https://github.com/openssl/openssl
- HEAD
- refs/heads/OpenSSL-engine-0_9_6-stable
- refs/heads/OpenSSL-fips-0_9_7-stable
- refs/heads/OpenSSL-fips-0_9_8-stable
- refs/heads/OpenSSL-fips-1_2-stable
- refs/heads/OpenSSL-fips-2_0-dev
- refs/heads/OpenSSL-fips-2_0-stable
- refs/heads/OpenSSL-fips2-0_9_7-stable
- refs/heads/OpenSSL_0_9_6-stable
- refs/heads/OpenSSL_0_9_7-stable
- refs/heads/OpenSSL_0_9_8-stable
- refs/heads/OpenSSL_0_9_8fg-stable
- refs/heads/OpenSSL_1_0_0-stable
- refs/heads/OpenSSL_1_0_1-stable
- refs/heads/OpenSSL_1_0_2-stable
- refs/heads/OpenSSL_1_1_0-stable
- refs/heads/OpenSSL_1_1_1-stable
- refs/heads/SSLeay
- refs/heads/feature/dtls-1.3
- refs/heads/feature/ech
- refs/heads/feature/quic-server
- refs/heads/master
- refs/heads/openssl-3.0
- refs/heads/openssl-3.1
- refs/heads/openssl-3.2
- refs/heads/openssl-3.3
- refs/heads/tls1.3-draft-18
- refs/heads/tls1.3-draft-19
- refs/tags/AFTER_COMPAQ_PATCH
- refs/tags/BEFORE_COMPAQ_PATCH
- refs/tags/BEFORE_engine
- refs/tags/BEN_FIPS_TEST_1
- refs/tags/BEN_FIPS_TEST_2
- refs/tags/BEN_FIPS_TEST_3
- refs/tags/BEN_FIPS_TEST_4
- refs/tags/BEN_FIPS_TEST_5
- refs/tags/BEN_FIPS_TEST_6
- refs/tags/BEN_FIPS_TEST_7
- refs/tags/BEN_FIPS_TEST_8
- refs/tags/FIPS_098_TEST_1
- refs/tags/FIPS_098_TEST_2
- refs/tags/FIPS_098_TEST_3
- refs/tags/FIPS_098_TEST_4
- refs/tags/FIPS_098_TEST_5
- refs/tags/FIPS_098_TEST_6
- refs/tags/FIPS_098_TEST_7
- refs/tags/FIPS_098_TEST_8
- refs/tags/FIPS_TEST_10
- refs/tags/FIPS_TEST_9
- refs/tags/LEVITTE_after_const
- refs/tags/LEVITTE_before_const
- refs/tags/OpenSSL-engine-0_9_6
- refs/tags/OpenSSL-engine-0_9_6-beta1
- refs/tags/OpenSSL-engine-0_9_6-beta2
- refs/tags/OpenSSL-engine-0_9_6-beta3
- refs/tags/OpenSSL-engine-0_9_6a
- refs/tags/OpenSSL-engine-0_9_6a-beta1
- refs/tags/OpenSSL-engine-0_9_6a-beta2
- refs/tags/OpenSSL-engine-0_9_6a-beta3
- refs/tags/OpenSSL-engine-0_9_6b
- refs/tags/OpenSSL-engine-0_9_6c
- refs/tags/OpenSSL-engine-0_9_6d
- refs/tags/OpenSSL-engine-0_9_6d-beta1
- refs/tags/OpenSSL-engine-0_9_6e
- refs/tags/OpenSSL-engine-0_9_6f
- refs/tags/OpenSSL-engine-0_9_6g
- refs/tags/OpenSSL-engine-0_9_6h
- refs/tags/OpenSSL-engine-0_9_6i
- refs/tags/OpenSSL-engine-0_9_6j
- refs/tags/OpenSSL-engine-0_9_6k
- refs/tags/OpenSSL-engine-0_9_6l
- refs/tags/OpenSSL-engine-0_9_6m
- refs/tags/OpenSSL-fips-1_2_0
- refs/tags/OpenSSL-fips-1_2_1
- refs/tags/OpenSSL-fips-1_2_2
- refs/tags/OpenSSL-fips-1_2_3
- refs/tags/OpenSSL-fips-2_0
- refs/tags/OpenSSL-fips-2_0-pl1
- refs/tags/OpenSSL-fips-2_0-rc1
- refs/tags/OpenSSL-fips-2_0-rc2
- refs/tags/OpenSSL-fips-2_0-rc3
- refs/tags/OpenSSL-fips-2_0-rc4
- refs/tags/OpenSSL-fips-2_0-rc5
- refs/tags/OpenSSL-fips-2_0-rc6
- refs/tags/OpenSSL-fips-2_0-rc7
- refs/tags/OpenSSL-fips-2_0-rc8
- refs/tags/OpenSSL-fips-2_0-rc9
- refs/tags/OpenSSL-fips-2_0_1
- refs/tags/OpenSSL_0_9_1c
- refs/tags/OpenSSL_0_9_2b
- refs/tags/OpenSSL_0_9_3
- refs/tags/OpenSSL_0_9_3a
- refs/tags/OpenSSL_0_9_3beta1
- refs/tags/OpenSSL_0_9_3beta2
- refs/tags/OpenSSL_0_9_4
- refs/tags/OpenSSL_0_9_5
- refs/tags/OpenSSL_0_9_5a
- refs/tags/OpenSSL_0_9_5a-beta1
- refs/tags/OpenSSL_0_9_5a-beta2
- refs/tags/OpenSSL_0_9_5beta1
- refs/tags/OpenSSL_0_9_5beta2
- refs/tags/OpenSSL_0_9_6
- refs/tags/OpenSSL_0_9_6-beta1
- refs/tags/OpenSSL_0_9_6-beta2
- refs/tags/OpenSSL_0_9_6-beta3
- refs/tags/OpenSSL_0_9_6a
- refs/tags/OpenSSL_0_9_6a-beta1
- refs/tags/OpenSSL_0_9_6a-beta2
- refs/tags/OpenSSL_0_9_6a-beta3
- refs/tags/OpenSSL_0_9_6b
- refs/tags/OpenSSL_0_9_6c
- refs/tags/OpenSSL_0_9_6d
- refs/tags/OpenSSL_0_9_6d-beta1
- refs/tags/OpenSSL_0_9_6e
- refs/tags/OpenSSL_0_9_6f
- refs/tags/OpenSSL_0_9_6g
- refs/tags/OpenSSL_0_9_6h
- refs/tags/OpenSSL_0_9_6i
- refs/tags/OpenSSL_0_9_6j
- refs/tags/OpenSSL_0_9_6k
- refs/tags/OpenSSL_0_9_6l
- refs/tags/OpenSSL_0_9_6m
- refs/tags/OpenSSL_0_9_7
- refs/tags/OpenSSL_0_9_7-beta1
- refs/tags/OpenSSL_0_9_7-beta2
- refs/tags/OpenSSL_0_9_7-beta3
- refs/tags/OpenSSL_0_9_7-beta4
- refs/tags/OpenSSL_0_9_7-beta5
- refs/tags/OpenSSL_0_9_7-beta6
- refs/tags/OpenSSL_0_9_7a
- refs/tags/OpenSSL_0_9_7b
- refs/tags/OpenSSL_0_9_7c
- refs/tags/OpenSSL_0_9_7d
- refs/tags/OpenSSL_0_9_7e
- refs/tags/OpenSSL_0_9_7f
- refs/tags/OpenSSL_0_9_7g
- refs/tags/OpenSSL_0_9_7h
- refs/tags/OpenSSL_0_9_7i
- refs/tags/OpenSSL_0_9_7j
- refs/tags/OpenSSL_0_9_7k
- refs/tags/OpenSSL_0_9_7l
- refs/tags/OpenSSL_0_9_7m
- refs/tags/OpenSSL_0_9_8
- refs/tags/OpenSSL_0_9_8-beta1
- refs/tags/OpenSSL_0_9_8-beta2
- refs/tags/OpenSSL_0_9_8-beta3
- refs/tags/OpenSSL_0_9_8-beta4
- refs/tags/OpenSSL_0_9_8-beta5
- refs/tags/OpenSSL_0_9_8-beta6
- refs/tags/OpenSSL_0_9_8a
- refs/tags/OpenSSL_0_9_8b
- refs/tags/OpenSSL_0_9_8c
- refs/tags/OpenSSL_0_9_8d
- refs/tags/OpenSSL_0_9_8e
- refs/tags/OpenSSL_0_9_8f
- refs/tags/OpenSSL_0_9_8g
- refs/tags/OpenSSL_0_9_8h
- refs/tags/OpenSSL_0_9_8i
- refs/tags/OpenSSL_0_9_8j
- refs/tags/OpenSSL_0_9_8k
- refs/tags/OpenSSL_0_9_8l
- refs/tags/OpenSSL_0_9_8m
- refs/tags/OpenSSL_0_9_8m-beta1
- refs/tags/OpenSSL_0_9_8n
- refs/tags/OpenSSL_0_9_8o
- refs/tags/OpenSSL_0_9_8p
- refs/tags/OpenSSL_0_9_8q
- refs/tags/OpenSSL_0_9_8r
- refs/tags/OpenSSL_0_9_8s
- refs/tags/OpenSSL_0_9_8t
- refs/tags/OpenSSL_0_9_8u
- refs/tags/OpenSSL_0_9_8v
- refs/tags/OpenSSL_0_9_8w
- refs/tags/OpenSSL_0_9_8x
- refs/tags/OpenSSL_1_0_0
- refs/tags/OpenSSL_1_0_0-beta1
- refs/tags/OpenSSL_1_0_0-beta2
- refs/tags/OpenSSL_1_0_0-beta3
- refs/tags/OpenSSL_1_0_0-beta4
- refs/tags/OpenSSL_1_0_0-beta5
- refs/tags/OpenSSL_1_0_0a
- refs/tags/OpenSSL_1_0_0b
- refs/tags/OpenSSL_1_0_0c
- refs/tags/OpenSSL_1_0_0d
- refs/tags/OpenSSL_1_0_0e
- refs/tags/OpenSSL_1_0_0f
- refs/tags/OpenSSL_1_0_0g
- refs/tags/OpenSSL_1_0_0h
- refs/tags/OpenSSL_1_0_0i
- refs/tags/OpenSSL_1_0_0j
- refs/tags/OpenSSL_1_0_1
- refs/tags/OpenSSL_1_0_1-beta1
- refs/tags/OpenSSL_1_0_1-beta2
- refs/tags/OpenSSL_1_0_1-beta3
- refs/tags/OpenSSL_1_0_1a
- refs/tags/OpenSSL_1_0_1b
- refs/tags/OpenSSL_1_0_1c
- refs/tags/OpenSSL_FIPS_1_0
- refs/tags/SSLeay_0_8_1b
- refs/tags/SSLeay_0_9_0b
- refs/tags/SSLeay_0_9_1b
- refs/tags/STATE_after_zlib
- refs/tags/STATE_before_zlib
- refs/tags/rsaref
- openssl-3.3.1
- openssl-3.3.0-beta1
- openssl-3.3.0-alpha1
- openssl-3.3.0
- openssl-3.2.2
- openssl-3.2.1
- openssl-3.2.0-beta1
- openssl-3.2.0-alpha2
- openssl-3.2.0-alpha1
- openssl-3.2.0
- openssl-3.1.6
- openssl-3.1.5
- openssl-3.1.4
- openssl-3.1.3
- openssl-3.1.2
- openssl-3.1.1
- openssl-3.1.0-beta1
- openssl-3.1.0-alpha1
- openssl-3.1.0
- openssl-3.0.9
- openssl-3.0.8
- openssl-3.0.7
- openssl-3.0.6
- openssl-3.0.5
- openssl-3.0.4
- openssl-3.0.3
- openssl-3.0.2
- openssl-3.0.14
- openssl-3.0.13
- openssl-3.0.12
- openssl-3.0.11
