSL_0_9_8r
- refs/tags/OpenSSL_0_9_8s
- refs/tags/OpenSSL_0_9_8t
- refs/tags/OpenSSL_0_9_8u
- refs/tags/OpenSSL_0_9_8v
- refs/tags/OpenSSL_0_9_8w
- refs/tags/OpenSSL_0_9_8x
- refs/tags/OpenSSL_1_0_0
- refs/tags/OpenSSL_1_0_0-beta1
- refs/tags/OpenSSL_1_0_0-beta2
- refs/tags/OpenSSL_1_0_0-beta3
- refs/tags/OpenSSL_1_0_0-beta4
- refs/tags/OpenSSL_1_0_0-beta5
- refs/tags/OpenSSL_1_0_0a
- refs/tags/OpenSSL_1_0_0b
- refs/tags/OpenSSL_1_0_0c
- refs/tags/OpenSSL_1_0_0d
- refs/tags/OpenSSL_1_0_0e
- refs/tags/OpenSSL_1_0_0f
- refs/tags/OpenSSL_1_0_0g
- refs/tags/OpenSSL_1_0_0h
- refs/tags/OpenSSL_1_0_0i
- refs/tags/OpenSSL_1_0_0j
- refs/tags/OpenSSL_1_0_1
- refs/tags/OpenSSL_1_0_1-beta1
- refs/tags/OpenSSL_1_0_1-beta2
- refs/tags/OpenSSL_1_0_1-beta3
- refs/tags/OpenSSL_1_0_1a
- refs/tags/OpenSSL_1_0_1b
- refs/tags/OpenSSL_1_0_1c
- refs/tags/OpenSSL_FIPS_1_0
- refs/tags/SSLeay_0_8_1b
- refs/tags/SSLeay_0_9_0b
- refs/tags/SSLeay_0_9_1b
- refs/tags/STATE_after_zlib
- refs/tags/STATE_before_zlib
- refs/tags/rsaref
- openssl-3.3.0-beta1
- openssl-3.3.0-alpha1
- openssl-3.3.0
- openssl-3.2.1
- openssl-3.2.0-beta1
- openssl-3.2.0-alpha2
- openssl-3.2.0-alpha1
- openssl-3.2.0
- openssl-3.1.5
- openssl-3.1.4
- openssl-3.1.3
- openssl-3.1.2
- openssl-3.1.1
- openssl-3.1.0-beta1
- openssl-3.1.0-alpha1
- openssl-3.1.0
- openssl-3.0.9
- openssl-3.0.8
- openssl-3.0.7
- openssl-3.0.6
- openssl-3.0.5
- openssl-3.0.4
- openssl-3.0.3
- openssl-3.0.2
- openssl-3.0.13
- openssl-3.0.12
- openssl-3.0.11
- openssl-3.0.10
- openssl-3.0.1
- openssl-3.0.0-beta2
- openssl-3.0.0-beta1
- openssl-3.0.0-alpha9
- openssl-3.0.0-alpha8
- openssl-3.0.0-alpha7
- openssl-3.0.0-alpha6
- openssl-3.0.0-alpha5
- openssl-3.0.0-alpha4
- openssl-3.0.0-alpha3
- openssl-3.0.0-alpha2
- openssl-3.0.0-alpha17
- openssl-3.0.0-alpha16
- openssl-3.0.0-alpha15
- openssl-3.0.0-alpha14
- openssl-3.0.0-alpha13
- openssl-3.0.0-alpha12
- openssl-3.0.0-alpha11
- openssl-3.0.0-alpha10
- openssl-3.0.0-alpha1
- openssl-3.0.0
- master-pre-reformat
- master-pre-auto-reformat
- master-post-reformat
- master-post-auto-reformat
- OpenSSL_1_1_1w
- OpenSSL_1_1_1v
- OpenSSL_1_1_1u
- OpenSSL_1_1_1t
- OpenSSL_1_1_1s
- OpenSSL_1_1_1r
- OpenSSL_1_1_1q
- OpenSSL_1_1_1p
- OpenSSL_1_1_1o
- OpenSSL_1_1_1n
- OpenSSL_1_1_1m
- OpenSSL_1_1_1l
- OpenSSL_1_1_1k
- OpenSSL_1_1_1j
- OpenSSL_1_1_1i
- OpenSSL_1_1_1h
- OpenSSL_1_1_1g
- OpenSSL_1_1_1f
- OpenSSL_1_1_1e
- OpenSSL_1_1_1d
- OpenSSL_1_1_1c
- OpenSSL_1_1_1b
- OpenSSL_1_1_1a
- OpenSSL_1_1_1-pre9
- OpenSSL_1_1_1-pre8
- OpenSSL_1_1_1-pre7
- OpenSSL_1_1_1-pre6
- OpenSSL_1_1_1-pre5
- OpenSSL_1_1_1-pre4
- OpenSSL_1_1_1-pre3
- OpenSSL_1_1_1-pre2
- OpenSSL_1_1_1-pre1
- OpenSSL_1_1_1
- OpenSSL_1_1_0l
- OpenSSL_1_1_0k
- OpenSSL_1_1_0j
- OpenSSL_1_1_0i
- OpenSSL_1_1_0h
- OpenSSL_1_1_0g
- OpenSSL_1_1_0f
- OpenSSL_1_1_0e
- OpenSSL_1_1_0d
- OpenSSL_1_1_0c
- OpenSSL_1_1_0b
- OpenSSL_1_1_0a
- OpenSSL_1_1_0-pre6
- OpenSSL_1_1_0-pre5
- OpenSSL_1_1_0-pre4
- OpenSSL_1_1_0-pre3
- OpenSSL_1_1_0-pre2
- OpenSSL_1_1_0-pre1
- OpenSSL_1_1_0
- OpenSSL_1_0_2u
- OpenSSL_1_0_2t
- OpenSSL_1_0_2s
- OpenSSL_1_0_2r
- OpenSSL_1_0_2q
- OpenSSL_1_0_2p
- OpenSSL_1_0_2o
- OpenSSL_1_0_2n
- OpenSSL_1_0_2m
- OpenSSL_1_0_2l
- OpenSSL_1_0_2k
- OpenSSL_1_0_2j
- OpenSSL_1_0_2i
- OpenSSL_1_0_2h
- OpenSSL_1_0_2g
- OpenSSL_1_0_2f
- OpenSSL_1_0_2e
- OpenSSL_1_0_2d
- OpenSSL_1_0_2c
- OpenSSL_1_0_2b
- OpenSSL_1_0_2a
- OpenSSL_1_0_2-pre-reformat
- OpenSSL_1_0_2-pre-auto-reformat
- OpenSSL_1_0_2-post-reformat
- OpenSSL_1_0_2-post-auto-reformat
- OpenSSL_1_0_2-beta3
- OpenSSL_1_0_2-beta2
- OpenSSL_1_0_2-beta1
- OpenSSL_1_0_2
- OpenSSL_1_0_1u
- OpenSSL_1_0_1t
- OpenSSL_1_0_1s
- OpenSSL_1_0_1r
- OpenSSL_1_0_1q
- OpenSSL_1_0_1p
- OpenSSL_1_0_1o
- OpenSSL_1_0_1n
- OpenSSL_1_0_1m
- OpenSSL_1_0_1l
- OpenSSL_1_0_1k
- OpenSSL_1_0_1j
- OpenSSL_1_0_1i
- OpenSSL_1_0_1h
- OpenSSL_1_0_1g
- OpenSSL_1_0_1f
- OpenSSL_1_0_1e
- OpenSSL_1_0_1d
- OpenSSL_1_0_1-pre-reformat
- OpenSSL_1_0_1-pre-auto-reformat
- OpenSSL_1_0_1-post-reformat
- OpenSSL_1_0_1-post-auto-reformat
- OpenSSL_1_0_0t
- OpenSSL_1_0_0s
- OpenSSL_1_0_0r
- OpenSSL_1_0_0q
- OpenSSL_1_0_0p
- OpenSSL_1_0_0o
- OpenSSL_1_0_0n
- OpenSSL_1_0_0m
- OpenSSL_1_0_0l
- OpenSSL_1_0_0k
- OpenSSL_1_0_0-pre-reformat
- OpenSSL_1_0_0-pre-auto-reformat
- OpenSSL_1_0_0-post-reformat
- OpenSSL_1_0_0-post-auto-reformat
- OpenSSL_0_9_8zh
- OpenSSL_0_9_8zg
- OpenSSL_0_9_8zf
- OpenSSL_0_9_8ze
- OpenSSL_0_9_8zd
- OpenSSL_0_9_8zc
- OpenSSL_0_9_8zb
- OpenSSL_0_9_8za
- OpenSSL_0_9_8y
- OpenSSL_0_9_8-pre-reformat
- OpenSSL_0_9_8-pre-auto-reformat
- OpenSSL_0_9_8-post-reformat
- OpenSSL_0_9_8-post-auto-reformat
- OpenSSL-fips-2_0_9
- OpenSSL-fips-2_0_8
- OpenSSL-fips-2_0_7
- OpenSSL-fips-2_0_6
- OpenSSL-fips-2_0_5
- OpenSSL-fips-2_0_4
- OpenSSL-fips-2_0_3
- OpenSSL-fips-2_0_2
- OpenSSL-fips-2_0_16
- OpenSSL-fips-2_0_15
- OpenSSL-fips-2_0_14
- OpenSSL-fips-2_0_13
- OpenSSL-fips-2_0_12
- OpenSSL-fips-2_0_11
- OpenSSL-fips-2_0_10
Take a new snapshot of a software origin
If the archived software origin currently browsed is not synchronized with its upstream version (for instance when new commits have been issued), you can explicitly request Software Heritage to take a new snapshot of it.
Use the form below to proceed. Once a request has been submitted and accepted, it will be processed as soon as possible. You can then check its processing state by visiting this dedicated page.Processing "take a new snapshot" request ...
Permalinks
To reference or cite the objects present in the Software Heritage archive, permalinks based on SoftWare Hash IDentifiers (SWHIDs) must be used.
Select below a type of object currently browsed in order to display its associated SWHID and permalink.
Revision | Author | Date | Message | Commit Date |
---|---|---|---|---|
