Skip to main content
swh:1:snp:dc2a5002442a00b1c0eda7c65d04ea7455e166cd
sort by:
RevisionAuthorDateMessageCommit Date
db2ac4f Tomas Mraz04 June 2024, 12:53:04 UTCPrepare for release of 3.3.1 Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes04 June 2024, 12:53:04 UTC
70d6e09 Tomas Mraz04 June 2024, 12:53:01 UTCmake update Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes04 June 2024, 12:53:01 UTC
ecb03cd Tomas Mraz04 June 2024, 12:50:58 UTCCopyright year updates Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes04 June 2024, 12:50:58 UTC
c81e950 Randall S. Becker22 May 2024, 23:34:45 UTCDisable 70-test_quic_multistream.t when building with PUT threads. The test recipe includes a TEST_skip when OpenSSL is built with _PUT_MODEL_ based on design assumptions for QUIC and incompatibility with PUT wrapper methods. Fixes: #24442 Fixes: #24431 Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24468) (cherry picked from commit 0e2567d7293d3204de66acca0ed55bda4f0c0768)04 June 2024, 12:46:49 UTC
6152b08 Tomas Mraz03 June 2024, 14:46:41 UTCUpdate CHANGES.md and NEWS.md for the upcoming release Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24549)03 June 2024, 14:50:31 UTC
f7833b0 Ruslan Baratov29 May 2024, 00:36:53 UTC[Docs] SSL_*_use will increment reference counter Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24520) (cherry picked from commit 0c73d65eeae9086c37149f4a512946040c8c2af3)30 May 2024, 17:01:41 UTC
05b3970 shridhar kalavagunta27 May 2024, 23:43:51 UTCcmp_hdr_test.c: Fix leaks in error cases Fixes #24475 Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24511) (cherry picked from commit 0986e128ff258d482cab712aa617a533db5588ea)30 May 2024, 16:44:19 UTC
28c92a1 Gerd Hoffmann22 May 2024, 11:11:09 UTCuefi: move variables Fixes "unused variable" warnings with OPENSSL_SYS_UEFI. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24459) (cherry picked from commit 7bc10f6ce2f91714d39a0410bfc545d79913e343)30 May 2024, 16:38:39 UTC
cab6b8b Gerd Hoffmann22 May 2024, 08:18:52 UTCuefi: add typedef for uintptr_t Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24459) (cherry picked from commit 7b33501a74ec2db4e54ddcd751dd42ded32bfd5b)30 May 2024, 16:38:38 UTC
717f5dd Richard Levitte23 May 2024, 05:54:27 UTCVMS: Redefine _XOPEN_SOURCE_EXTENDED with the value 1 Some versions if the VMS C system header files seem to require this. Fixes #24466 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/24470) (cherry picked from commit f6b307d860832d3a76be20a693b92a71c83a3055)29 May 2024, 14:08:30 UTC
94a672e Amir Mohammadi22 May 2024, 16:18:51 UTCFix potential memory leak in test_bad_dtls Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24464) (cherry picked from commit abe05fda8bdbfb35de7420cab31d5e459fabc874)29 May 2024, 12:34:27 UTC
52bd95e Michael Baentsch27 May 2024, 06:12:31 UTCUpdate configurable sigalgs documentation for providers also adding to SignatureAlgorithms section Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/24499) (cherry picked from commit 90e7c12f1b238ed714786fafc26d05b59a63752b)29 May 2024, 07:39:29 UTC
3ea20ce sanumesh27 May 2024, 10:00:00 UTCthreads_pthread.c: change inline to ossl_inline Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24502) (cherry picked from commit 36ba419286843bcaeb497b3451540ab7587cf9d2)28 May 2024, 15:19:49 UTC
bfde2d0 Nek Saikou24 May 2024, 10:45:01 UTCecstresstest.c: Fix memory leak on error Fixes #24476 CLA: trivial Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24488) (cherry picked from commit 434e7f7cb4259f8c8c1463fd38fe723b3efca887)28 May 2024, 13:55:53 UTC
9c5ccb6 Matt Caswell26 April 2024, 12:58:29 UTCFurther extend the SSL_free_buffers testing We extend the testing to test what happens when pipelining is in use. Follow on from CVE-2024-4741 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24395) (cherry picked from commit c1bd38a003fa19fd0d8ade85e1bbc20d8ae59dab)28 May 2024, 12:37:28 UTC
359b18d Matt Caswell26 April 2024, 10:05:52 UTCMove the ability to load the dasync engine into ssltestlib.c The sslapitest has a helper function to load the dasync engine which is useful for testing pipelining. We would like to have the same facility from sslbuffertest, so we move the function to the common location ssltestlib.c Follow on from CVE-2024-4741 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24395) (cherry picked from commit 05752478df623a9ddf849f897b630c1e0728cb7c)28 May 2024, 12:37:27 UTC
