Skip to main content
swh:1:snp:dc2a5002442a00b1c0eda7c65d04ea7455e166cd
sort by:
RevisionAuthorDateMessageCommit Date
a5170a8 erbsland-dev10 September 2024, 19:24:59 UTCAdd Missing Error Messages for AES-OCB Tag Length Validation Related to #8331 Addressing found issues by adding specific error messages to improve feedback when tag length checks fail for the `EVP_CTRL_AEAD_SET_TAG` parameter in the AES-OCB algorithm. - Added PROV_R_INVALID_TAG_LENGTH error to indicate when the current tag length exceeds the maximum tag length of the algorithm. - Added `PROV_R_INVALID_TAG_LENGTH` error to indicate when the current tag length in the context does not match a custom tag length provided as a parameter. - Added `ERR_R_PASSED_INVALID_ARGUMENT` error to handle cases where an invalid pointer is passed in encryption mode. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25425) (cherry picked from commit 645edf50f0274448174d9739543bf01b1708b2f5)13 September 2024, 08:13:16 UTC
5cd025c Gerd Hoffmann09 September 2024, 15:09:34 UTCfix small footprint builds on arm Building with '-D OPENSSL_SMALL_FOOTPRINT' for aarch64 fails due to 'gcm_ghash_4bit' being undeclared. Fix that by not setting the function pointer when building with OPENSSL_SMALL_FOOTPRINT, matching openssl behavior on x86. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25419) (cherry picked from commit 2a53df6947e195ac08bc04c9d2fec1fed977668f)11 September 2024, 23:11:08 UTC
fd055dd Michael Baentsch15 July 2024, 04:54:48 UTCdocument provider dependency handling Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24884) (cherry picked from commit e8498dc6455fc36f70dc3a0ca1ef82b34c088a90)11 September 2024, 07:33:58 UTC
ee582bf Tomas Mraz04 September 2024, 09:34:12 UTCReduce footprint of Windows CI Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Hugo Landau <hlandau@devever.net> (Merged from https://github.com/openssl/openssl/pull/25378) (cherry picked from commit a4954ea01a5665df2963d0e8e7d86997793c37c6)10 September 2024, 14:37:38 UTC
b60dff8 Tomas Mraz04 September 2024, 07:27:52 UTCAdd Windows build with enable-fips no-thread-pool no-quic Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Hugo Landau <hlandau@devever.net> (Merged from https://github.com/openssl/openssl/pull/25378) (cherry picked from commit ecab977464be75bc8b24e10e88d19b629fe6e0d4)10 September 2024, 14:37:37 UTC
11e0405 Tomas Mraz04 September 2024, 07:27:28 UTCFix no-thread-pool build on Windows thread/arch/thread_win.c must be included into libcrypto as rcu depends on ossl_crypto_mutex implementation on Windows. Fixes #25337 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Hugo Landau <hlandau@devever.net> (Merged from https://github.com/openssl/openssl/pull/25378) (cherry picked from commit f0fd24d5f39a6363f6cf66dae760154a3bad7014)10 September 2024, 14:37:36 UTC
0b5dd20 Matt Caswell08 August 2024, 15:12:11 UTCAdd a test for the nonce-type sigopt Check that using the nonce-type sigopt via the dgst app works correctly Based on the reproducer from #25012 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25057) (cherry picked from commit c9e36a8221517c0083695a567c11e0c2208e1f8d)09 September 2024, 07:52:46 UTC
5a3d158 Matt Caswell31 July 2024, 13:24:12 UTCDon't restrict the ECDSA settable ctx params unnecessarily We just allow all possible settables all the time. Some things like the digest name can't actually be changed in some circumstances - but we already have checks for those things. It's still possible to pass a digest of the same name to one that's already been set for example. Fixes #25012 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25057) (cherry picked from commit d244abb6515c3f1c68975c5d62417aff03f488b5)09 September 2024, 07:52:45 UTC
86bb434 Matt Caswell31 July 2024, 13:08:40 UTCComplain about a missing digest when doing deterministic ECDSA We need a digest for the none when doing deterministic ECDSA. Give a better error message if one hasn't been supplied. See openssl/openssl#25012 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25057) (cherry picked from commit 8cc0a97d60f4b77def4df9fee41740ffb2fb5563)09 September 2024, 07:52:44 UTC
9985b9b XZ-X22 July 2024, 05:38:00 UTCrehash.c: handle possible null pointer returned by OPENSSL_strdup Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24980) (cherry picked from commit a5cd06f7fff3b4484946812191097b5e080b7610)09 September 2024, 07:20:53 UTC
70140f7 erbsland-dev28 August 2024, 19:54:12 UTCAdd note for non-interactive use of `s_client` Fixes #8018 Documented the potential issue of premature connection closure in non-interactive environments, such as cron jobs, when using `s_client`. Added guidance on using the `-ign_eof` option and input redirection to ensure proper handling of `stdin` and completion of TLS session data exchange. Highlight potential issues with the `-ign_eof` flag and provide solutions for graceful disconnection in SMTP and HTTP/1.1 scenarios to avoid indefinite hangs. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25311) (cherry picked from commit 26521fdcf4047d6b6c5a7cf14ac34323a6197266)09 September 2024, 07:15:50 UTC