264ff64 | shridhar kalavagunta | 21 April 2024, 23:48:33 UTC | Invoke tear_down when exiting test_encode_tls_sct() prematurely Fixes #24121 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24222) | 23 April 2024, 09:33:42 UTC |
5454ef7 | Logan Upchurch | 19 April 2024, 13:38:31 UTC | crypto/threads_pthread.c: Fix typos found by codespell CLA: trivial Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24206) | 23 April 2024, 09:26:29 UTC |
9816127 | Hubert Kario | 16 April 2024, 12:57:21 UTC | Be more explicit about RSAES-PKCS#1v1.5 error handling And add a note how to perform side-channel free error stack handling. Signed-off-by: Hubert Kario <hkario@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24159) | 22 April 2024, 13:56:40 UTC |
972ee92 | Tim Perry | 16 April 2024, 13:40:21 UTC | Use empty renegotiate extension instead of SCSV for TLS > 1.0 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24161) | 22 April 2024, 12:23:28 UTC |
6ee369c | Neil Horman | 19 April 2024, 14:17:54 UTC | Fix missing NULL check in prov_config_test coverity-1596500 caught a missing null check. We should never hit it as the test harness always sets the environment variable, but lets add the check for safety Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24208) | 22 April 2024, 11:15:59 UTC |
fc9649f | Rajeev Ranjan | 25 March 2024, 13:00:58 UTC | fix sending error when no root CA cert update available Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24169) | 22 April 2024, 06:28:25 UTC |
6594baf | slontis | 05 April 2024, 04:32:23 UTC | Fix migration guide mappings for i2o/o2i_ECPublicKey Fixes #23854 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24041) | 19 April 2024, 18:16:28 UTC |
24d16d3 | Neil Horman | 15 April 2024, 20:56:29 UTC | Make rcu_thread_key context-aware Currently, rcu has a global bit of data, the CRYPTO_THREAD_LOCAL object to store per thread data. This works in some cases, but fails in FIPS, becuase it contains its own copy of the global key. So 1) Make the rcu_thr_key a per-context variable, and force ossl_rcu_lock_new to be context aware 2) Store a pointer to the context in the lock object 3) Use the context to get the global thread key on read/write lock 4) Use ossl_thread_start_init to properly register a cleanup on thread exit 5) Fix up missed calls to OSSL_thread_stop() in our tests Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24162) | 19 April 2024, 13:22:53 UTC |
faa4a10 | Richard Levitte | 17 April 2024, 09:31:31 UTC | OSSL_STORE: Add reference docs for the built-in Windows store implementation Fixes openssl/project#422 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24170) | 19 April 2024, 12:20:58 UTC |
8574fa5 | Enji Cooper | 18 April 2024, 04:10:15 UTC | openssl fipsinstall: fix cosmetic wart This change makes the message on failure consistent with the message on success by trimming a single space in the error message. CLA: trivial Signed-off-by: Enji Cooper <yaneurabeya@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24180) | 19 April 2024, 08:35:38 UTC |
0977eac | Tomas Mraz | 17 April 2024, 16:05:35 UTC | Adjust tests that were depending on X25519 and X448 in fips Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24099) | 19 April 2024, 08:32:27 UTC |
fccd161 | Dimitri John Ledkov | 17 April 2024, 07:04:59 UTC | Exclude X25519 and X448 from capabilities advertised by FIPS provider Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24099) | 19 April 2024, 08:32:27 UTC |
52ca560 | Tomas Mraz | 11 April 2024, 06:57:51 UTC | Make X25519 and X448 FIPS unapproved Partially fixes: #22105 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24099) | 19 April 2024, 08:32:27 UTC |
4e3c1e6 | Neil Horman | 05 April 2024, 13:06:10 UTC | Fix up path generation to use OPENSSL_MODULES Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24025) | 18 April 2024, 16:38:56 UTC |
b80fed3 | Neil Horman | 04 April 2024, 19:39:17 UTC | Update modulepath test for provider config to skip if not present If the p_test.so library isn't present, don't run the test Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24025) | 18 April 2024, 16:38:39 UTC |
91a77cb | Neil Horman | 03 April 2024, 19:18:33 UTC | Add test for OSSL_PROVIDER_load with module path set Ensure that, with the modulepath setting set in a config field, that we are able to load a provider from the path relative to OPENSSL_MODULES Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24025) | 18 April 2024, 16:38:39 UTC |
bc95959 | Neil Horman | 02 April 2024, 19:02:51 UTC | set module path from template Modules that aren't activated at conf load time don't seem to set the module path from the template leading to load failures. Make sure to set that Fixes #24020 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24025) | 18 April 2024, 16:38:39 UTC |
c3542b2 | Hugo Landau | 12 April 2024, 06:58:24 UTC | QUIC TXP: Fix reserve calculations for PING frames Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24122) | 18 April 2024, 15:42:26 UTC |
1692e0d | Viktor Dukhovni | 15 April 2024, 02:04:21 UTC | Fix fragile explicit cert date tests. The tests used localtime to format "today's" date, but then extracted a GMT date from the cert. The comparison breaks when run late in the evening west of UTC, or early in the AM hours east of UTC. Also took care of case when test runs at stroke of midnight, by accepting either the "today" before the cert creation, or the "today" after, should they be different. Fixes fragile tests in #21716 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24139) | 18 April 2024, 12:20:54 UTC |