84e0230 Matt Caswell25 April 2024, 08:34:16 UTCExtend the SSL_free_buffers testing Test that attempting to free the buffers at points where they should not be freed works as expected. Follow on from CVE-2024-4741 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24395) (cherry picked from commit 566f3069169b9fab4fbb23da98c3c91730dd5209)28 May 2024, 12:37:27 UTC
d9dd9af Matt Caswell23 April 2024, 15:36:11 UTCSet rl->packet to NULL after we've finished using it In order to ensure we do not have a UAF we reset the rl->packet pointer to NULL after we free it. Follow on from CVE-2024-4741 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24395) (cherry picked from commit bfb8128190632092b3a66465838b87b469455cec)28 May 2024, 12:37:27 UTC
e509313 Matt Caswell23 April 2024, 15:34:46 UTCOnly free the read buffers if we're not using them If we're part way through processing a record, or the application has not released all the records then we should not free our buffer because they are still needed. CVE-2024-4741 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24395) (cherry picked from commit 38690cab18de88198f46478565fab423cf534efa)28 May 2024, 12:37:27 UTC
f84622c Randall S. Becker20 May 2024, 22:23:04 UTCAdded an explicit yield (OP_SLEEP) to QUIC testing for cooperative threading. Fixes: #24442 Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24443) (cherry picked from commit b9e084f139c53ce133e66aba2f523c680141c0e6)22 May 2024, 15:29:46 UTC
67a92c5 Ruslan Baratov18 May 2024, 15:34:19 UTC[Docs] Default value for verification flags is 'SSL_VERIFY_NONE' Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24435) (cherry picked from commit a73e07dbb7df4795c4ec537f19516b541fb8dd3c)22 May 2024, 13:13:25 UTC
bc73967 Hongren Zheng16 May 2024, 08:41:25 UTCfips provider: explicitly setup cpuid when initializing Fixes: #23979 Previously fips module relied on OPENSSL_cpuid_setup being used as constructor by the linker to correctly setup the capability vector, either via .section .init (for x86_64) or via __attribute__((constructor)). This would make ld.so call OPENSSL_cpuid_setup before the init function for fips module. However, this early constructing behavior has several disadvantages: 1. Not all platform/toolchain supports such behavior 2. Initialisation sequence is not well defined, and some function might not be initialized when cpuid_setup is called 3. Implicit path is hard to maintain and debug Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24419) (cherry picked from commit a192b2439c0207ce1b04ba6137329b68f9e23680)20 May 2024, 08:15:49 UTC
52313d3 shridhar kalavagunta30 April 2024, 01:59:57 UTCFix mem leak in threadpool_test.c Fixes #24104 Added a goto label for cleanup. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24412) (cherry picked from commit 4dbd4925dfc61d93df678df607504f62b0ac3dcc)20 May 2024, 08:12:19 UTC
9baa68b James Muir16 May 2024, 02:07:58 UTCFix typo in CONTRIBUTING.md CLA: trivial Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24413) (cherry picked from commit 45f5d51b72a262bf85c4461fbded91485ce6b9da)17 May 2024, 07:10:19 UTC
53ea064 Tomas Mraz08 May 2024, 13:23:45 UTCCheck DSA parameters for excessive sizes before validating This avoids overly long computation of various validation checks. Fixes CVE-2024-4603 Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/24346) (cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)16 May 2024, 13:45:07 UTC
2613ccc DominikN05 April 2024, 21:06:41 UTCUpdate openssl-smime.pod.in Remove duplicate entries for -nocerts and -noattr CLA:trivial Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24052) (cherry picked from commit 5a0c92cf093b4f0aa65f4fdbff88d7bdc83491f3)15 May 2024, 11:29:12 UTC
2f3d849 Ruslan Baratov12 May 2024, 08:33:59 UTC[Docs] 'SSL_CTX_set_cert_store' ownership of 'store' Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24375) (cherry picked from commit 987baef4fa54d268d7eaa93837a56398409698a1)15 May 2024, 10:22:57 UTC