6b56f09 erbsland-dev01 September 2024, 20:55:12 UTCRefactor Password Variables to Use `const char[]` Arrays - Converted password declaration from `char*` to `const char[]`. - Updated `memcpy` and `return` statements accordingly to use `sizeof` instead of predefined lengths. - Renamed `key_password` into `weak_password` to match test name. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25330) (cherry picked from commit d52e92f835d8f64e207747cefe12cd1fc0423326)09 September 2024, 07:03:00 UTC
8f3bac8 erbsland-dev30 August 2024, 14:35:38 UTCRefactor Callback Tests for Improved Memory Management Refactor the callback test code to replace global variables with local structures, enhancing memory management and reducing reliance on redundant cleanup logic. Using a local struct containing a magic number and result flag to ensure the correct handling of user data and to verify that the callback function is invoked at least once during the test. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25330) (cherry picked from commit 9808ccc53f066f5aedcd6ea847f790ea64e72e76)09 September 2024, 07:02:59 UTC
cd0fb16 erbsland-dev30 August 2024, 08:56:58 UTCFix Edge Cases in Password Callback Handling Fixes #8441: Modify the password callback handling to reserve one byte in the buffer for a null terminator, ensuring compatibility with legacy behavior that puts a terminating null byte at the end. Additionally, validate the length returned by the callback to ensure it does not exceed the given buffer size. If the returned length is too large, the process now stops gracefully with an appropriate error, enhancing robustness by preventing crashes from out-of-bounds access. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25330) (cherry picked from commit 5387b71acb833f1f635ab4a20ced0863747ef5c1)09 September 2024, 07:02:58 UTC
baa80a4 erbsland-dev29 August 2024, 21:08:46 UTCAdd test for BIO password callback functionality Related to #8441 This commit introduces a test suite for the password callback mechanism used when reading or writing encrypted and PEM or DER encoded keys via a BIO in OpenSSL. The test is designed to cover various edge cases, particularly focusing on scenarios where the password callback might return unexpected or malformed data from user code. By simulating different callback behaviors, including negative returns, zero-length passwords, passwords that exactly fill the buffer and wrongly reported lengths. Also testing for the correct behaviour of binary passwords that contain a null byte in the middle. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25330) (cherry picked from commit fa6ae88a47a37678e8f8567ec2622bef515ac286)09 September 2024, 07:02:55 UTC
def6af3 Zhiqing Xie25 July 2024, 02:25:01 UTCFix compile err when building VC-CLANG-WIN64-CLANGASM-ARM target The error happens with MSVC v143,C++ Clang Compiler for Windows(16.0.5) Error is "brackets expression not supported on this target" in libcrypto-shlib-bsaes-armv8.obj.asm Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25293) (cherry picked from commit d20cf21b20559b3974a9dcadfe79bb047bfaab16)06 September 2024, 12:15:28 UTC
8547c32 dependabot[bot]29 August 2024, 17:50:32 UTCDependabot update CLA: trivial (deps): Bump actions/setup-python Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.1.1 to 5.2.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v5.1.1...v5.2.0) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25328) (cherry picked from commit 8af4c02ea952ca387691c4a077c260ba045fe285)05 September 2024, 16:13:18 UTC
4c6c68b dependabot[bot]04 September 2024, 17:07:36 UTCDependabot update CLA: trivial (deps): bump actions/download-artifact Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.1.7 to 4.1.8. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/v4.1.7...v4.1.8) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25385) (cherry picked from commit 65e32c6867bb0a3905f07dfd5edb484e65269eb9)05 September 2024, 16:08:40 UTC
94a0fcc PIums04 September 2024, 02:37:11 UTCargon2: Fixed an thread availability error string Correctly display the number of requested threads and the number of available threads. CLA: trivial Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25375) (cherry picked from commit 60725f8511fc96043f1ee5cbbe81c3fce2b2c828)05 September 2024, 15:34:46 UTC
392ea49 Pablo Rodríguez30 August 2024, 14:56:03 UTCblank line required to display code in `openssl-ts.pod.in` CLA:trivial Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25338) (cherry picked from commit 6fd9bc65689cf62854797927121a580bed1565c4)05 September 2024, 15:27:23 UTC
6077519 Alessandro Chitarrini29 August 2024, 10:59:54 UTCFix inaccurate comment about default nonce length in demos/cipher/aesccm.c Fixes #25270 CLA: trivial Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25318) (cherry picked from commit f2b7a00fbb372b0ea32f2cfea865ab407641b1fa)05 September 2024, 15:25:06 UTC
cde9516 Zhihao Yuan27 August 2024, 01:48:36 UTCRecycle the TLS key that holds thread_event_handler Fixes #25278 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25300) (cherry picked from commit 36840ab577d547a35cbc7c72396dc7931712eb6e)05 September 2024, 15:20:26 UTC