4174f26 | rlvkleinhenz | 14 April 2024, 19:42:13 UTC | Update provider-compatibility.yml Documentation Change: Line 34 Changed 'utl' to 'url' to correctly reflect the variables used in the releases in this file. CLA: trivial Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24164) | 18 April 2024, 11:33:06 UTC |
35950ce | Dwiczz | 16 April 2024, 17:12:51 UTC | Updated list formatting, added hyperlinks, modernized syntax Updated list formatting to allow for easier readability, Added/adjusted hyperlinks, modernized command substitution syntax CLA: trivial Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24165) | 18 April 2024, 09:02:29 UTC |
e1fd043 | Richard Levitte | 16 April 2024, 09:48:52 UTC | .ctags.d is previous, include it in our tarballs This is a simple change of .gitattributes, so our tarballs continue to be a reproducible output of a util/mktar.sh (i.e. git archive with no other funny business). Fixes #24090 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24156) | 17 April 2024, 16:41:59 UTC |
da8b630 | Jerry Shih | 09 March 2024, 07:03:56 UTC | Use scalar ALU and vector ALU together for chacha20 stream cipher Fixes #24070 Use scalar ALU for 1 chacha block with rvv ALU simultaneously. The tail elements(non-multiple of block length) will be handled by the scalar logic. Use rvv path if the input length > chacha_block_size. And we have about 1.2x improvement comparing with the original code. Reviewed-by: Hongren Zheng <i@zenithal.me> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24097) | 17 April 2024, 14:55:03 UTC |
96939f1 | Yangyu Chen | 14 April 2024, 15:33:58 UTC | poly1305.c: fix typo on POLY1305_BLOCK_SIZE no code change Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24136) | 17 April 2024, 07:41:14 UTC |
25391ac | Theo Buehler | 01 March 2024, 07:07:42 UTC | Unable to run asm code on OpenBSD (amd64) In order to get asm code running on OpenBSD we must place all constants into .rodata sections. davidben@ also pointed out we need to adjust `x86_64-xlate.pl` perlasm script to adjust read-olny sections for various flavors (OSes). Those changes were cherry-picked from boringssl. closes #23312 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23997) | 17 April 2024, 07:38:06 UTC |
fc807a0 | Alexandr Nedvedicky | 11 April 2024, 07:06:47 UTC | extend x86_64-xlate.pl perlasm so it can handle .rodata sections properly For nasm/masm assembler flavors the xlate script must make sure the code won't land in .rodata section along the data. For masm we also need to introduce an .align option which can be passed along section header. It's hint for masm to align rodata/rdata section properly. Also macos-x flavor requires small tweak to emit proper section header for its assembler style. Changes for masm flavor are based on SEGMENT description [1] in MASM reference manual. Changes for nasm flavor are based on nasm 2.14 manual chapter 7 [2]. Details behind macos-x changes can be found in 'Overview of the Mach-O Executable Format' [3] [1] https://learn.microsoft.com/en-us/cpp/assembler/masm/segment?view=msvc-170 [2] https://nasm.us/xdoc/2.14rc0/html/nasmdoc7.html [3] https://developer.apple.com/library/archive/documentation/Performance/Conceptual/CodeFootprint/Articles/MachOOverview.html Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23997) | 17 April 2024, 07:33:57 UTC |
8d8a014 | Tomas Mraz | 12 April 2024, 13:37:58 UTC | fuzz/decoder.c: Limit the EVP_PKEY_param_check on DHX keys as well Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24126) | 17 April 2024, 07:30:11 UTC |
14bed67 | Viktor Dukhovni | 14 April 2024, 23:43:30 UTC | Define KU_ constants via corresponding X509v3_KU_ Also wrap X509v3_KU_UNDEF in `#ifndef OPENSSL_NO_DEPRECATED_3_4`. Fixes #22955 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24138) | 17 April 2024, 07:09:25 UTC |
299996f | trinity-1686a | 15 April 2024, 09:13:14 UTC | Handle empty param in EVP_PKEY_CTX_add1_hkdf_info Fixes #24130 The regression was introduced in PR #23456. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24141) | 17 April 2024, 06:52:51 UTC |
c062403 | Alexandr Nedvedicky | 26 January 2024, 07:05:47 UTC | OpenSSL 3.2.0, QUIC, macOS, error 56 on connected UDP socket current `translate_msg()` function attempts to set `->msg_name` (and `->msg_namelen`) with `BIO`'s peer name (connection destination) regardless if underlying socket is connected or not. Such implementation uncovers differences in socket implementation between various OSes. As we have learned hard way `sendmsg()` and `sendmmsg()` on `OpenBSD` and (`MacOS` too) fail to send messages with `->msg_name` being set on connected socket. In such case the caller receives `EISCON` errro. I think `translate_msg()` caller should provide a hint to indicate whether we deal with connected (or un-connected) socket. For connected sockets the peer's name should not be set/filled by `translate_msg()`. On the other hand if socket is un-connected, then `translate_msg()` must populate `->msg_name` and `->msg_namelen` members. The caller can use `getpeername(2)` to see if socket is connected. If `getpeername()` succeeds then we must be dealing with connected socket and `translate_msg()` must not set `->msg_name` and `->msg_namelen` members. If `getpeername(2)` fails, then `translate_msg()` must provide peer's name (destination address) in `->msg_name` and set `->msg_namelen` accordingly. The propposed fix introduces `is_connected()` function, which applies `getpeername()` to socket bound to `BIO` instance. The `dgram_sendmmsg()` uses `is_connected()` as a hint for `translate_msg()` function, so msghdr gets initialized with respect to socket state. The change also modifies existing `test/quic_client_test.c` so it also covers the case of connected socket. To keep things simple we can introduce optional argument `connect_first` to `./quic_client_test` function. Without `connect_first` the test run as usual. With `connect_first` the test creates and connects socket first. Then it passes such socket to `BIO` sub-system to perform `QUIC` connect test as usual. Fixes #23251 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23396) | 16 April 2024, 14:36:57 UTC |