c54efee Liu-Ermeng08 January 2024, 04:01:29 UTCfix sm2 encryption implementation bug. According to the "GB/T 32918.4-2016" section 6.1 encryption, step A5: If result of the "KDF" is all zeros, we should go back to the begin(step A1). section 7.1 decryption, step B4: If result of the "KDF" is all zeros, we should raise error and exit. Signed-off-by: Liu-Ermeng <liuermeng2@huawei.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23210) (cherry picked from commit 170620675dfd74f34bdcf8aba71dffeb07f3d533)15 May 2024, 09:17:42 UTC
843d42b Tomas Mraz09 May 2024, 08:48:56 UTCsslapitest.c: With fips skip tests depending on X25519 and X448 Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24347) (cherry picked from commit f6e469808501f52c7e8f8679d6c3290cf1c258b3)14 May 2024, 16:12:03 UTC
fa30357 Tomas Mraz10 May 2024, 12:50:46 UTC90-test_sslapi.t: Fix execution of sslapitest with fips provider Default configuration of the fips provider for tests is pedantic which means that sslapitest was not fully executed with fips provider. The ems check must be switched off for full execution. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24347) (cherry picked from commit d2af5e4c946afb59d3512b440642f0da775d198f)14 May 2024, 16:12:01 UTC
32ca45d Tomas Mraz17 April 2024, 16:05:35 UTCtest/ssl-tests: Avoid depending on X25519 and X448 being fips approved Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24348)14 May 2024, 16:03:39 UTC
b727850 Tomas Mraz08 May 2024, 14:13:30 UTCquicapitest.c: Make test_ssl_trace to be insensitive to fips changes Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24348)14 May 2024, 16:03:39 UTC
f7cbc2d irosay10 May 2024, 16:37:52 UTCRelease pkey_ctx on initialization failure CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24366) (cherry picked from commit 3e9d933882407a0792dc3466ba9a0d53d40677a7)14 May 2024, 15:59:08 UTC
1c4bd5d naaysayer02 March 2024, 09:35:35 UTCapps/pkcs12: Not writing the private key file until the import password is verified Fixes #904 CLA: trivial Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23729) (cherry picked from commit f5462572a1873482ce38646cbf00dfc483f02068)14 May 2024, 13:37:30 UTC
3ea11a8 Jacob Champion06 May 2024, 16:50:11 UTCAdd reason codes with the correct offset for two alerts Fixes #24300. The current values of SSL_R_NO_APPLICATION_PROTOCOL and SSL_R_PSK_IDENTITY_NOT_FOUND don't allow for a correct lookup of the corresponding reason strings. CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24351) (cherry picked from commit a401aaf9ed6eb34842cdedfcc35448bdc4174df3)14 May 2024, 13:27:42 UTC
5bc941f Georgi Valkov03 May 2024, 04:51:08 UTCthreads_win: fix build error with VS2010 VC 2010 or earlier compilers do not support static inline. To work around this problem, we can use the ossl_inline macro. Fixes: crypto\threads_win.c(171) : error C2054: expected '(' to follow 'inline' crypto\threads_win.c(172) : error C2085: 'get_hold_current_qp' : not in formal parameter list crypto\threads_win.c(172) : error C2143: syntax error : missing ';' before '{' crypto\threads_win.c(228) : warning C4013: 'get_hold_current_qp' undefined; assuming extern returning int crypto\threads_win.c(228) : warning C4047: '=' : 'rcu_qp *' differs in levels of indirection from 'int' Signed-off-by: Georgi Valkov <gvalkov@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24370) (cherry picked from commit d8dd1dfdf5cf2343f6afd43dad4ce37045218624)14 May 2024, 13:26:03 UTC
a8d884e Daiki Ueno13 May 2024, 00:07:57 UTCdoc: Fix description of EVP_CIPHER_CTX_dup This fixes a couple of copy and paste error from EVP_MD_CTX_dup, where: EVP_CIPHER_CTX_dup is useful to avoid multiple EVP_CIPHER_fetch (instead of EVP_MD_fetch) and returns EVP_CIPHER_CTX (instead of EVP_MD_CTX). Signed-off-by: Daiki Ueno <dueno@redhat.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24376) (cherry picked from commit 7860bca22c404cfd763ae2648d708d5cc4df6c2f)14 May 2024, 07:28:52 UTC
9ba96a5 Georgi Valkov04 May 2024, 08:24:08 UTCquic_multistream_test: fix undefined symbol snprintf with VS2010 As snprintf is not available everywhere, use BIO_snprintf instead. Fixes: IF EXIST test\quic_multistream_test.exe.manifest DEL /F /Q test\quic_multistream_test.exe.manifest "link" /nologo /debug setargv.obj /subsystem:console /opt:ref /nologo /debug @V:\_tmp\nm4.tmp quic_multistream_test-bin-quic_multistream_test.obj : error LNK2019: unresolved external symbol _snprintf referenced in function _helper_init test\quic_multistream_test.exe : fatal error LNK1120: 1 unresolved externals NMAKE : fatal error U1077: '"E:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\BIN\link.EXE"' : return code '0x460' Signed-off-by: Georgi Valkov <gvalkov@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24369) (cherry picked from commit c02f952b48927af9fc4e991d7ead89a4cd1636bc)14 May 2024, 07:07:15 UTC