cddcd4c erbsland-dev22 July 2024, 08:26:17 UTCClarify EVP_CipherUpdate() authenticated bytes behavior Fixes #8310: Document that the number of authenticated bytes returned by EVP_CipherUpdate() varies with the cipher used. Mention that stream ciphers like ChaCha20 can handle 1 byte at a time, while OCB mode requires processing data one block at a time. Ensure it's clear that passing unpadded data in one call is safe. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24961) (cherry picked from commit d15077d336e4b6144f8a5fdb0c1bb58ca9d3552f)05 September 2024, 15:14:56 UTC
02d4c0c Georgi Valkov03 September 2024, 07:13:34 UTCthreads_win: fix improper cast to long * instead of LONG * InterlockedExchangeAdd expects arguments of type LONG *, LONG but the int arguments were improperly cast to long *, long Note: - LONG is always 32 bit - long is 32 bit on Win32 VC x86/x64 and MingW-W64 - long is 64 bit on cygwin64 Signed-off-by: Georgi Valkov <gvalkov@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25360) (cherry picked from commit b0ed90cc30a573acb9b27186babc616be482afcb)05 September 2024, 15:12:09 UTC
cb04533 Daniel Gustafsson12 July 2024, 18:49:16 UTCFix memleak in rsa_cms_sign error path If the call to X509_ALGOR_set0 fails then the allocated ASN1_STRING variable passed as parameter leaks. Fix by explicitly freeing like how all other codepaths with X509_ALGOR_set0 do. Fixes #22680 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24868) (cherry picked from commit 5efc57caf229748fd4f85b05463f96b11679100d)05 September 2024, 15:05:24 UTC
7c01bb2 Tomas Mraz04 September 2024, 15:17:29 UTCCI: Update upload-artifact action to be compatible The download-artifact action was updated to 4.x and the upload-artifact must be kept in sync. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25383) (cherry picked from commit c4a5d70d98cf57434cd4f7a1ae890a2e3d09c434)04 September 2024, 15:29:47 UTC
e02f618 dependabot[bot]03 September 2024, 22:45:53 UTCbuild(deps): bump actions/download-artifact in /.github/workflows Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3 to 4.1.7. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/v3...v4.1.7) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> CLA: trivial Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25374) (cherry picked from commit 2a6305dfcd89632b69e49f8b3efe98b7e0daa1aa)04 September 2024, 06:49:17 UTC
894dba8 Tomas Mraz03 September 2024, 12:52:50 UTCPrepare for 3.2.4 Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes03 September 2024, 12:52:50 UTC
45fda76 Tomas Mraz03 September 2024, 12:52:35 UTCPrepare for release of 3.2.3 Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes03 September 2024, 12:52:35 UTC
9f45e48 Tomas Mraz03 September 2024, 12:52:32 UTCmake update Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes03 September 2024, 12:52:32 UTC
5fca53d Tomas Mraz03 September 2024, 12:50:21 UTCCopyright year updates Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes03 September 2024, 12:50:21 UTC
0c3d66a Tomas Mraz03 September 2024, 10:24:58 UTCAdd CVE-2024-5535 to CHANGES and NEWS Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes03 September 2024, 12:26:35 UTC
c96817e Viktor Dukhovni10 July 2024, 09:50:57 UTCUpdated CHANGES and NEWS for CVE-2024-6119 fix Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (cherry picked from commit cf384d35aa7142cc3b5de19f64d3972e77d3ff74)03 September 2024, 10:07:00 UTC
05f360d Viktor Dukhovni19 June 2024, 11:04:11 UTCAvoid type errors in EAI-related name check logic. The incorrectly typed data is read only, used in a compare operation, so neither remote code execution, nor memory content disclosure were possible. However, applications performing certificate name checks were vulnerable to denial of service. The GENERAL_TYPE data type is a union, and we must take care to access the correct member, based on `gen->type`, not all the member fields have the same structure, and a segfault is possible if the wrong member field is read. The code in question was lightly refactored with the intent to make it more obviously correct. Fixes CVE-2024-6119 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (cherry picked from commit 0890cd13d40fbc98f655f3974f466769caa83680)03 September 2024, 10:03:19 UTC
9349642 Pauli30 August 2024, 01:43:29 UTCendecode_test.c: Fix !fips v3.0.0 check The fips_provider_version_* functions return true if the FIPS provider isn't loaded. This is somewhat counterintuitive and the fix in #25327 neglected this nuance resulting in not running the SM2 tests when the FIPS provider wasn't being loaded. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25331) (cherry picked from commit c6c6af18ea5f8dd7aa2bd54b63fcb813ee6c2394)30 August 2024, 09:43:29 UTC
d6be134 Tomas Mraz29 August 2024, 16:42:14 UTCendecode_test.c: Avoid running the SM2 tests with 3.0.0 FIPS provider Fixes #25326 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25327) (cherry picked from commit 0b97a5505efa8833bb7b8cabae45894ad6d910a2)29 August 2024, 17:46:07 UTC
19a54fe Viktor Dukhovni28 August 2024, 10:36:09 UTCCheck for excess data in CertificateVerify As reported by Alicja Kario, we ignored excess bytes after the signature payload in TLS CertificateVerify Messages. These should not be present. Fixes: #25298 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25302) (cherry picked from commit b4e4bf29ba3c67662c60ceed9afa2dd301e93273)29 August 2024, 17:32:21 UTC