4ffef97 | Richard Levitte | 08 April 2024, 13:14:40 UTC | doc/fingerprints.txt: Add the future OpenSSL release key This will be used for future releases Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24063) | 16 April 2024, 14:18:21 UTC |
a02077d | Richard Levitte | 12 April 2024, 08:03:21 UTC | crypto/threads_pthread.c: refactor all atomics fallbacks for type safety The atomics fallbacks were using 'void *' as a generic transport for all possible scalar and pointer types, with the hypothesis that a pointer is as large as the largest possible scalar type that we would use. Then enters the use of uint64_t, which is larger than a pointer on any 32-bit system (or any system that has 32-bit pointer configurations). We could of course choose a larger type as a generic transport. However, that only pushes the problem forward in time... and it's still a hack. It's therefore safer to reimplement the fallbacks per type that atomics are used for, and deal with missing per type fallbacks when the need arrises in the future. For test build purposes, the macro USE_ATOMIC_FALLBACKS is introduced. If OpenSSL is configured with '-DUSE_ATOMIC_FALLBACKS', the fallbacks will be used, unconditionally. Fixes #24096 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24123) | 16 April 2024, 07:18:01 UTC |
81f3934 | Richard Levitte | 11 April 2024, 15:10:38 UTC | crypto/threads_pthread.c: Cleanup misaligned preprocessor directives Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24123) | 16 April 2024, 07:18:01 UTC |
3c0bb68 | Neil Horman | 11 April 2024, 20:19:01 UTC | Remove repetitive words Signed-off-by: fanqiaojun <fanqiaojun@yeah.net> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24128) | 16 April 2024, 07:07:05 UTC |
bd73e1e | afshinpir | 28 February 2024, 03:58:03 UTC | Adding missing NULL pointer check CLA: trivial In the provider store API, it is not necessary to provide both open and attach method at the same time and providing at least one of them is enough. Adding some null pointer checks to prevent exceptions in case of not providing both methods at the same time. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23703) | 15 April 2024, 08:29:14 UTC |
993c240 | Tomas Mraz | 11 April 2024, 15:49:53 UTC | list_provider_info(): Fix leak on error Fixes #24110 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24117) | 15 April 2024, 07:09:32 UTC |
d4188f2 | Neil Horman | 11 April 2024, 20:19:01 UTC | Augment README.md in top level to indicate Makefile presence Note that they are available but only meant as a guide to self building, and are not used expressly to build as part of the overall openssl build Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24047) | 12 April 2024, 12:02:20 UTC |
693071c | Neil Horman | 11 April 2024, 19:45:34 UTC | disable http3 demo on windows The external nghttp3 library seems to have a linking issue on windows (several missing symbols). Disable that build in windows for now until its fixed Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24047) | 12 April 2024, 12:02:20 UTC |
6195c08 | Neil Horman | 07 April 2024, 13:12:54 UTC | make addr_len the right sign in sslecho cygwin caught a signedness difference in this pointer. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24047) | 12 April 2024, 12:02:20 UTC |
793a405 | Neil Horman | 07 April 2024, 12:42:51 UTC | Replace getline with fgets in sslecho demo Windows doesn't support getline, so we need to use fgets here Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24047) | 12 April 2024, 12:02:20 UTC |
4ad6e54 | Neil Horman | 06 April 2024, 22:28:57 UTC | dont include unistd.h on windows for sslecho Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24047) | 12 April 2024, 12:02:20 UTC |
3b56cd4 | Neil Horman | 06 April 2024, 20:30:50 UTC | Don't include unistd.h in sconnect for windows The platform doesn't support it Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24047) | 12 April 2024, 12:02:20 UTC |
7acdd77 | Neil Horman | 06 April 2024, 19:01:48 UTC | Fix signal handling in saccept for windows Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24047) | 12 April 2024, 12:02:19 UTC |
f2f13cf | Neil Horman | 06 April 2024, 14:16:50 UTC | Fix warnings found by clang in CI Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24047) | 12 April 2024, 12:02:19 UTC |
44f05de | Neil Horman | 06 April 2024, 03:02:11 UTC | Enable demos in select builds Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24047) | 12 April 2024, 12:02:19 UTC |
7a7fbeb | Neil Horman | 06 April 2024, 02:20:54 UTC | fix all the warnings in our demos and make them enableable Fix up the warnings in the demos and make them configurable with enable-demos Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24047) | 12 April 2024, 12:02:19 UTC |
2000281 | Neil Horman | 05 April 2024, 20:19:01 UTC | Convert demos to primary build system Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24047) | 12 April 2024, 12:02:19 UTC |
875db35 | Tomas Mraz | 11 April 2024, 07:27:47 UTC | ossl_provider_new(): Fix memory leak on error Fixes #24095 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24100) | 12 April 2024, 08:58:38 UTC |
682ed1b | Tomas Mraz | 11 April 2024, 07:40:18 UTC | make_addressPrefix(): Fix a memory leak in error case Fixes #24098 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24102) | 12 April 2024, 08:56:28 UTC |