- openssl-3.0.10
- openssl-3.0.1
- openssl-3.0.0-beta2
- openssl-3.0.0-beta1
- openssl-3.0.0-alpha9
- openssl-3.0.0-alpha8
- openssl-3.0.0-alpha7
- openssl-3.0.0-alpha6
- openssl-3.0.0-alpha5
- openssl-3.0.0-alpha4
- openssl-3.0.0-alpha3
- openssl-3.0.0-alpha2
- openssl-3.0.0-alpha17
- openssl-3.0.0-alpha16
- openssl-3.0.0-alpha15
- openssl-3.0.0-alpha14
- openssl-3.0.0-alpha13
- openssl-3.0.0-alpha12
- openssl-3.0.0-alpha11
- openssl-3.0.0-alpha10
- openssl-3.0.0-alpha1
- openssl-3.0.0
- master-pre-reformat
- master-pre-auto-reformat
- master-post-reformat
- master-post-auto-reformat
- OpenSSL_1_1_1w
- OpenSSL_1_1_1v
- OpenSSL_1_1_1u
- OpenSSL_1_1_1t
- OpenSSL_1_1_1s
- OpenSSL_1_1_1r
- OpenSSL_1_1_1q
- OpenSSL_1_1_1p
- OpenSSL_1_1_1o
- OpenSSL_1_1_1n
- OpenSSL_1_1_1m
- OpenSSL_1_1_1l
- OpenSSL_1_1_1k
- OpenSSL_1_1_1j
- OpenSSL_1_1_1i
- OpenSSL_1_1_1h
- OpenSSL_1_1_1g
- OpenSSL_1_1_1f
- OpenSSL_1_1_1e
- OpenSSL_1_1_1d
- OpenSSL_1_1_1c
- OpenSSL_1_1_1b
- OpenSSL_1_1_1a
- OpenSSL_1_1_1-pre9
- OpenSSL_1_1_1-pre8
- OpenSSL_1_1_1-pre7
- OpenSSL_1_1_1-pre6
- OpenSSL_1_1_1-pre5
- OpenSSL_1_1_1-pre4
- OpenSSL_1_1_1-pre3
- OpenSSL_1_1_1-pre2
- OpenSSL_1_1_1-pre1
- OpenSSL_1_1_1
- OpenSSL_1_1_0l
- OpenSSL_1_1_0k
- OpenSSL_1_1_0j
- OpenSSL_1_1_0i
- OpenSSL_1_1_0h
- OpenSSL_1_1_0g
- OpenSSL_1_1_0f
- OpenSSL_1_1_0e
- OpenSSL_1_1_0d
- OpenSSL_1_1_0c
- OpenSSL_1_1_0b
- OpenSSL_1_1_0a
- OpenSSL_1_1_0-pre6
- OpenSSL_1_1_0-pre5
- OpenSSL_1_1_0-pre4
- OpenSSL_1_1_0-pre3
- OpenSSL_1_1_0-pre2
- OpenSSL_1_1_0-pre1
- OpenSSL_1_1_0
- OpenSSL_1_0_2u
- OpenSSL_1_0_2t
- OpenSSL_1_0_2s
- OpenSSL_1_0_2r
- OpenSSL_1_0_2q
- OpenSSL_1_0_2p
- OpenSSL_1_0_2o
- OpenSSL_1_0_2n
- OpenSSL_1_0_2m
- OpenSSL_1_0_2l
- OpenSSL_1_0_2k
- OpenSSL_1_0_2j
- OpenSSL_1_0_2i
- OpenSSL_1_0_2h
- OpenSSL_1_0_2g
- OpenSSL_1_0_2f
- OpenSSL_1_0_2e
- OpenSSL_1_0_2d
- OpenSSL_1_0_2c
- OpenSSL_1_0_2b
- OpenSSL_1_0_2a
- OpenSSL_1_0_2-pre-reformat
- OpenSSL_1_0_2-pre-auto-reformat
- OpenSSL_1_0_2-post-reformat
- OpenSSL_1_0_2-post-auto-reformat
- OpenSSL_1_0_2-beta3
- OpenSSL_1_0_2-beta2
- OpenSSL_1_0_2-beta1
- OpenSSL_1_0_2
- OpenSSL_1_0_1u
- OpenSSL_1_0_1t
- OpenSSL_1_0_1s
- OpenSSL_1_0_1r
- OpenSSL_1_0_1q
- OpenSSL_1_0_1p
- OpenSSL_1_0_1o
- OpenSSL_1_0_1n
- OpenSSL_1_0_1m
- OpenSSL_1_0_1l
- OpenSSL_1_0_1k
- OpenSSL_1_0_1j
- OpenSSL_1_0_1i
- OpenSSL_1_0_1h
- OpenSSL_1_0_1g
- OpenSSL_1_0_1f
- OpenSSL_1_0_1e
- OpenSSL_1_0_1d
- OpenSSL_1_0_1-pre-reformat
- OpenSSL_1_0_1-pre-auto-reformat
- OpenSSL_1_0_1-post-reformat
- OpenSSL_1_0_1-post-auto-reformat
- OpenSSL_1_0_0t
- OpenSSL_1_0_0s
- OpenSSL_1_0_0r
- OpenSSL_1_0_0q
- OpenSSL_1_0_0p
- OpenSSL_1_0_0o
- OpenSSL_1_0_0n
- OpenSSL_1_0_0m
- OpenSSL_1_0_0l
- OpenSSL_1_0_0k
- OpenSSL_1_0_0-pre-reformat
- OpenSSL_1_0_0-pre-auto-reformat
- OpenSSL_1_0_0-post-reformat
- OpenSSL_1_0_0-post-auto-reformat
- OpenSSL_0_9_8zh
- OpenSSL_0_9_8zg
- OpenSSL_0_9_8zf
- OpenSSL_0_9_8ze
- OpenSSL_0_9_8zd
- OpenSSL_0_9_8zc
- OpenSSL_0_9_8zb
- OpenSSL_0_9_8za
- OpenSSL_0_9_8y
- OpenSSL_0_9_8-pre-reformat
- OpenSSL_0_9_8-pre-auto-reformat
- OpenSSL_0_9_8-post-reformat
- OpenSSL_0_9_8-post-auto-reformat
- OpenSSL-fips-2_0_9
- OpenSSL-fips-2_0_8
- OpenSSL-fips-2_0_7
- OpenSSL-fips-2_0_6
- OpenSSL-fips-2_0_5
- OpenSSL-fips-2_0_4
- OpenSSL-fips-2_0_3
- OpenSSL-fips-2_0_2
- OpenSSL-fips-2_0_16
- OpenSSL-fips-2_0_15
- OpenSSL-fips-2_0_14
- OpenSSL-fips-2_0_13
- OpenSSL-fips-2_0_12
- OpenSSL-fips-2_0_11
- OpenSSL-fips-2_0_10
Take a new snapshot of a software origin
If the archived software origin currently browsed is not synchronized with its upstream version (for instance when new commits have been issued), you can explicitly request Software Heritage to take a new snapshot of it.
Use the form below to proceed. Once a request has been submitted and accepted, it will be processed as soon as possible. You can then check its processing state by visiting this dedicated page.
Processing "take a new snapshot" request ...
Permalinks
To reference or cite the objects present in the Software Heritage archive, permalinks based on SoftWare Hash IDentifiers (SWHIDs) must be used.
Select below a type of object currently browsed in order to display its associated SWHID and permalink.
| Revision | Author | Date | Message | Commit Date |
|---|---|---|---|---|
| 99e6624 | Matt Caswell | 30 January 2024, 13:22:11 UTC | Prepare for release of 3.1.5 Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes | 30 January 2024, 13:22:11 UTC |
| bb57e3b | Matt Caswell | 30 January 2024, 13:22:11 UTC | make update Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes | 30 January 2024, 13:22:11 UTC |
| 31625a6 | Matt Caswell | 30 January 2024, 13:20:46 UTC | Copyright year updates Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes | 30 January 2024, 13:20:46 UTC |
| 6782406 | Matt Caswell | 29 January 2024, 16:19:24 UTC | Update CHANGES.md and NEWS.md for new release Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes (Merged from https://github.com/openssl/openssl/pull/23423) | 30 January 2024, 12:57:51 UTC |
| 024731b | Richard Levitte | 23 January 2024, 12:17:31 UTC | Have OSSL_PARAM_allocate_from_text() fail on odd number of hex digits The failure would be caught later on, so this went unnoticed, until someone tried with just one hex digit, which was simply ignored. Fixes #23373 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23374) (cherry picked from commit ea6268cfceaba24328d66bd14bfc97c4fac14a58) | 25 January 2024, 15:37:43 UTC |
| febb086 | Matt Caswell | 19 January 2024, 14:32:18 UTC | Add some tests for various PKCS12 files with NULL ContentInfo PKCS7 ContentInfo fields held within a PKCS12 file can be NULL, even if the type has been set to a valid value. CVE-2024-0727 is a result of OpenSSL attempting to dereference the NULL pointer as a result of this. We add test for various instances of this problem. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23362) | 25 January 2024, 15:31:57 UTC |
| d135eea | Matt Caswell | 19 January 2024, 11:28:58 UTC | Add NULL checks where ContentInfo data can be NULL PKCS12 structures contain PKCS7 ContentInfo fields. These fields are optional and can be NULL even if the "type" is a valid value. OpenSSL was not properly accounting for this and a NULL dereference can occur causing a crash. CVE-2024-0727 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23362) | 25 January 2024, 15:31:57 UTC |