2ae3b71 Clemens Lang28 August 2024, 15:18:03 UTCdoc: Document properties param for Argon2 KDF The Argon2 KDF uses OSSL_KDF_PARAM_PROPERTIES to fetch implementations of blake2bmac and blake2b512 if ctx->mac and ctx->md are NULL. This isn't documented in the manpage, so users that might, for example, want to fetch an instance of Argon2 with the -fips property query to obtain a working Argon2 KDF even though the default property query requires fips=yes are left wondering why this fails. Fortunately, EVP_KDF(3)/PARAMETERS already explains what the properties are used for, so we really just need to add a single line. Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25306) (cherry picked from commit 6772c2ab1bc5f12dd800247cd6800c45c2c0bf6e)29 August 2024, 17:20:36 UTC
90d40ba Jamie Cui22 August 2024, 03:41:50 UTCFix decoder error on SM2 private key Added sm2 testcases to endecode_test.c. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25266) (cherry picked from commit 25bd0c77bfa7e8127faafda2b082432ea58f9570)29 August 2024, 13:29:39 UTC
17cb182 slontis21 August 2024, 23:09:14 UTCFIPS: Change fips tests to use SHA2 for corruption test. Fixes cross testing with OpenSSL 3.4 with removed SHA1 from the self tests. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25262) (cherry picked from commit 06179b4be0e5617455924f02830a43b85d154c1a)23 August 2024, 08:28:49 UTC
cfbe6c0 Bernd Edlinger27 October 2023, 10:05:05 UTCFix error handling in OBJ_add_object This fixes the possible memory leak in OBJ_add_object when a pre-existing object is replaced by a new one, with identical NID, OID, and/or short/long name. We do not try to delete any orphans, but only mark them as type == -1, because the previously returned pointers from OBJ_nid2obj/OBJ_nid2sn/OBJ_nid2ln may be cached by applications and can thus not be cleaned up before the application terminates. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22534) (cherry picked from commit e91384d5b0547bf797e2b44976f142d146c4e650)21 August 2024, 13:54:03 UTC
c17c57b FdaSilvaYY18 July 2024, 21:33:49 UTCapps: add missing entry to tls extension label list noticed by @sftcd Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25111) (cherry picked from commit 4688f9b821525b255e0ff22f376fee93c2f9dc8e)21 August 2024, 13:43:48 UTC
0ac063c FdaSilvaYY20 February 2021, 23:04:07 UTCFix '--strict-warnings' build breakage due to a missing const. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25111) (cherry picked from commit ef4df981aecfc6c3cdc1585a1c07b199db711ec1)21 August 2024, 13:43:24 UTC
f0eabb6 Jiasheng Jiang06 August 2024, 19:18:34 UTCtest/provider_test.c: Add OSSL_PROVIDER_unload() to avoid memory leak Add OSSL_PROVIDER_unload() when OSSL_PROVIDER_add_builtin() fails to avoid memory leak. Fixes: 5442611dff ("Add a test for OSSL_LIB_CTX_new_child()") Signed-off-by: Jiasheng Jiang <jiashengjiangcool@outlook.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25109) (cherry picked from commit 55662b674543c9385600bc9b7c46277ef69b4dba)21 August 2024, 13:39:50 UTC
0a46178 Jiasheng Jiang06 August 2024, 18:42:06 UTCtest/provider_fallback_test.c: Add OSSL_PROVIDER_unload() to avoid memory leak Add OSSL_PROVIDER_unload() when test_provider() fails to avoid memory leak. Fixes: f995e5bdcd ("TEST: Add provider_fallback_test, to test aspects of fallback providers") Signed-off-by: Jiasheng Jiang <jiashengjiangcool@outlook.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25108) (cherry picked from commit 6e8a1031ed11af9645769f9e019db9f032a220b8)21 August 2024, 13:37:56 UTC
f90748d Hubert Kario26 July 2024, 14:25:42 UTCLink to the place where signature options are defined ca man page: link to section Signed-off-by: Hubert Kario <hkario@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25011) (cherry picked from commit 1985ba60bba272d5780c498461f2b1171f10aa21)20 August 2024, 09:56:17 UTC
22c7593 Tomas Mraz19 August 2024, 09:34:27 UTCExplicitly include e_os.h for close() Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25229) (cherry picked from commit 0c0c6954bf4fa7b56e21e1393c9e5e5d55c1b2d6)19 August 2024, 10:28:03 UTC
f37e075 Pauli18 August 2024, 22:31:15 UTCtest: add a default greeting to avoid printing a null pointer. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> (Merged from https://github.com/openssl/openssl/pull/25221) (cherry picked from commit 34877dbcd467efb4e2dbf45d2fcb44c5a4b4926a)19 August 2024, 09:21:44 UTC
283960b shridhar kalavagunta04 August 2024, 21:04:53 UTCRAND_write_file(): Avoid potential file descriptor leak If fdopen() call fails we need to close the fd. Also return early as this is most likely some fatal error. Fixes #25064 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25081) (cherry picked from commit d6048344398ec75996fee1f465abb61ab3aa377e)19 August 2024, 09:13:15 UTC
4cf3cbe Bernd Edlinger12 March 2024, 19:04:56 UTCFix unpredictible refcount handling of d2i functions The passed in reference of a ref-counted object is free'd by d2i functions in the error handling. However if it is not the last reference, the in/out reference variable is not set to null here. This makes it impossible for the caller to handle the error correctly, because there are numerous cases where the passed in reference is free'd and set to null, while in other cases, where the passed in reference is not free'd, the reference is left untouched. Therefore the passed in reference must be set to NULL even when it was not the last reference. Fixes #23713 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22809) (cherry picked from commit d550d2aae531c6fa2e10b1a30d2acdf373663889)16 August 2024, 08:09:06 UTC