8e5918f | Neil Horman | 10 April 2024, 12:28:43 UTC | Fix duplicate mutex allocation in threads_win.c Creating an rcu lock does a double allocation of the underlying mutex. Not sure how asan didn't catch this, but we clearly have a duplicate line here Fixes #24085 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24086) | 11 April 2024, 16:22:33 UTC |
491bbb4 | Richard Levitte | 10 April 2024, 08:18:46 UTC | VMS: Move defining _XOPEN_SOURCE and _XOPEN_SOURCE_EXTENDED to config target For all other platforms that need these macros defined, that's how it's done, so we have VMS follow suit. That avoids a crash between in source definitions and command line definitions on some other platforms. Fixes #24075 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24083) (cherry picked from commit 7f04bb065d9d948d049ef1ef1bd4062cb7831392) | 11 April 2024, 11:06:49 UTC |
2fd6c12 | Oleg Bulatov | 09 April 2024, 22:17:35 UTC | crypto/provider_core.c: Allocate activatecnt_lock CRYPTO_atomic_add has a lock as a parameter, which is often ignored, but in some cases (for example, when BROKEN_CLANG_ATOMICS is defined) it is required. There is no easy way to determine if the lock is needed or not. The current logic looks like this: if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS) if defined(__GNUC__) && defined(__ATOMIC_ACQ_REL) && !defined(BROKEN_CLANG_ATOMICS) - It works without the lock, but in general the need for the lock depends on __atomic_is_lock_free results elif defined(__sun) && (defined(__SunOS_5_10) || defined(__SunOS_5_11)) - The lock is not needed (unless ret is NULL, which should never happen?) else - The lock is required endif else - The lock is not needed endif Adding such conditions outside of crypto.h is error-prone, so it is better to always allocate the lock, otherwise CRYPTO_atomic_add may silently fail. Fixes #23376. CLA: trivial Fixes: fc570b2605 ("Avoid taking a write lock in ossl_provider_doall_activated()") Signed-off-by: Oleg Bulatov <oleg@bulatov.me> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24081) | 11 April 2024, 08:07:28 UTC |
8cd3f34 | Hugo Landau | 29 March 2024, 14:51:35 UTC | Change approach to SSL_pending API Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24040) (cherry picked from commit 5a13d35f243be66f6ad914aefe99fb708812dff1) | 10 April 2024, 13:49:00 UTC |
da01235 | Hugo Landau | 28 March 2024, 09:00:13 UTC | QUIC APL: Revise SSL_pending and SSL_has_pending handling for s_client compat Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24040) (cherry picked from commit 7c33eb1e7fd3248ad29c172b5b4c0658a7be3adc) | 10 April 2024, 13:48:35 UTC |
26dd6ba | Hugo Landau | 28 March 2024, 08:58:50 UTC | QUIC QSM: Add function to determine if data is waiting Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24040) (cherry picked from commit 3c2bc702eb9287b84e8584ad427e72da0ab21ec1) | 10 April 2024, 13:48:25 UTC |
60f6968 | Dimitri John Ledkov | 09 April 2024, 01:59:03 UTC | test: fix 20-test_dgst.t to use hexkey Currently 20-test_dgst.t calls a quite bogus command: $ openssl dgst -sha256 -hmac -macopt hexkey:FFFF test/data.bin test/data.bin hexkey:FFFF: No such file or directory HMAC-SHA2-256(test/data.bin)= b6727b7bb251dfa65846e0a8223bdd57d244aa6d7e312cb906d8e21f2dee3a57 HMAC-SHA2-256(test/data.bin)= b6727b7bb251dfa65846e0a8223bdd57d244aa6d7e312cb906d8e21f2dee3a57 805B632D4A730000:error:80000002:system library:file_ctrl:No such file or directory:crypto/bio/bss_file.c:297:calling fopen(hexkey:FFF, r) 805B632D4A730000:error:10080002:BIO routines:file_ctrl:system lib:crypto/bio/bss_file.c:300: Does not check status code, discards stderr, and verifies the checksums as per above. Note that the checksum is for the HMAC key "-macopt", and `hexkey:FFFF` is attempted to be opened as a file. See HMAC values for key `-macopt` and `hexkey:FFFF` using `openssl-mac`: $ openssl mac -digest SHA256 -macopt hexkey:$(printf '%s' '-macopt' | xxd -p -u) -in ./test/data.bin HMAC B6727B7BB251DFA65846E0A8223BDD57D244AA6D7E312CB906D8E21F2DEE3A57 $ openssl mac -digest SHA256 -macopt hexkey:FFFF -in ./test/data.bin HMAC 7C02D4A17D2560A5BB6763EDBF33F3A34F415398F8F2E07F04B83FFD7C087DAE Fix this test case to actually use HMAC with hexkey:FFFF as intended. Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24068) | 10 April 2024, 07:33:56 UTC |
27005ce | Tomas Mraz | 05 April 2024, 14:31:05 UTC | Document that private and pairwise checks are not bounded by key size Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/24049) | 10 April 2024, 07:28:59 UTC |
9fc61ba | Tomas Mraz | 05 April 2024, 14:29:53 UTC | fuzz/decoder.c: Limit the key sizes on which checks are run In particular the DH safe prime check will be limited to 8192 bits and the private and pairwise checks are limited to 16384 bits on any key types. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/24049) | 10 April 2024, 07:28:59 UTC |
c89baf8 | olszomal | 04 April 2024, 09:34:33 UTC | Fix socket descriptor checks on Windows Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24035) | 10 April 2024, 07:25:23 UTC |
15eb7b6 | Dimitri Papadopoulos | 14 February 2024, 09:03:05 UTC | Fix typos found by codespell Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24013) | 10 April 2024, 07:24:15 UTC |
9b87c5a | Hubert Kario | 27 March 2024, 16:44:42 UTC | man EVP_PKEY_CTX_set_params: document params is a list Signed-off-by: Hubert Kario <hkario@redhat.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23986) | 10 April 2024, 07:22:48 UTC |
88c74fe | Tom Cosgrove | 26 March 2024, 13:18:00 UTC | aarch64: fix BTI in bsaes assembly code Change-Id: I63f0fb2af5eb9cea515dec96485325f8efd50511 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/23982) | 10 April 2024, 07:20:12 UTC |