| 9601413 | Bernd Edlinger | 22 January 2024, 15:02:59 UTC | Fix a possible memory leak in req_main if the private key is output to stdout using the HARNESS_OSSL_PREFIX, out is a stack of BIOs and must therefore free'd using BIO_free_all. Steps to reproduce: $ HARNESS_OSSL_PREFIX=x OPENSSL_CONF=apps/openssl.cnf util/shlib_wrap.sh apps/openssl req -new -keyout - -passout pass: </dev/null [...] Direct leak of 128 byte(s) in 1 object(s) allocated from: #0 0x7f6f692b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69 #1 0x7f6f686eda00 in CRYPTO_malloc crypto/mem.c:202 #2 0x7f6f686edba0 in CRYPTO_zalloc crypto/mem.c:222 #3 0x7f6f68471bdf in BIO_new_ex crypto/bio/bio_lib.c:83 #4 0x7f6f68491a8f in BIO_new_fp crypto/bio/bss_file.c:95 #5 0x555c5f58b378 in dup_bio_out apps/lib/apps.c:3014 #6 0x555c5f58f9ac in bio_open_default_ apps/lib/apps.c:3175 #7 0x555c5f58f9ac in bio_open_default apps/lib/apps.c:3203 #8 0x555c5f528537 in req_main apps/req.c:683 #9 0x555c5f50e315 in do_cmd apps/openssl.c:426 #10 0x555c5f4c5575 in main apps/openssl.c:307 #11 0x7f6f680461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 SUMMARY: AddressSanitizer: 128 byte(s) leaked in 1 allocation(s). Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23365) (cherry picked from commit ff78d94b131d7bb3b761509d3ce0dd864b1420e3) | 24 January 2024, 10:55:04 UTC |
| d39776d | Tomas Mraz | 08 January 2024, 13:13:49 UTC | ci.yml: Replace actions-rs/toolchain@v1 with dtolnay/rust-toolchain actions-rs/toolchain is unmaintained and generates warnings Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23232) (cherry picked from commit cd5911a6b300453eefb4b6d9d797c9d1cdefb956) | 23 January 2024, 17:22:34 UTC |
| cf00085 | Tomas Mraz | 19 January 2024, 09:59:03 UTC | tlsfuzzer.sh: Use python3 Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/23342) (cherry picked from commit 15f479e25f9591a2749fabb436dcdfb9304c5c7b) | 23 January 2024, 17:10:31 UTC |
| b8405af | Tomas Mraz | 18 January 2024, 15:32:33 UTC | tlsfuzzer.sh: Make it more informative on errors Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/23342) (cherry picked from commit 825b7cb16e0624d81421441949e843e9876c81f9) | 23 January 2024, 17:10:30 UTC |
| 0b6ea32 | Tomas Mraz | 05 January 2024, 10:22:28 UTC | tlsfuzzer.sh: Run openssl version on the built app and not system one Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/23342) (cherry picked from commit 150b3b18dfde317621a6bf26acfe0d06193e52fd) | 23 January 2024, 17:10:28 UTC |
| 2c18e43 | Tomas Mraz | 03 January 2024, 11:36:10 UTC | gost_engine.sh: Set OPENSSL_ENGINES_DIR Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/23342) (cherry picked from commit 017c7cf2bb5f5461071d9e992eb3206c34a69c2c) | 23 January 2024, 17:10:26 UTC |
| 90b3757 | shashankmca80 | 13 January 2024, 12:46:25 UTC | Uninitialized array variable array"key" is uninitialized and it is being read directly in function SipHash_Init() as per the below statements making a way for the garbage values : uint64_t k0 = U8TO64_LE(k); uint64_t k1 = U8TO64_LE(k + 8); CLA: trivial Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23298) (cherry picked from commit a0826b184eed2dccc56cdf80e3e0bc061cc89ddc) | 19 January 2024, 13:05:10 UTC |
| b7275c5 | Matt Caswell | 15 January 2024, 08:55:48 UTC | Document SSL_R_UNEXPECTED_EOF_WHILE_READING Also document that it is ok to use this for control flow decisions. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23327) | 19 January 2024, 13:01:52 UTC |
| bc2fe90 | Dr. David von Oheimb | 14 December 2023, 11:48:33 UTC | X509_dup.pod: add caveat that extra data is not copied and hints, e.g., to use X509_up_ref() instead Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23043) (cherry picked from commit 66adaf2b31bb51e00ffad784f60bdf195e5dd736) | 18 January 2024, 13:18:18 UTC |
| 9847bc9 | Kevin Jerebica | 16 January 2024, 15:30:26 UTC | Add a deprecation warning for a function in docs The function in question is SSL_get_peer_certificate() CLA: trivial Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23315) (cherry picked from commit 3e938453be47751d50917e25b8f7334b482844b3) | 18 January 2024, 09:45:20 UTC |
| 9ff9706 | lan1120 | 13 December 2023, 11:02:29 UTC | Check whether the pubkey exists in ossl_ecx_key_dup Signed-off-by: lan1120 <lanming@huawei.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22984) (cherry picked from commit aac531e5daa2edec5d47e702a7f115cf77fe07f9) | 16 January 2024, 10:29:50 UTC |
| fc82a8f | Frederik Wedel-Heinen | 12 January 2024, 09:14:43 UTC | Error in s_server when -rev option is used with dtls. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23278) (cherry picked from commit 575117efe1e0eb8073c2d26ae3dff8926be00591) | 15 January 2024, 15:34:49 UTC |
| 3a665e4 | Tomas Mraz | 09 January 2024, 17:08:22 UTC | Add CHANGES.md and NEWS.md entries for CVE-2023-6237 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23243) (cherry picked from commit 38b2508f638787842750aec9a75745e1d8786743) | 15 January 2024, 09:57:18 UTC |
| a830f55 | Tomas Mraz | 22 December 2023, 15:25:56 UTC | Limit the execution time of RSA public key check Fixes CVE-2023-6237 If a large and incorrect RSA public key is checked with EVP_PKEY_public_check() the computation could take very long time due to no limit being applied to the RSA public key size and unnecessarily high number of Miller-Rabin algorithm rounds used for non-primality check of the modulus. Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS) will fail the check with RSA_R_MODULUS_TOO_LARGE error reason. Also the number of Miller-Rabin rounds was set to 5. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23243) (cherry picked from commit e09fc1d746a4fd15bb5c3d7bbbab950aadd005db) | 15 January 2024, 09:55:30 UTC |
| 60dc128 | Drokov Pavel | 12 January 2024, 07:10:17 UTC | Fix arithmetic expression overflow If the value of a->length is large (>= 2^12), then an integer overflow will occur for the signed type, which according to the C standard is UB. CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23274) (cherry picked from commit 486ab0fb003d05f89620662260486d31bd3faa8c) | 15 January 2024, 09:50:07 UTC |
| 29463f1 | Richard Levitte | 04 January 2024, 11:42:05 UTC | Add test/recipes/15-test_gensm2.t, to test SM2 key generation results Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22529) (cherry picked from commit d4d9b57530b2ecdca6b4263b5841b42c820e5275) | 12 January 2024, 10:08:37 UTC |
| 7c93d2e | Richard Levitte | 27 October 2023, 07:01:19 UTC | Fix the encoding of SM2 keys OpenSSL's encoding of SM2 keys used the SM2 OID for the algorithm OID where an AlgorithmIdentifier is encoded (for encoding into the structures PrivateKeyInfo and SubjectPublicKeyInfo). Such keys should be encoded as ECC keys. Fixes #22184 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22529) (cherry picked from commit 1d490694dfa790d8e47f8f2ea62ea1d9b1251179) | 12 January 2024, 10:08:29 UTC |