22f1a8f Bernd Edlinger24 November 2023, 06:02:35 UTCExtend test case for reused PEM_ASN1_read_bio This is related to #22780, simply add test cases for the different failure modes of PEM_ASN1_read_bio. Depending on whether the PEM or the DER format is valid or not, the passed in CRL may be deleted ot not, therefore a statement like this: reused_crl = PEM_read_bio_X509_CRL(b, &reused_crl, NULL, NULL); must be avoided, because it can create memory leaks. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22809) (cherry picked from commit 83951a9979784ffa701e945b86f2f0bc2caead8e)16 August 2024, 08:09:05 UTC
d2a4566 Andreas Treichel18 May 2024, 06:27:46 UTCapps/cms.c, apps/smime.c: Fix -crlfeol help messages CLA: trivial Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24434) (cherry picked from commit 0813ffee2fe6d1a4fe4ec04b7b18fe91cc74a34c)15 August 2024, 17:46:18 UTC
fb9cf32 Shih-Yi Chen07 August 2024, 21:33:53 UTCUpdate krb5 to latest master to pick up CVE fixes CLA: trivial Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25131) (cherry picked from commit 099a71b48b6e1f27f39b2905fb67f2afaefd9171)14 August 2024, 15:58:05 UTC
462d296 Pauli08 August 2024, 00:55:15 UTCtest: add FIPS provider version checks for 3.4 compatibility Tests that are changed by #25020 mandate updates to older test suite data to pass because the FIPS provider's behaviour changes in 3.4. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/25133) (cherry picked from commit 0793071efaa7f61828b555128587db48c5d24962)10 August 2024, 06:33:03 UTC
48e7b18 Neil Horman26 July 2024, 15:01:05 UTClimit bignums to 128 bytes Keep us from spinning forever doing huge amounts of math in the fuzzer Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/25013) (cherry picked from commit f0768376e1639d12a328745ef69c90d584138074)09 August 2024, 12:28:38 UTC
67c6330 JulieDzeze119 April 2024, 21:50:19 UTCUpdate BN_add.pod documentation so it is consistent with header declarations CLA: trivial Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24215) (cherry picked from commit e77eb1dc0be75c98c53c932c861dd52e8896cc13)07 August 2024, 17:56:55 UTC
40617be Tomas Mraz05 August 2024, 13:08:39 UTCrsa_pss_compute_saltlen(): Avoid integer overflows and check MD and RSA sizes Fixes Coverity 1604651 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/25085) (cherry picked from commit 217e215e99dd526ad2e6f83601449742d1d03d6a)07 August 2024, 17:42:08 UTC
3fa1b82 Tomas Mraz05 August 2024, 12:49:52 UTCdo_print_ex(): Avoid possible integer overflow Fixes Coverity 1604657 Fixes openssl/project#780 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/25084) (cherry picked from commit e3e15e77f14cc4026fd456cc8a2b5190b2d79610)07 August 2024, 17:39:45 UTC
2bdf202 Tomas Mraz01 August 2024, 17:36:00 UTCDo not implicitly start connection with SSL_handle_events() Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit ca1d2db291530a827555b40974ed81efb91c2d19) Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25082)07 August 2024, 17:37:37 UTC
a714f3d Tomas Mraz01 August 2024, 17:14:16 UTCReturn infinity time from SSL_get_event_timeout when the connection is not started Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit b1f4aebb74192afb197487bf6f4998fbb87cd1c1) Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25082)07 August 2024, 17:37:37 UTC
8ffdb16 Tomas Mraz01 August 2024, 15:17:42 UTCDo not falsely start the connection through SSL_pending()/_has_pending() Fixes #25054 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit b7f93c7fcb37c81b88895c3e8d22ad69c2576cd4) Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25082)07 August 2024, 17:37:37 UTC
b0f0b24 Dimitri Papadopoulos21 July 2024, 09:37:03 UTCFix typos found by codespell in openssl-3.3 doc Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> (Merged from https://github.com/openssl/openssl/pull/24950) (cherry picked from commit 4b86dbb596c179b519dfb7ceb7e1d223556442c5)07 August 2024, 17:08:44 UTC
e9ed59a Andrew Dinh02 August 2024, 14:01:12 UTCUse parent directory instead of index.html Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25073) (cherry picked from commit 5854b764a762598b662a5166be8d0030af06c1c0)07 August 2024, 09:13:15 UTC
a4fad64 Andrew Dinh02 August 2024, 13:58:13 UTCUpdate links in CONTRIBUTING.md Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25073) (cherry picked from commit ad3d57d27141c09fe07ef39c49af5afe69c59383)07 August 2024, 09:13:14 UTC
493408b Andrew Dinh02 August 2024, 13:54:13 UTCFix some small typos Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25073) (cherry picked from commit d0a49eea4a8bb50f7d2269bac390a0ce2cddeb1f)07 August 2024, 09:13:12 UTC
77e7a47 Marc Brooks30 July 2024, 20:29:34 UTCFree fetched digest in show_digests Fixes #24892 Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25046) (cherry picked from commit 871c534d39efecc2087da0fd24ff72e2712031a4)01 August 2024, 09:38:10 UTC