f5b5a35 | Neil Horman | 26 March 2024, 13:59:14 UTC | Ensure proper memory barriers around ossl_rcu_deref/ossl_rcu_assign_ptr Since the addition of macos14 M1 runners in our CI jobs we've been seeing periodic random failures in the test_threads CI job. Specifically we've seen instances in which the shared pointer in the test (which points to a monotonically incrementing uint64_t went backwards. From taking a look at the disassembled code in the failing case, we see that __atomic_load_n when emitted in clang 15 looks like this 0000000100120488 <_ossl_rcu_uptr_deref>: 100120488: f8bfc000 ldapr x0, [x0] 10012048c: d65f03c0 ret Notably, when compiling with gcc on the same system we get this output instead: 0000000100120488 <_ossl_rcu_uptr_deref>: 100120488: f8bfc000 ldar x0, [x0] 10012048c: d65f03c0 ret Checking the arm docs for the difference between ldar and ldapr: https://developer.arm.com/documentation/ddi0602/2023-09/Base-Instructions/LDAPR--Load-Acquire-RCpc-Register- https://developer.arm.com/documentation/dui0802/b/A64-Data-Transfer-Instructions/LDAR It seems that the ldar instruction provides a global cpu fence, not completing until all writes in a given cpus writeback queue have completed Conversely, the ldapr instruction attmpts to achieve performance improvements by honoring the Local Ordering register available in the system coprocessor, only flushing writes in the same address region as other cpus on the system. I believe that on M1 virtualized cpus the ldapr is not properly ordering writes, leading to an out of order read, despite the needed fencing. I've opened an issue with apple on this here: https://developer.apple.com/forums/thread/749530 I believe that it is not safe to issue an ldapr instruction unless the programmer knows that the Local order registers are properly configured for use on the system. So to fix it I'm proposing with this patch that we, in the event that: 1) __APPLE__ is defined AND 2) __clang__ is defined AND 3) __aarch64__ is defined during the build, that we override the ATOMIC_LOAD_N macro in the rcu code such that it uses a custom function with inline assembly to emit the ldar instruction rather than the ldapr instruction. The above conditions should get us to where this is only used on more recent MAC cpus, and only in the case where the affected clang compiler emits the offending instruction. I've run this patch 10 times in our CI and failed to reproduce the issue, whereas previously I could trigger it within 5 runs routinely. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23974) | 10 April 2024, 07:18:07 UTC |
65fe3e8 | Tomas Mraz | 08 April 2024, 15:29:51 UTC | Downgrade also the download-artifact action It has to have the same version as upload-artifact. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24065) | 10 April 2024, 07:10:45 UTC |
309c7ff | Jiasheng Jiang | 25 March 2024, 16:54:55 UTC | ffc/ffc_params_generate.c: Add the check for the EVP_MD_get_size() Add the check for the EVP_MD_get_size() to avoid invalid negative numbers. Fixes: 4f2271d58a ("Add ACVP fips module tests") Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23970) | 09 April 2024, 18:47:47 UTC |
f5fde94 | Jiasheng Jiang | 23 March 2024, 16:09:01 UTC | ts/ts_rsp_sign.c: Add the check for the EVP_MD_CTX_get_size() Add the check for the return value of EVP_MD_CTX_get_size() to avoid invalid negative numbers. Fixes: c7235be6e3 ("RFC 3161 compliant time stamp request creation, response generation and response verification.") Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23960) | 09 April 2024, 18:47:00 UTC |
f4174b6 | Jiasheng Jiang | 22 March 2024, 22:12:50 UTC | signature/dsa_sig.c: Add checks for the EVP_MD_get_size() Add checks for the EVP_MD_get_size() to avoid integer overflow and then explicitly cast from int to size_t. Fixes: 45a845e40b ("Add EVP_DigestSign/EVP_DigestVerify support for DSA") Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23948) | 09 April 2024, 18:45:26 UTC |
df0ee35 | Jiasheng Jiang | 22 March 2024, 20:49:27 UTC | signature/ecdsa_sig.c: Add checks for the EVP_MD_get_size() Add checks for the EVP_MD_get_size() to avoid integer overflow and then explicitly cast from int to size_t. Fixes: edd3b7a309 ("Add ECDSA to providers") Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23947) | 09 April 2024, 18:44:17 UTC |
4feb4a2 | Neil Horman | 19 March 2024, 08:52:57 UTC | Add docs noting requirements for SM2 signing Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23887) | 09 April 2024, 18:41:15 UTC |
d6a8ade | Neil Horman | 18 March 2024, 18:59:32 UTC | Add check for public key presence on sm2 signing SM2 requires that the public EC_POINT be present in a key when signing. If its not there we crash on a NULL pointer. Add a check to ensure that its present, and raise an error if its not Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23887) | 09 April 2024, 18:38:58 UTC |
beb8217 | Jiasheng Jiang | 16 March 2024, 21:27:14 UTC | APPS: Add missing OPENSSL_free() and combine the error handler Add the OPENSSL_free() in the error handler to release the "*md_value" allocated by app_malloc(). To make the code clear and avoid possible future errors, combine the error handler in the "err" tag. Then, we only need to use "goto err" instead of releasing the memory separately. Since the EVP_MD_get_size() may return negative numbers when an error occurs, create_query() may fail to catch the error since it only considers 0 as an error code. Therefore, unifying the error codes of create_digest() from non-positive numbers to 0 is better, which also benefits future programming. Fixes: c7235be ("RFC 3161 compliant time stamp request creation, response generation and response verification.") Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/23873) | 09 April 2024, 18:34:50 UTC |