8702320 Hongren Zheng26 April 2024, 06:03:43 UTCImplement riscv_vlen_asm for riscv32 riscvcap.c: undefined reference to 'riscv_vlen_asm' Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24270) (cherry picked from commit 87314d24c4f025df1ebf47dc527cc8a96bef354a)10 May 2024, 15:03:14 UTC
d03e5fa Tomas Mraz12 April 2024, 09:16:17 UTCtls_provider_init(): Rename prov_ctx to xor_prov_ctx to clarify Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24103) (cherry picked from commit 3de3d481b269e9831d0b9abd3598b262647ae050)10 May 2024, 11:55:24 UTC
e65b97f Tomas Mraz11 April 2024, 08:05:04 UTCtls_provider_init(): Fix leaks in error cases Fixes #24101 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24103) (cherry picked from commit 2a5d733e64f009f758163da852f1e7fee6aea0a2)10 May 2024, 11:55:23 UTC
7f07d43 dependabot[bot]08 May 2024, 17:11:38 UTCDependabot update: Bump coverallsapp/github-action CLA: trivial (deps): Bump coverallsapp/github-action Bumps [coverallsapp/github-action](https://github.com/coverallsapp/github-action) from 2.2.3 to 2.3.0. - [Release notes](https://github.com/coverallsapp/github-action/releases) - [Commits](https://github.com/coverallsapp/github-action/compare/v2.2.3...v2.3.0) --- updated-dependencies: - dependency-name: coverallsapp/github-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24350) (cherry picked from commit 13d37d8f7557ee7935032ea832eab3e3c5540158)09 May 2024, 07:38:30 UTC
351f06e Viktor Dukhovni27 March 2024, 22:15:29 UTCAvoid memory leak in x509_test error path Fixes #23897 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23991) (cherry picked from commit 7cbca5a6d6e792c75c414e1f3fb22e2afae67988)08 May 2024, 08:54:17 UTC
c42c63d Huiyue Xu09 November 2023, 02:54:02 UTCAdd linux-arm64ilp32-clang target While clang 15 config target by '--target', not cannot support '-mabi=ilp32', so add the linux-arm64ilp32-clang target. Signed-off-by: Huiyue Xu <xuhuiyue@huawei.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22666) (cherry picked from commit 69bd5e4fff8ac9bf4dc3ed6fd87b5a5858edbb01)07 May 2024, 09:49:21 UTC
bc3e414 Neil Horman02 February 2024, 13:10:32 UTCFix potential divide by zero error Coverity caught the following issues: 1591477 1591475 1591473 1591470 all of which are simmilar, in that they catch potential divide by zero in double values. It can't actually happen since the the threads which increment these counters don't exit until they reach non-zero values, but its easy to add the checks, so lets do that to ensure that we don't change something in the future that causes it. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24337)06 May 2024, 14:17:23 UTC
27504de Neil Horman02 February 2024, 13:20:50 UTCCoverity found the following issues: 1591471 1591474 1591476 which pertain to memory leaks in the conf_mod code If an error is encountered after the module STACK_OF is duplicated or created in the new_modules variable, we need to remember to free it in the error path Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24337)06 May 2024, 14:17:14 UTC
287165f Matt Caswell01 May 2024, 10:23:57 UTCFix undefined behaviour in the event of a zero length session id Don't attempt to memcpy a NULL pointer if the length is 0. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24309) (cherry picked from commit 97c6489b39c966c6e5169b9b92ec5fa9a35c7ba3)06 May 2024, 08:45:19 UTC
5cd8608 Matt Caswell30 April 2024, 14:35:42 UTCDocument the SSL_set_session_secret_cb() function This function is only useful for EAP-FAST, but was previously undocumented. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24309) (cherry picked from commit aecaaccaf93c4b36dd830accf08f2175059c5782)06 May 2024, 08:45:18 UTC
9919027 Matt Caswell30 April 2024, 13:31:26 UTCSet the server sig algs before calling the session_secret_cb Setting the server sig algs sets up the certificate "s3->tmp.valid_flags". These are needed when calling ssl3_choose_cipher() which can happen immediately after calling the session_secret_cb Fixes #24213 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24309) (cherry picked from commit 91c7ab27cebe4e6f6a6376e0a691736a2534fdd0)06 May 2024, 08:45:17 UTC