51ab19e Tomas Mraz19 July 2024, 10:24:47 UTCevp_get_digest/cipherbyname_ex(): Try to fetch if not found If the name is not found in namemap, we need to try to fetch the algorithm and query the namemap again. Fixes #19338 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/24940) (cherry picked from commit 454ca902c7d5337249172b38efc5e4fd63f483f4)31 July 2024, 09:26:16 UTC
6b6e516 Tomas Mraz18 July 2024, 09:01:00 UTCAvoid leaking *ba_ret on reconnections Also fixes Coverity 1604639 There is no point in checking ba_ret as it can never be NULL. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24931) (cherry picked from commit 4fa9d1f40fc85d8c70c93168dc812217db349359)31 July 2024, 09:23:45 UTC
607e186 jasper-smit-servicenow18 July 2024, 07:45:22 UTCUpdate X509V3_get_d2i.pod returned pointer needs to be freed CLA: trivial Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/24927) (cherry picked from commit a4fd94851261c55f9ad020bf22d4f29bda0b58be) (cherry picked from commit 12c38af865a0a60c98f6b63de5be4b8ce2d1ace5)21 July 2024, 16:43:17 UTC
a3bfc4f Tomas Mraz18 July 2024, 08:48:58 UTCi2d_name_canon(): Check overflow in len accumulation Fixes Coverity 1604638 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/24930) (cherry picked from commit b2deefb9d262f0f9eae6964006df98c2fa24daac) (cherry picked from commit dd744cd19b3ff2bdc320c8a77b5c32ff543eaeb3)21 July 2024, 16:30:34 UTC
1a869a6 Georgi Valkov19 July 2024, 10:24:27 UTCgitignore: add .DS_Store macOS creates .DS_Store files all over the place while browsing directories. Add it to the list of ignored files. Signed-off-by: Georgi Valkov <gvalkov@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/24942) (cherry picked from commit 10c36d2f8d81a6f2b9a75f914fe094300835ba01) (cherry picked from commit 97b2aa49e504e49a8862b89c65eb54e143395f1d)21 July 2024, 16:15:39 UTC
ff5c70d Tomas Mraz24 October 2023, 07:27:23 UTCAllow short reads in asn1_d2i_read_bio() Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/22486) (cherry picked from commit 202ef97edc8e5561a6f4db28919d5ed73d411cc7)18 July 2024, 17:06:27 UTC
4ef8753 erbsland-dev14 July 2024, 17:14:49 UTCImprove clarity and readability of password input documentation Fixed #7310: Enhanced existing documentation for password input methods - Refined descriptions for password input methods: `file:`, `fd:`, and `stdin` - Enhanced readability and consistency in the instructions - Clarified handling of multiple lines in read files. - Clarified that `fd:` is not supported on Windows. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24878) (cherry picked from commit 0d4663ca6a91eb5eeb7bbe24a3b5a7cbee9e0fad)18 July 2024, 17:03:41 UTC
ff9c48b Tomas Mraz09 July 2024, 15:58:47 UTCEVP_PKEY-DH.pod: Clarify the manpage in regards to DH and DHX types Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/24819) (cherry picked from commit cf3d65b8664f11904ad34f21fe78a6694f23ae62)17 July 2024, 14:39:22 UTC
9f1c127 Tomas Mraz09 July 2024, 07:17:05 UTCDocument that DH and DHX key types cannot be used together in KEX Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/24819) (cherry picked from commit 45611a8a8962c06e1d7ba0e5c00974da17e9c37a)17 July 2024, 14:39:20 UTC
7209a6b Neil Horman15 July 2024, 18:30:16 UTCFix coverity-1604666 Coverity recently flaged an error in which the return value for EVP_MD_get_size wasn't checked for negative values prior to use, which can cause underflow later in the function. Just add the check and error out if get_size returns an error. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24896) (cherry picked from commit 22e08c7cdc596d4f16749811d1022fb8b07a8e41)17 July 2024, 14:31:32 UTC
ed96c0d Neil Horman15 July 2024, 19:59:14 UTCFix coverity-1604665 Coverity issued an error in the opt_uintmax code, detecting a potential overflow on a cast to ossl_intmax_t Looks like it was just a typo, casting m from uintmax_t to ossl_intmax_t Fix it by correcting the cast to be ossl_uintmax_t, as would be expected Theres also some conditionals that seem like they should be removed, but I'll save that for later, as there may be some corner cases in which ossl_uintmax_t isn't equal in size to uintmax_t..maybe. Fixes openssl/private#567 Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24897) (cherry picked from commit a753547eefc9739f341824a0cb0642afe7a06fcc)17 July 2024, 07:51:02 UTC
ae79bf7 Pauli15 July 2024, 04:53:54 UTCUnit test for switching from KMAC to other MAC in kbkdf. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24883) (cherry picked from commit 90c3db9e6a2bfbc1086d6d4b90d4fc7c7e565b93)17 July 2024, 04:15:46 UTC
eadf691 Pauli15 July 2024, 03:26:50 UTCFix kbkdf bug if MAC is set to KMAC and then something else A context that is set to KMAC sets the is_kmac flag and this cannot be reset. So a user that does kbkdf using KMAC and then wants to use HMAC or CMAC will experience a failure. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24883) (cherry picked from commit f35fc4f184fa8a2088cd16648c4017fa321d6712)17 July 2024, 04:15:45 UTC