b3be6cc | Tom Cosgrove | 26 February 2024, 17:14:48 UTC | Fix "Error finalizing cipher loop" when running openssl speed -evp -decrypt When using CCM, openssl speed uses the loop function EVP_Update_loop_ccm() which sets a (fake) tag when decrypting. When using -aead (which benchmarks a different sequence than normal, to be comparable to TLS operation), the loop function EVP_Update_loop_aead() is used, which also sets a tag when decrypting. However, when using defaults, the loop function EVP_Update_loop() is used, which does not set a tag on decryption, leading to "Error finalizing cipher loop". To fix this, set a fake tag value if we're doing decryption on an AEAD cipher in EVP_Update_loop(). We don't check the return value: this shouldn't really be able to fail, and if it does, the following EVP_DecryptUpdate() is almost certain to fail, so that can catch it. The decryption is certain to fail (well, almost certain, but with a very low probability of success), but this is no worse than at present. This minimal change means that future benchmarking data should be comparable to previous benchmarking data. (This is benchmarking code: don't write real apps like this!) Fixes #23657 Change-Id: Id581cf30503c1eb766464e315b1f33914040dcf7 Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23757) | 09 April 2024, 18:27:39 UTC |
6b56668 | Todd Short | 02 February 2024, 04:09:38 UTC | Fix EVP_PKEY_CTX_add1_hkdf_info() behavior Fix #23448 `EVP_PKEY_CTX_add1_hkdf_info()` behaves like a `set1` function. Fix the setting of the parameter in the params code. Update the TLS_PRF code to also use the params code. Add tests. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23456) | 09 April 2024, 18:19:07 UTC |
56e4d11 | slontis | 02 December 2023, 23:09:46 UTC | Add demo for ECDH key exchange Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22916) | 09 April 2024, 18:15:31 UTC |
8120223 | Stephan Wurm | 09 August 2023, 07:07:46 UTC | apps: ca,req,x509: Add explicit start and end dates options - Added options `-not_before` (start date) and `-not-after` (end date) for explicit setting of the validity period of a certificate in the apps `ca`, `req` and `x509` - The new options accept time strings or "today" - In app `ca`, use the new options as aliases of the already existing options `-startdate` and `-enddate` - When used in apps `req` and `x509`, the end date must be >= the start date, in app `ca` end date < start date is also accepted - In any case, `-not-after` overrides the `-days` option - Added helper function `check_cert_time_string` to validate given certificate time strings - Use the new helper function in apps `ca`, `req` and `x509` - Moved redundant code for time string checking into `set_cert_times` helper function. - Added tests for explicit start and end dates in apps `req` and `x509` - test: Added auxiliary functions for parsing fields from `-text` formatted output to `tconversion.pl` - CHANGES: Added to new section 3.4 Signed-off-by: Stephan Wurm <atomisirsi@gsklan.de> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21716) | 09 April 2024, 18:13:31 UTC |
4514e02 | slontis | 08 April 2024, 07:12:58 UTC | Check range of RSA plaintext and ciphertext when using no padding. Fixes #24051 RSA with 'no padding' corresponds to RSAEP/RSADP. The code was not checking the lower bounds. The bounds are specified in SP800-56Br2, section 7.1.1.1 and 7.1.2.1 Note that RFC8017 expresses the range in a sentence using the word between, and there is some ambiguity in this. The upper bounds have change to match the definition in SP800. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24061) | 09 April 2024, 12:30:43 UTC |
496bc12 | Matt Caswell | 29 March 2024, 14:05:51 UTC | Copyright year updates Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes (cherry picked from commit 3764f200f9d44622faa8ac1b15d2f3eb7c39e473) Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24034) | 09 April 2024, 11:43:27 UTC |
b646179 | Richard Levitte | 20 March 2024, 12:07:54 UTC | Copyright year updates Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes (cherry picked from commit 0ce7d1f355c1240653e320a3f6f8109c1f05f8c0) Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24034) | 09 April 2024, 11:43:26 UTC |
111a8fd | Tomas Mraz | 04 April 2024, 09:08:19 UTC | Sync libcrypto.num and libssl.num with 3.3 branch Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24034) | 09 April 2024, 11:43:26 UTC |
eb33768 | Tomas Mraz | 04 April 2024, 09:06:53 UTC | Sync CHANGES.md and NEWS.md with 3.3 branch Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24034) | 09 April 2024, 11:43:26 UTC |
6497059 | Tomas Mraz | 04 April 2024, 08:57:43 UTC | Update the version to 3.4.0-dev Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24034) | 09 April 2024, 11:43:26 UTC |
4a3e8f0 | Matt Caswell | 15 July 2022, 12:26:33 UTC | Add a test for session cache overflow Test sessions behave as we expect even in the case that an overflow occurs when adding a new session into the session cache. Related to CVE-2024-2511 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24042) | 08 April 2024, 10:06:25 UTC |
21df7f0 | Matt Caswell | 15 March 2024, 17:58:42 UTC | Hardening around not_resumable sessions Make sure we can't inadvertently use a not_resumable session Related to CVE-2024-2511 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24042) | 08 April 2024, 10:06:25 UTC |
03c4b0e | Matt Caswell | 05 March 2024, 16:01:20 UTC | Add a CHANGES.md/NEWS.md entry for the unbounded memory growth bug Related to CVE-2024-2511 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24042) | 08 April 2024, 10:06:25 UTC |