| d521c94 | Neil Horman | 07 December 2023, 21:56:39 UTC | Fix NULL pointer deref when parsing the stable section When parsing the stable section of a config such as this: openssl_conf = openssl_init [openssl_init] stbl_section = mstbl [mstbl] id-tc26 = min Can lead to a SIGSEGV, as the parsing code doesnt recognize min as a proper section name without a trailing colon to associate it with a value. As a result the stack of configuration values has an entry with a null value in it, which leads to the SIGSEGV in do_tcreate when we attempt to pass NULL to strtoul. Fix it by skipping any entry in the config name/value list that has a null value, prior to passing it to stroul Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22988) (cherry picked from commit 0981c20f8efa68bf9d68d7715280f83812c19a7e) | 12 January 2024, 09:39:06 UTC |
| 9d47024 | Holger Dengler | 04 January 2024, 18:25:08 UTC | Add tests for re-using cipher contexts Add test case for re-using a cipher context with the same key, iv and cipher. It detects, if the hardware-specific cipher context is reset correctly, like reported in issue #23175. This test has encrypt and decrypt iterations for cfb128 and ofb128. All iteations use the same key, iv and plaintext. Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23201) (cherry picked from commit 3cb1b51dddf4deaf5e3886b827f3245d81670bc7) | 12 January 2024, 09:35:47 UTC |
| c944c06 | Holger Dengler | 05 January 2024, 13:16:53 UTC | Fix partial block encryption in cfb and ofb for s390x (legacy) Use the number of processed bytes information (num) from the generic cipher context for the partial block handling in cfb and ofb also in s390x-legacy code. For more details see 4df92c1a14 ("Fix partial block encryption in cfb and ofb for s390x"). Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23201) (cherry picked from commit f9ccd209c3d121668c51a992613c698f2a774cb3) | 12 January 2024, 09:35:46 UTC |
| aa24651 | Holger Dengler | 04 January 2024, 08:37:39 UTC | Fix partial block encryption in cfb and ofb for s390x Use the number of processed bytes information (num) from the generic cipher context for the partial block handling in cfb and ofb, instead of keep this information in the s390x-specific part of the cipher context. The information in the generic context is reset properly, even if the context is re-initialized without resetting the key or iv. Fixes: #23175 Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23201) (cherry picked from commit 576a3572bebf6115df1c03527114cbf74d06f861) | 12 January 2024, 09:35:45 UTC |
| 0a12aba | Neil Horman | 08 January 2024, 19:29:52 UTC | Update Docs for EVP_MAC For GMAC/CMAC, its not possible to re-init the algorithm without explicitly passing an OSSL_MAC_PARAM_IV to each init call, as it is not possible to extract the IV value from the prior init call (be it explicitly passed or auto generated). As such, document the fact that re-initalization requires passing an IV parameter Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23235) (cherry picked from commit 7c1d533a512181b13de3bc0b7fa2fd8c481032d3) | 11 January 2024, 10:12:42 UTC |
| 6969bf4 | sashan | 08 January 2024, 21:53:42 UTC | evp_fetch.c: Check meth_id instead of name_id Fixes #23226 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23238) (cherry picked from commit da840c3775f52fc9766c654b5ad6ee031ffc9fd9) | 11 January 2024, 09:26:55 UTC |
| 0d3775c | Bernd Edlinger | 09 January 2024, 14:05:30 UTC | Fix a similar memory leak in SXNET_add_id_INTEGER Even in the good case there was memory leak here. Add a simple test case to have at least some test coverage. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23234) (cherry picked from commit 398011848468c7e8e481b295f7904afc30934217) | 10 January 2024, 17:16:19 UTC |
| 5339f54 | Bernd Edlinger | 08 January 2024, 14:31:32 UTC | Fix a possible memory leak in sxnet_v2i When a subsequent call to SXNET_add_id_asc fails e.g. because user is a string larger than 64 char or the zone is a duplicate zone id, or the zone is not an integer, a memory leak may be the result. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23234) (cherry picked from commit 0151e772195fc03cce0f12e5e266e51dc15243a0) | 10 January 2024, 17:14:37 UTC |
| bee1e83 | Tomas Mraz | 04 January 2024, 09:32:32 UTC | Add CHANGES.md and NEWS.md entries for CVE-2023-6129 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23200) (cherry picked from commit 858c7bc210a406cc7f891ac2aed78692d2e02937) | 09 January 2024, 14:48:38 UTC |
| f3fc580 | Rohan McLure | 04 January 2024, 09:25:50 UTC | poly1305-ppc.pl: Fix vector register clobbering Fixes CVE-2023-6129 The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs saves the the contents of vector registers in different order than they are restored. Thus the contents of some of these vector registers is corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23200) (cherry picked from commit 8d847a3ffd4f0b17ee33962cf69c36224925b34f) | 09 January 2024, 14:46:39 UTC |
| 0108860 | Tomas Mraz | 05 January 2024, 10:01:34 UTC | Avoid memory leak if SXNET_add_id_INTEGER() fails Fixes Coverity 1560046 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23211) (cherry picked from commit 7054fc1ca3945342777f588fba43b77f669509ad) | 08 January 2024, 12:52:24 UTC |
| 5802de9 | Tomas Mraz | 05 January 2024, 16:29:20 UTC | Add missing sm4_ccm_dupctx() and sm4_gcm_dupctx() Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23217) | 08 January 2024, 11:04:07 UTC |
| 143a091 | Richard Levitte | 20 December 2023, 07:25:22 UTC | VMS: Add the missing -p32 and -p64 variants for x86_64 The pointer size support is already in the code, and is present for all other supported hardwares. Fixes #22899 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/23081) (cherry picked from commit a43f253d586279b5d96fffcaf1b26c7a2b0dd938) | 08 January 2024, 06:25:01 UTC |
| d2c2050 | Richard Levitte | 18 December 2023, 11:49:08 UTC | Fix VMS installation - update vmsconfig.pm for consistency An effort was made to update the VMS installation data to align with configuration data. This touched the script templates in VMS/, but didn't update the generation of vmsconfig.pm to match... and also missed a spot. This change adds the missing updates Ref: https://github.com/openssl/openssl/pull/16842 Fixes #22899 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/23081) (cherry picked from commit 4058e121cbc6818235b0dcb618e636ce3c4d1f2f) | 08 January 2024, 06:25:01 UTC |