b0dd54f erbsland-dev15 July 2024, 15:07:52 UTCAdd tests for long configuration lines with backslashes Introduce new test files to verify behavior with config lines longer than 512 characters containing backslashes. Updated test plan to include these new test scenarios. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24890) (cherry picked from commit 2dd74d3acb9425251a2028504f07623bd97bfe87)16 July 2024, 19:33:20 UTC
5c06b04 erbsland-dev15 July 2024, 10:16:09 UTCFix line continuation check in config parser Fixes #8038: Previously, line continuation logic did not account for the 'again' flag, which could cause incorrect removal of a backslash character in the middle of a line. This fix ensures that line continuation is correctly handled only when 'again' is false, thus improving the reliability of the configuration parser. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24890) (cherry picked from commit f54e4bc51b78c10dc99a61c087861ee2c11d7a41)16 July 2024, 19:33:19 UTC
5bff33b erbsland-dev15 July 2024, 08:50:37 UTCClarify in-place encryption behavior in documentation Fixes #7941: Update the `EVP_EncryptUpdate` documentation to specify that in-place encryption is guaranteed only if the context does not contain incomplete data from previous operations. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24887) (cherry picked from commit f692ceeedcd104407b7672c67d62d6f86f8ac182)16 July 2024, 17:43:15 UTC
6ba2f4d Neil Horman12 July 2024, 13:38:52 UTCSet down_load factor on hash table when culling items in doall oss-fuzz noted this issue: https://oss-fuzz.com/testcase-detail/5363002606419968 Which reports a heap buffer overflow during ossl_method_cache_flush_some Its occuring because we delete items from the hash table while inside its doall iterator The iterator in lhash.c does a reverse traversal of all buckets in the hash table, and at some point a removal during an iteration leads to the hash table shrinking, by calling contract. When that happens, the bucket index becomes no longer valid, and if the index we are on is large, it exceeds the length of the list, leading to an out of band reference, and the heap buffer overflow report. Fix it by preventing contractions from happening during the iteration, but setting the down_load factor to 0, and restoring it to its initial value after the iteration is done Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24867) (cherry picked from commit 01753c09bbfdffcefd555b4c21e50e68af346129)16 July 2024, 11:33:17 UTC
18df810 Matt Caswell12 July 2024, 08:16:36 UTCFix a copy & paste error in the EVP_RAND docs The "max_request" string is defined via the OSSL_RAND_PARAM_MAX_REQUEST macro. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24863) (cherry picked from commit 5c6975bd44dce4bb342b7bc130de5aaefbe2c35b)15 July 2024, 20:50:36 UTC
b575d31 Daniel Gustafsson12 July 2024, 10:08:04 UTCRearrange code examples in docs for clarity The introduction of a deprecation notice between the header include line and the function prototypes left the inclusion in the previous block. Move the #include to after the deprecation notice to ensure that the headers is included together with the corresponding MDX_y* functions. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24864) (cherry picked from commit b33f2697d953ac5dbadbe99d4110fe907b215ad8)15 July 2024, 16:32:20 UTC
6b35dc2 Matt Caswell11 July 2024, 14:49:21 UTCFix a minor typo in the documentation of RAND_set_seed_source_type() Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24858) (cherry picked from commit e8c7febc8f1b0ef9e5b62b0944748d2830b1a0b4)12 July 2024, 16:09:06 UTC
66cbca4 erbsland-dev11 July 2024, 12:02:53 UTCDocument Internal EVP_MD_CTX_ Flags Add documentation for the internal flags `EVP_MD_CTX_FLAG_CLEANED` and `EVP_MD_CTX_FLAG_REUSE`, explicitly stating that these flags are for internal use only and must not be used in user code. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24829) (cherry picked from commit b74646b627ade4ff801914d45a7733af2ebf4b5f)12 July 2024, 13:59:15 UTC
8cacf1c Dmitry Misharov10 July 2024, 12:51:04 UTCdeploy docs.openssl.org on doc changes Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24839) (cherry picked from commit 8b591dceeff52965dbde14a0e455c5d3548a2609)12 July 2024, 08:59:39 UTC
8120fb0 sashan27 June 2024, 14:31:41 UTCEVP_DigestUpdate(): Check if ctx->update is set The issue has been discovered by libFuzzer running on provider target. There are currently three distinct reports which are addressed by code change here. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=69236#c1 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=69243#c1 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=69261#c1 the issue has been introduced with openssl 3.0. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24753) (cherry picked from commit ad33d62396b7e9db04fdf060481ced394d391688)11 July 2024, 19:49:23 UTC
1b475c1 dependabot[bot]10 July 2024, 17:07:01 UTCDependabot update CLA: trivial (deps): Bump actions/setup-python Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.1.0 to 5.1.1. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v5.1.0...v5.1.1) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24843) (cherry picked from commit 00163371fa502df62465163185a9a434574d6746)11 July 2024, 07:54:27 UTC