7984fa6 | Matt Caswell | 05 March 2024, 15:43:53 UTC | Fix unconstrained session cache growth in TLSv1.3 In TLSv1.3 we create a new session object for each ticket that we send. We do this by duplicating the original session. If SSL_OP_NO_TICKET is in use then the new session will be added to the session cache. However, if early data is not in use (and therefore anti-replay protection is being used), then multiple threads could be resuming from the same session simultaneously. If this happens and a problem occurs on one of the threads, then the original session object could be marked as not_resumable. When we duplicate the session object this not_resumable status gets copied into the new session object. The new session object is then added to the session cache even though it is not_resumable. Subsequently, another bug means that the session_id_length is set to 0 for sessions that are marked as not_resumable - even though that session is still in the cache. Once this happens the session can never be removed from the cache. When that object gets to be the session cache tail object the cache never shrinks again and grows indefinitely. CVE-2024-2511 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24042) | 08 April 2024, 10:06:25 UTC |
cfeaf33 | Matt Caswell | 05 March 2024, 15:35:51 UTC | Extend the multi_resume test for simultaneous resumptions Test what happens if the same session gets resumed multiple times at the same time - and one of them gets marked as not_resumable. Related to CVE-2024-2511 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24042) | 08 April 2024, 10:06:25 UTC |
0447cd6 | Matt Caswell | 04 March 2024, 13:45:23 UTC | Add a test for session cache handling Repeatedly create sessions to be added to the cache and ensure we never exceed the expected size. Related to CVE-2024-2511 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24042) | 08 April 2024, 10:06:04 UTC |
e7f1afe | Jiangning Liu | 21 March 2024, 23:52:28 UTC | Enable SHA3 unrolling and EOR3 optimization for Ampere Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23929) | 08 April 2024, 09:54:29 UTC |
0d2a5f6 | Randall S. Becker | 30 March 2024, 22:28:02 UTC | NonStop: Do not call sleep() with a 0 value This change ensures that sleep(0) is not invoked to cause unexpected duplicate thread context switches when _REENTRANT is specified. Fixes: #24009 Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24012) (cherry picked from commit c89fe574493f438dd0e94bb9a89227e4ca84c0b7) | 05 April 2024, 14:07:47 UTC |
a19553c | Richard Levitte | 30 March 2024, 11:52:50 UTC | Diverse small VMS build fixups Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24008) (cherry picked from commit 1a4b029af51ba6128a37959796381ca5b8b7ac00) | 04 April 2024, 16:16:05 UTC |
0892716 | Dmitry Misharov | 03 April 2024, 11:47:39 UTC | downgrade upload-artifact action to v3 GitHub Enterpise Server is not compatible with upload-artifact@v4+. https://github.com/actions/upload-artifact/tree/v4 Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24029) | 04 April 2024, 15:48:43 UTC |
a16f2e7 | Tomas Mraz | 02 April 2024, 16:47:26 UTC | openssl-crl(1): The -verify option is implied by -CA* options Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/24024) | 04 April 2024, 15:45:26 UTC |
e898c36 | Tomas Mraz | 02 April 2024, 14:43:27 UTC | DEFINE_STACK_OF.pod: Fix prototypes of sk_TYPE_free/zero() They take non-const STACK_OF(TYPE)* argument. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24023) | 04 April 2024, 08:46:51 UTC |
84756fe | Kurt Roeckx | 20 March 2024, 09:00:42 UTC | Fix syntax of dependabot.yml Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23899) | 04 April 2024, 06:47:08 UTC |
9aad59c | Warner Losh | 18 March 2024, 18:23:08 UTC | posix_async: FreeBSD also defines {make|swap|get|set}context FreeBSD also defines {make|swap|get|set}context for backward compatibility, despite also exposing POSIX_VERSION 200809L in FreeBSD 15-current. Note: There's no fallback for POSIX_VERSION 200809 without these routines, so maybe that should be a #error? CLA: Trivial Sponsored by: Netflix Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23885) | 04 April 2024, 06:45:13 UTC |
de8e79e | Tomas Mraz | 15 March 2024, 16:18:46 UTC | Add design document about handing some MAX defines Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/23883) | 04 April 2024, 06:43:53 UTC |
e817766 | slontis | 18 March 2024, 00:46:12 UTC | Add 'documentation policy' link to CONTRIBUTING guide. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23875) | 04 April 2024, 06:41:40 UTC |
5e908e6 | slontis | 14 March 2024, 05:11:40 UTC | Update Documentation for EVP_DigestSign, EVP_DigestVerify. Fixes #23075 In OpenSSL 3.2 EVP_DigestSign and EVP_DigestVerify were changed so that a flag is set once these functions do a one-shot sign or verify operation. This PR updates the documentation to match the behaviour. Investigations showed that prior to 3.2 different key type behaved differently if multiple calls were done. By accident X25519 and X448 would produce the same signature, but ECDSA and RSA remembered the digest state between calls, so the signature was different when multiple calls were done. Because of this undefined behaviour something needed to be done, so keeping the 'only allow it to be called once' behaviour seems a reasonable approach. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23834) | 04 April 2024, 06:39:38 UTC |
2410cb4 | Job Snijders | 27 February 2024, 19:14:32 UTC | Align 'openssl req' string_mask docs to how the software really works Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23699) | 04 April 2024, 06:35:41 UTC |
5962c71 | willmafh | 24 February 2024, 09:34:25 UTC | typo fix CLA: trivial Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23675) | 04 April 2024, 06:34:17 UTC |