| 856d4c6 | Neil Horman | 03 January 2024, 18:47:05 UTC | cleanse stack variable in kdf_pbkdf1_do_derive kdf_pbkdf1_do_derive stores key derivation information in a stack variable, which is left uncleansed prior to returning. Ensure that the stack information is zeroed prior to return to avoid potential leaks of key information Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23194) (cherry picked from commit 5963aa8c196d7c5a940a979299a07418527932af) | 05 January 2024, 19:41:18 UTC |
| a693d69 | Neil Horman | 02 January 2024, 20:48:00 UTC | Validate config options during x509 extension creation There are several points during x509 extension creation which rely on configuration options which may have been incorrectly parsed due to invalid settings. Preform a value check for null in those locations to avoid various crashes/undefined behaviors Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23183) (cherry picked from commit bac7e687d71b124b09ad6ad3e15be9b38c08a1ba) | 05 January 2024, 19:01:13 UTC |
| 7043f69 | Neil Horman | 15 December 2023, 19:35:04 UTC | fixup! Adding interop tests Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22726) (cherry picked from commit b062a3c552bf283319dede3437598f1747730053) | 05 January 2024, 18:05:41 UTC |
| 715f48a | Neil Horman | 14 November 2023, 11:01:51 UTC | Adding interop tests Fedora has some fairly nice interoperability tests that we can leverage to build a PR and test it against gnutls and nss libraries. This commit adds the interop-tests.yml ci job to do that work, and run the interop tests from beaker. Fixes #20685 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22726) (cherry picked from commit 83783dd16e767483020e5b2dc3b1c0ac26520917) | 05 January 2024, 18:05:13 UTC |
| 6020045 | Neil Horman | 19 December 2023, 11:15:39 UTC | Update workflow to use GITHUB_WORKSPACE It was pointed out the GITHUB_WORKSPACE points to the container path of the workspace, so we can use it instead of hardcoding the __w/openssl/openssl path Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22726) (cherry picked from commit 638ad52ae53ece2e870984430493e454f75d048a) | 05 January 2024, 18:04:41 UTC |
| bd270ea | Neil Horman | 14 November 2023, 11:01:51 UTC | Adding interop tests Fedora has some fairly nice interoperability tests that we can leverage to build a PR and test it against gnutls and nss libraries. This commit adds the interop-tests.yml ci job to do that work, and run the interop tests from beaker. Fixes #20685 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22726) (cherry picked from commit 337eb99c8474ed380f3aa6fbd6b2a4ab5d39aa26) | 05 January 2024, 18:04:14 UTC |
| 780b38c | Neil Horman | 12 September 2023, 21:09:06 UTC | Fix a key repointing in various ciphers In the dupctx fixups I missed a pointer that needed to be repointed to the surrounding structures AES_KEY structure for the sm4/aes/aria ccm/gcm variants. This caused a colliding use of the key and possible use after free issues. Fixes #22076 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23102) (cherry picked from commit 0398bc20080de037a8433fe81cfdef3ba0ec9d4c) | 05 January 2024, 16:15:45 UTC |
| 291796b | Neil Horman | 01 September 2023, 17:47:15 UTC | Add dupctx support to rc4_hmac_md5 algo Pretty straightforward, just clone the requested context, no pointers to fixup Fixes #21887 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23102) (cherry picked from commit f9163efe96e218adeae2a0dc6a4cbef568f395ee) | 05 January 2024, 16:15:44 UTC |
| 1aa0746 | Neil Horman | 01 September 2023, 17:22:03 UTC | implement dupctx for chacha20_poly1305 Same as chacha20 in the last commit, just clone the ctx and its underlying tlsmac array if its allocated Fixes #21887 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23102) (cherry picked from commit e7ef50c3e3b670a476aa0e864da5b5cc874b3528) | 05 January 2024, 16:15:43 UTC |
| 51036a4 | Neil Horman | 01 September 2023, 15:28:33 UTC | implement dupctx for aes_WRAP methods create a dupctx method for aes_WRAP implementations of all sizes Fixes #21887 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23102) (cherry picked from commit a5bea0a8d423c7e52052d903b99f75034e78cecf) | 05 January 2024, 16:15:42 UTC |
| 766628d | Neil Horman | 01 September 2023, 13:10:35 UTC | Add dupctx support to aead ciphers Add dupctx method support to to ciphers implemented with IMPLEMENT_aead_cipher This includes: aes-<kbits>-gcm aria-<kbits>-ccm aria-<kbits>-gcm Fixes #21887 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23102) (cherry picked from commit 879a853a1dc968fb010e5bf17d2e8888acc70742) | 05 January 2024, 16:15:40 UTC |
| edb18a7 | Neil Horman | 29 August 2023, 19:42:48 UTC | make inability to dup/clone ciphers an error There should be no reason that a cipher can't be duplicated Fixes #21887 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23102) (cherry picked from commit 58a6aa0c9fe6abad996f45c6b452983035db7105) | 05 January 2024, 16:15:38 UTC |
| 63256ca | Dmitry Misharov | 04 January 2024, 13:19:10 UTC | fix buildtest job runner Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23203) | 05 January 2024, 16:08:17 UTC |
| 8632c09 | Dr. David von Oheimb | 01 August 2022, 14:35:42 UTC | add missing doc of X509_REQ_get_extensions() and X509_REQ_add_extensions{,_nid}() Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (cherry picked from commit 47dc828c6b652feb9cef5b0e4186d010986f197c) Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/23190) | 05 January 2024, 11:41:15 UTC |
| 1a51185 | Matt Caswell | 03 January 2024, 11:03:03 UTC | Clarify the PKCS12 docs Issue #23151 asks a question about the meaning of the PKCS12 documentation. This PR attempts to clarify how friendlyName and localKeyID are added to the PKCS12 structure. Fixes #23151 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/23188) (cherry picked from commit 3348713ad390372ba5a0a0f98b46b2f637475e47) | 04 January 2024, 16:43:43 UTC |
| 5801393 | Neil Horman | 01 January 2024, 14:25:03 UTC | cleanse stack variable in blake2[b|s] finalization If the output of a blake2[b|s] digest isn't a multipl of 8, then a stack buffer is used to compute the final output, which is left un-zeroed prior to return, allowing the potential leak of key data. Ensure that, if the stack variable is used, it gets cleared prior to return. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23173) (cherry picked from commit 8b9cf1bc2c3085b6e9493a057209ffd0bddf48a6) | 03 January 2024, 17:56:28 UTC |