4a86845 Neil Horman08 July 2024, 12:32:29 UTCAdd a style-check workflow Add a CI job that evaluates style issues, restricted only to lines changed for the affected files in a given commit Also provide a mechanism to waive those style issues. by applying the style:exempted label to a PR, the checks are still run (its nice to see what they are regardless), but the test will pass CI regardless of weather any issues are found. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24806) (cherry picked from commit fc22d74c53720d14f99fd880b767d8a3e4986ae2)10 July 2024, 12:33:15 UTC
ab0c60d Neil Horman08 July 2024, 12:30:49 UTCAdd a check-format-commit.sh script Add a wrapper script to check-format.pl, which is capable of analyzing commits rather than just a file. for a provided commit this script: 1) runs check-format.pl on the files changed in the provided commit 2) filters the output of check-format.pl, only producing lines that match ranges of changed lines in those files Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24806) (cherry picked from commit acae12eb781658479b4fb3fee6334fd14a3c2739)10 July 2024, 12:33:14 UTC
dc38fc5 erbsland-dev08 July 2024, 10:35:55 UTCEnhance documentation for `BN_mask_bits()` Fixes #5537 Added a note that the error check for `BN_mask_bits()` depends on the internal representation that depends on the platform's word size. Included a reference to the `BN_num_bits()` function for precise bit checking. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24812) (cherry picked from commit 2a45839778955ffcab01918f10544d46e42f9a5b)10 July 2024, 09:50:34 UTC
10318d0 olszomal08 July 2024, 09:50:35 UTCClarify supported curves in the s_client/s_server documentation Mention that supported curves (aka groups) include named EC parameters as well as X25519 and X448 or FFDHE groups. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24774) (cherry picked from commit 775188702574dcd6cc53b7a9d3501a639c146121)10 July 2024, 07:37:09 UTC
7f3fd99 Neil Horman02 July 2024, 18:27:42 UTCread lock store on ossl_method_store_do_all Theres a data race between ossl_method_store_insert and ossl_method_store_do_all, as the latter doesn't take the property lock before iterating. However, we can't lock in do_all, as the call stack in several cases later attempts to take the write lock. The choices to fix it are I think: 1) add an argument to indicate to ossl_method_store_do_all weather to take the read or write lock when doing iterations, and add an is_locked api to the ossl_property_[read|write] lock family so that subsequent callers can determine if they need to take a lock or not 2) Clone the algs sparse array in ossl_method_store_do_all and use the clone to iterate with no lock held, ensuring that updates to the parent copy of the sparse array are left untoucheTheres a data race between ossl_method_store_insert and ossl_method_store_do_all, as the latter doesn't take the property lock before iterating. I think method (2), while being a bit more expensive, is probably the far less invasive way to go here Fixes #24672 Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24782) (cherry picked from commit d8def79838cd0d5e7c21d217aa26edb5229f0ab4)09 July 2024, 09:28:26 UTC
32e52d4 Radek Krejci21 March 2024, 12:19:23 UTCAvoid NULL pointer dereference Function readbuffer_gets() misses some of the initial checks of its arguments. Not checking them can lead to a later NULL pointer dereferences. The checks are now unified with the checks in readbuffer_read() function. CLA: trivial Fixes #23915 Signed-off-by: Radek Krejci <radek.krejci@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23918) (cherry picked from commit c215d75f94fcaa598817e739221f33b71b53fb39)08 July 2024, 19:56:12 UTC
c3db0c2 Dr. David von Oheimb06 July 2024, 15:55:25 UTCcheck_format.pl: fix detection of 'if' with single stmt in braces without 'else' Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24805) (cherry picked from commit f35c0894130e34ff46a429f4373c14ca98437405)08 July 2024, 16:45:38 UTC
f68bd6f Bernd Edlinger14 November 2023, 01:55:36 UTCFix possible double-free in pkcs7 add_attribute function The problem is the ownership of the input parameter value is transfered to the X509_ATTRIBUTE object attr, as soon as X509_ATTRIBUTE_create succeeds, but when an error happens after that point there is no way to get the ownership back to the caller, which is necessary to fullfill the API contract. Fixed that by moving the call to X509_ATTRIBUTE_create to the end of the function, and make sure that no errors are possible after that point. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22721) (cherry picked from commit 82a13a1f5053462f826bfb90061f0f77e3cc98a5)08 July 2024, 10:26:17 UTC
14b3955 Dr. David von Oheimb21 June 2024, 06:11:03 UTCCMP app: fix combination of -certout and -chainout with equal filename argument This backports commit 5aec3f4a72604d76970581f1ea445b331beda608 of PR #24267 to 3.2 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24696)06 July 2024, 14:22:13 UTC
e3cedc5 Tomas Mraz02 July 2024, 13:36:03 UTCfuzz/decoder.c: Lower the limits on key checks These checks still take too long time on clusterfuzz so they are longer than the timeout limit. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/24781) (cherry picked from commit 29696af689df734cae05181d85ee04470c3839d3)05 July 2024, 11:57:00 UTC
back to top