| 0b36386 | Neil Horman | 01 January 2024, 16:53:50 UTC | validate requested key length in kdf_pbkdf1_do_derive When using pbkdf1 key deriviation, it is possible to request a key length larger than the maximum digest size a given digest can produce, leading to a read of random stack memory. fix it by returning an error if the requested key size n is larger than the EVP_MD_size of the digest Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23174) (cherry picked from commit 8d89050f0f676b429043fd5445e5a570d54ad225) | 03 January 2024, 15:20:46 UTC |
| c739d76 | rilysh | 29 December 2023, 07:30:56 UTC | provider-keymgmt.pod: fix typo Fix a typo from asymmmetric to asymmetric CLA: trivial Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23164) (cherry picked from commit cf8fea86f73c4606f132133cb34c07f8dad42482) | 03 January 2024, 12:14:57 UTC |
| 9ee889f | slontis | 08 November 2023, 06:14:44 UTC | Add missing documentation for X509_ATTRIBUTE related functions. Partial fix for #8026 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22656) (cherry picked from commit f1f0731ddf6cb31d62a2c0f406b009ae9817ed7f) | 03 January 2024, 11:55:17 UTC |
| 41dd0e0 | Tomas Mraz | 13 December 2023, 11:21:04 UTC | Allow duplicate CMS attributes Fixes regression introduced with https://github.com/openssl/openssl/pull/21505 Fixes #22266 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23029) (cherry picked from commit d7e707cb4983a35b1a265c6042da410d829f3b19) | 03 January 2024, 11:46:16 UTC |
| ec29062 | Neil Horman | 20 December 2023, 15:01:17 UTC | gate calling of evp_method_id on having a non-zero name id If a name is passed to EVP_<OBJ>_fetch of the form: name1:name2:name3 The names are parsed on the separator ':' and added to the store, but during the lookup in inner_evp_generic_fetch, the subsequent search of the store uses the full name1:name2:name3 string, which fails lookup, and causes subsequent assertion failures in evp_method_id. instead catch the failure in inner_evp_generic_fetch and return an error code if the name_id against a colon separated list of names fails. This provides a graceful error return path without asserts, and leaves room for a future feature in which such formatted names can be parsed and searched for iteratively Add a simple test to verify that providing a colon separated name results in an error indicating an invalid lookup. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/23110) (cherry picked from commit 94be985cbcc1f0a5cf4f172d4a8d06c5c623122b) | 01 January 2024, 18:26:50 UTC |
| a936d94 | James Muir | 16 December 2023, 02:21:46 UTC | doc: fix "the a" typos (and other things nearby) Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/23068) (cherry picked from commit aa3347ba9d670a747b46974ce46f2ed9ecb38662) | 29 December 2023, 10:44:40 UTC |
| 8b16502 | slontis | 17 February 2023, 00:00:50 UTC | Add missing settable entry OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS for RSA asym Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20319) (cherry picked from commit 26183614ed1dc03f509f26839b8a465684ca0f84) | 29 December 2023, 09:42:27 UTC |
| 959be4f | slontis | 16 February 2023, 23:54:58 UTC | Limit RSA-OAEP related functions to RSA keys only Make EVP_PKEY_CTX_set_rsa_oaep_md() and EVP_PKEY_CTX_get_rsa_oaep_md_name() only work for RSA keys. Since these calls use "digest" as a OSSL_PARAM, they should not work for other key types. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20319) (cherry picked from commit 0c3eb31b55d3c1544e4e044c2e3c939655bac93d) | 29 December 2023, 09:42:26 UTC |
| d4da0b5 | slontis | 16 February 2023, 23:51:59 UTC | Fix memleak in rsa_cms_decrypt If a call to EVP_PKEY_CTX_set_rsa_mgf1_md() fails then the caller needs to free the label. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20319) (cherry picked from commit d32dd65053431ee744d213b336b9a03a035807e6) | 29 December 2023, 09:42:25 UTC |
| f685ca3 | Gopal Sharma | 19 December 2023, 06:14:42 UTC | Fixed windows compilation issue Fixed - Windows compilation issue - unbale to find correct definitions of _InterlockedExchangeAdd. Issue number - https://github.com/openssl/openssl/issues/21080 CLA: trivial Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23087) (cherry picked from commit aa50768bf6d0a987028175c4a3cac8a142b15941) | 22 December 2023, 13:15:14 UTC |
| a26635e | Bernd Edlinger | 10 December 2023, 14:07:08 UTC | Fix a possible memory leak in dh_cms_encrypt Add a missing check of the return code of X509_ALGOR_set0, otherwise the ASN1_STRING object wrap_str may be leaked. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22998) | 22 December 2023, 12:45:37 UTC |
| 9c24066 | Tomas Mraz | 13 December 2023, 09:06:59 UTC | AES: Document that the XTS, SIV, WRAP modes do not support streaming Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/23028) (cherry picked from commit 8f0f814d791e0825b96c30494594de619da3e5a5) | 22 December 2023, 12:43:34 UTC |
| dd073c4 | Neil Horman | 30 November 2023, 19:28:09 UTC | Detect and prevent recursive config parsing If a malformed config file is provided such as the following: openssl_conf = openssl_init [openssl_init] providers = provider_sect [provider_sect] = provider_sect The config parsing library will crash overflowing the stack, as it recursively parses the same provider_sect ad nauseum. Prevent this by maintaing a list of visited nodes as we recurse through referenced sections, and erroring out in the event we visit any given section node more than once. Note, adding the test for this revealed that our diagnostic code inadvertently pops recorded errors off the error stack because provider_conf_load returns success even in the event that a configuration parse failed. The call path to provider_conf_load has been updated in this commit to address that shortcoming, allowing recorded errors to be visibile to calling applications. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22898) (cherry picked from commit 682fd21afb5428b5716e62eaefb09a7419f9cfd7) | 22 December 2023, 10:37:06 UTC |
| f74cd0b | dependabot[bot] | 19 December 2023, 18:00:12 UTC | Bump actions/setup-python from 4.7.1 to 5.0.0 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.7.1 to 5.0.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v4.7.1...v5.0.0) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> CLA: trivial Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22963) (cherry picked from commit 51c85496dc227f277adbe0748d596e07d9a34bc2) | 20 December 2023, 10:44:19 UTC |
| 493d6c9 | Bernd Edlinger | 10 December 2023, 14:21:19 UTC | Fix a possible memory leak in ossl_x509_algor_md_to_mgf1 Add a missing check of the return code of X509_ALGOR_set0. otherwise a memory leak may occur. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22999) | 19 December 2023, 17:33:03 UTC |
| 201711c | Tomas Mraz | 11 December 2023, 14:19:47 UTC | Fix provider compatibility check crash in evp_test EVP_MAC_CTX_get_mac_size() cannot be called on older unfixed versions before EVP_MAC_init(). Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/23008) | 19 December 2023, 12:22:13 UTC |
| da3d09e | Bernd Edlinger | 18 December 2023, 20:38:22 UTC | Fix no-des failure in test_cms The newly introduced test case do not work when configured with no-des, fix that by choosing -aes128 as cipher. Fixes ffed597882ba ("cms: avoid intermittent test failure") Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23086) (cherry picked from commit 5b4f4474b2562c4422193e1719461a0ef5cbc3e5) | 19 December 2023, 12:19:19 UTC |
| b80cee9 | Tomas Mraz | 19 December 2023, 11:11:51 UTC | ci.yml: Fix bad conflict fix in backported patch Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23090) | 19 December 2023, 11:27:18 UTC |
| 2b44ec7 | Tomas Mraz | 14 December 2023, 17:33:57 UTC | Consolidate raising errors in SSL_CONF_cmd() Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/23048) (cherry picked from commit 430dcbd0463573fece704263648cc15e891c3d49) | 19 December 2023, 11:06:48 UTC |
| 9a30178 | Tomas Mraz | 14 December 2023, 15:37:58 UTC | Test that incorrect entry in the ssl section is not fatal The following entries should be still applied. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/23048) (cherry picked from commit 17b4277d9ac6665e9b53a6270949418154cab2dc) | 19 December 2023, 11:06:47 UTC |
| a438e52 | Tomas Mraz | 14 December 2023, 15:26:21 UTC | Always apply all configuration settings from the ssl section Even if some configuration entry is incorrect, do not skip the remaining ones. Fixes #20789 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/23048) (cherry picked from commit 69c067ffbc2c02295e20c90e557b6fcb2f7da69c) | 19 December 2023, 11:06:46 UTC |
| 733daf9 | Dmitry Misharov | 14 December 2023, 12:36:04 UTC | run Windows GitHub CI workflow on self-hosted runners Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23042) (cherry picked from commit ce42b72cb1ca2ba8669bc28a70ed9dca28b7a551) | 19 December 2023, 10:22:24 UTC |
| 89fa9d3 | Dmitry Misharov | 14 December 2023, 11:29:23 UTC | run GitHub CI workflow on self-hosted runners Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23042) (cherry picked from commit 834a2d7088a042a4f8f95fa2b8327fd388556151) | 19 December 2023, 10:21:47 UTC |
| b749573 | Dmitry Misharov | 14 December 2023, 10:09:15 UTC | run Cross Compiles workflow on self-hosted runner Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23042) (cherry picked from commit 625287bc80129deedab7484ee4c0ac112ae874a0) | 19 December 2023, 10:14:36 UTC |
| b1b3cb9 | James Muir | 14 December 2023, 19:14:37 UTC | cms: avoid intermittent test failure If you decrypt a random input using RSAES-PKCS-v1_5, then there is a non-negligible chance that the result will look like a valid plaintext (that is why RSAES-PKCS-v1_5 shouldn't be used anymore). This was the cause of an intermittent failure in a test that did a cms-encrypt operation targetting multiple recipients. The failure happened during key-only decrypt. The recipient decrypts every RSA ciphertext -- only one is supposed to decrypt successfully, which would reveal the right content-key. Occassionally, more than one decrypted successfully. Update the test by specifying the recipient cert in the decrypt op (this avoids looping over all RSA ciphertexts). Add a new test to get coverage for key-only decrypt, but use RSA-OAEP during the encrypt op. Fixes https://github.com/openssl/project/issues/380 Testing: $ make TESTS='test_cms' test Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23055) (cherry picked from commit ffed597882baf2f07274e7eaa8f3c4fa9fa74ac1) | 18 December 2023, 11:21:18 UTC |
| d4d8fcf | Xi Ruoyao | 12 December 2023, 19:36:48 UTC | Define L_ENDIAN for linux64-loongarch64 In commit d7c0fc5b1a7b5cb2219f8d89a861f3879582fc16 we removed L_ENDIAN definition for guessed linux64-loongarch64 as it had caused an inconsistency between configurations with and without explicit specifying linux64-loongarch64. Now add it back to the proper location. Unlike MIPS or RISC-V, LoongArch is always little-endian [1]. By the way, change "LOONGARCH" to "LoongArch" in a comment as LOONGARCH should only appear in the identifiers of macros, constants, etc. [1]:https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#endian Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23064) (cherry picked from commit e1002c84725a64b6a097f3155dc6851b57f7ba8e) | 18 December 2023, 10:54:35 UTC |
| f6452eb | dependabot[bot] | 18 December 2023, 09:58:53 UTC | Bump actions/upload-artifact from 3 to 4 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> CLA: trivial Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23053) (cherry picked from commit 1ee0560f43a38d3a2de6c2cd2cacb0879c75cf46) | 18 December 2023, 10:01:37 UTC |
| 78df776 | Dmitry Kobets | 15 December 2023, 04:12:43 UTC | Fix instructions for running tests on Windows In the command `nmake TEST='foo' test`, on Windows the runner will look for test `'foo'` and complain about the test not being found (due to the extraneous single quotes), whereas with `nmake TEST="foo" test`, the test `foo` will be correctly found. CLA: trivial Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23059) (cherry picked from commit cf424d1da05b3cd928c97596af08e260429b308c) | 18 December 2023, 09:48:38 UTC |
| b516449 | Hugo Landau | 11 December 2023, 07:57:54 UTC | LHASH: Document down_load functions Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23032) (cherry picked from commit f8c75e053569cdcbf0d39620e28b4044f1be04f1) | 15 December 2023, 11:46:19 UTC |
| 72c56a0 | Hugo Landau | 08 December 2023, 10:14:27 UTC | LHASH: Fix documentation for doall-delete hazards Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23032) (cherry picked from commit e91f21193c1b11de775e65b4e209a9fed67a41c1) | 15 December 2023, 11:46:16 UTC |
| 703e856 | Neil Horman | 05 December 2023, 20:24:20 UTC | Harden asn1 oid loader to invalid inputs In the event that a config file contains this sequence: ======= openssl_conf = openssl_init config_diagnostics = 1 [openssl_init] oid_section = oids [oids] testoid1 = 1.2.3.4.1 testoid2 = A Very Long OID Name, 1.2.3.4.2 testoid3 = ,1.2.3.4.3 ====== The leading comma in testoid3 can cause a heap buffer overflow, as the parsing code will move the string pointer back 1 character, thereby pointing to an invalid memory space correct the parser to detect this condition and handle it by treating it as if the comma doesn't exist (i.e. an empty long oid name) (cherry picked from commit a552c23c6502592c1b3c67d93dd7e5ffbe958aa4) Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23034) (cherry picked from commit d802bfbf80bab00123a4a6209f255852b3a10207) | 15 December 2023, 11:40:38 UTC |
| 45d80b4 | Dr. David von Oheimb | 02 December 2023, 14:54:27 UTC | CONTRIBUTING.md: add reference to util/check-format.pl and fix several nits Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22911) (cherry picked from commit 260d97229c467d17934ca3e2e0455b1b5c0994a6) | 13 December 2023, 17:22:21 UTC |
| 54e25c5 | James Muir | 07 December 2023, 15:23:49 UTC | doc: fix list display in man page "=over 1" is too small. Use "=over 2" so that list items are displayed correctly in the generated man-page. You can check the man-page using the following command: cd doc && pod2man man3/OSSL_PARAM_int.pod | man /dev/stdin Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/22974) (cherry picked from commit 7f4bf1857321d2a2ebcbbb2742946a965e463b79) | 13 December 2023, 10:04:43 UTC |
| 3fcaf6b | fangming.fang | 07 December 2023, 06:17:51 UTC | Enable BTI feature for md5 on aarch64 Fixes: #22959 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22971) (cherry picked from commit ad347c9ff0fd93bdd2fa2085611c65b88e94829f) | 13 December 2023, 09:45:15 UTC |
| d41b267 | James Muir | 06 December 2023, 21:49:11 UTC | ossl-params: check length returned by strlen() In param_build.c, the functions OSSL_PARAM_BLD_push_utf8_string() and OSSL_PARAM_BLD_push_utf8_ptr() use strlen() to compute the length of the string when bsize is zero. However, the size_t returned by strlen() might be too large (it is stored in an intermediate "int"), so check for that. There are analogous functions in params.c, but they do not use an intermediate "int" to store the size_t returned by strlen(). So there is some inconsistency between the implementations. Credit to Viktor D and Tomas M for spotting these missing checks. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22967) (cherry picked from commit d4d6694aa710c9970410a6836070daa6486a0ac0) | 12 December 2023, 18:58:38 UTC |
| c2fa969 | Dr. David von Oheimb | 27 October 2023, 06:58:48 UTC | provider-storemgmt.pod: fix nits (unclosed '<' around name) Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22942) (cherry picked from commit a149e8e108263718daede1858d2855d68dde5652) | 12 December 2023, 18:52:34 UTC |
| a9c4bb0 | Bernd Edlinger | 03 December 2023, 10:41:51 UTC | Fix a possible memleak in opt_verify The ASN1_OBJECT otmp was leaked if X509_VERIFY_PARAM_add0_policy fails. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22922) (cherry picked from commit d6688e45fa2f987f3ffd324e19922468beee5ddc) | 12 December 2023, 18:50:54 UTC |
| fd741c6 | Bernd Edlinger | 03 December 2023, 10:29:52 UTC | Fix a possible memleak in apps/rehash.c The OPENSSL_DIR_end was missing in case of error. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22920) (cherry picked from commit 01709fcb8b609cfc47e277d20492c333bafb113e) | 12 December 2023, 18:49:23 UTC |
| 03e6213 | Bernd Edlinger | 03 December 2023, 10:34:37 UTC | Fix a possible memleak in smime_main Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22919) (cherry picked from commit ba4d833f6e24a83bc3e74ba55f52d8916b70fb59) | 12 December 2023, 18:47:40 UTC |
| dfe3207 | Bernd Edlinger | 03 December 2023, 10:24:18 UTC | Fix a possible memleak in cms_main Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22918) (cherry picked from commit 3457a550c64ab8009c7cd0175675ac140cab33c2) | 12 December 2023, 18:45:50 UTC |
| ed5f9ce | Matt Caswell | 29 November 2023, 11:45:12 UTC | Don't attempt to set provider params on an ENGINE based cipher If an ENGINE has been loaded after the SSL_CTX has been created then the cipher we have cached might be provider based, but the cipher we actually end up using might not be. Don't try to set provider params on a cipher that is actually ENGINE based. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/22865) | 12 December 2023, 16:18:56 UTC |
| dda9208 | Matt Caswell | 29 November 2023, 11:30:07 UTC | Add a test for late loading of an ENGINE in TLS Confirm that using an ENGINE works as expected with TLS even if it is loaded late (after construction of the SSL_CTX). (cherry picked from commit a9c97da4910648790387d035afb12963158778fb) Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/22865) | 12 December 2023, 16:18:56 UTC |
| 54c7f92 | Matt Caswell | 06 December 2023, 12:51:34 UTC | Add a test case for OSSL_HTTP_parse_url Ensure we test the case where the port value is empty in the URL. Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/22961) (cherry picked from commit a36d10dfb7e77614c8d3da602ff3800a2e9f4989) | 12 December 2023, 16:13:01 UTC |
| f437288 | Matt Caswell | 06 December 2023, 11:51:01 UTC | Fix some invalid use of sscanf sscanf can return -1 on an empty input string. We need to appropriately handle such an invalid case. The instance in OSSL_HTTP_parse_url could cause an uninitialised read of sizeof(unsigned int) bytes (typically 4). In many cases this uninit read will immediately fail on the following check (i.e. if the read value >65535). If the top 2 bytes of a 4 byte unsigned int are zero then the value will be <=65535 and the uninitialised value will be returned to the caller and could represent arbitrary data on the application stack. The OpenSSL security team has assessed this issue and consider it to be a bug only (i.e. not a CVE). Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/22961) (cherry picked from commit 322517d817ecb5c1a3a8b0e7e038fa146857b4d4) | 12 December 2023, 16:13:01 UTC |
| 601be4b | Matt Caswell | 06 December 2023, 11:19:24 UTC | Extend the test of BN_GF2m_mod_inv Test that input value of 1 for p is treated as an error Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/22960) (cherry picked from commit b83c719ecb884f609ade7ad7f52bd5e09737585b) | 12 December 2023, 16:11:52 UTC |
| bde8227 | Matt Caswell | 06 December 2023, 11:09:53 UTC | Avoid an infinite loop in BN_GF2m_mod_inv If p is set to 1 when calling BN_GF2m_mod_inv then an infinite loop will result. Calling this function set 1 when applications call this directly is a non-sensical value - so this would be considered a bug in the caller. It does not seem possible to cause OpenSSL internal callers of BN_GF2m_mod_inv to call it with a value of 1. So, for the above reasons, this is not considered a security issue. Reported by Bing Shi. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/22960) (cherry picked from commit 9c1b8f17ce2471ca37ee3936d07aed29aab10975) | 12 December 2023, 16:11:52 UTC |