5cb2a8f Matt Caswell29 April 2024, 15:58:24 UTCAdd a test for the session_secret_cb Ensure that if a session_secret_cb is being used that a connection can be successfully made Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24309) (cherry picked from commit c8dddc61d49f84d1667de97e9548f07ccc92dddf)06 May 2024, 08:45:15 UTC
168e49b Jiasheng Jiang01 May 2024, 20:03:13 UTCtest/threadstest.c: Add checks for CRYPTO_THREAD_lock_new() Add checks for the return value of CRYPTO_THREAD_lock_new() in order to avoid Null pointer dereference. Fixes: 5f8b812931 ("Add locking to atomic operations in rw/rcu tests") Fixes: d0e1a0ae70 ("RCU lock implementation") Fixes: 71a04cfca0 ("Implement new multi-threading API") Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24313) (cherry picked from commit 327261c076b8468382e1effea14d79446cc22b4d)06 May 2024, 08:26:18 UTC
12d40c9 Bernd Edlinger07 September 2023, 16:05:44 UTCFix error handling in CMS_EncryptedData_encrypt That caused several memory leaks in case of error. Also when the CMS object that is created by CMS_EncryptedData_encrypt is not used in the normal way, but instead just deleted by CMS_ContentInfo_free some memory was lost. Fixes #21985 Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22031) (cherry picked from commit 6d2a01cdfb56fdb8ea5d5dd417724e6906c8b8e2)06 May 2024, 08:13:40 UTC
375447b Tomas Mraz30 April 2024, 09:46:26 UTCCorrect top for EC/DSA nonces if BN_DEBUG is on Otherwise following operations would bail out in bn_check_top(). Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24265) (cherry picked from commit a380ae85be287045b1eaa64d23942101a426c080)02 May 2024, 07:23:09 UTC
d39f574 Tomas Mraz25 April 2024, 18:18:51 UTCAdjust FIPS EC/DSA self test data for different nonce generation Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24265) (cherry picked from commit 8a1f65468064e39f65ef4918c62db73a9eef80e4)02 May 2024, 07:23:08 UTC
1c3286a Tomas Mraz29 April 2024, 15:56:01 UTCRename BN_generate_dsa_nonce() to ossl_bn_gen_dsa_nonce_fixed_top() And create a new BN_generate_dsa_nonce() that corrects the BIGNUM top. We do this to avoid leaking fixed top numbers via the public API. Also add a slight optimization in ossl_bn_gen_dsa_nonce_fixed_top() and make it LE/BE agnostic. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24265) (cherry picked from commit 9c85f6cd2d6debe5ef6ef475ff4bf17e0985f7a2)02 May 2024, 07:23:07 UTC
d99332f Tomas Mraz25 April 2024, 17:26:08 UTCAdd ossl_bn_priv_rand_range_fixed_top() and use it for EC/DSA Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24265) (cherry picked from commit 13b3ca5c998e6db4f7251a56c43541cb1a422bd0)02 May 2024, 07:23:06 UTC
2c1c0aa Tomas Mraz25 April 2024, 13:35:36 UTCMake ossl_gen_deterministic_nonce_rfc6979() constant time Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24265) (cherry picked from commit 2d285fa873028f6cff9484a0cdf690fe05d7fb16)02 May 2024, 07:23:04 UTC
86ce09a Tomas Mraz11 April 2024, 11:10:09 UTCMake BN_generate_dsa_nonce() constant time and non-biased Co-authored-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24265) (cherry picked from commit d7d1bdcb6aa3d5000bf7f5ebc5518be5c91fd5a5)02 May 2024, 07:23:01 UTC
85a9708 sapph2c30 April 2024, 00:26:54 UTCFixed typos in EVP_PKEY_decrypt.pod and RSA_public_encrypt.pod CLA: trivial Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24304) (cherry picked from commit f4601b6de709a89120c86ad825b70f65b332deed)01 May 2024, 13:18:34 UTC
91d5fd5 Matt Caswell25 March 2024, 12:32:17 UTCFix intermittent sslapitest early data related failures Early data is time sensitive. We have an approx 8 second allowance between writing the early data and reading it. If we exceed that time tests will fail. This can sometimes (rarely) occur in normal CI operation. We can try and detect this and just ignore the result of such test failures if the test has taken too long. We assume anything over 7 seconds is too long. This is a partial fix for #22605 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23966) (cherry picked from commit 1848c561ec39a9ea91ff1bf740a554be274f98b0)01 May 2024, 07:52:05 UTC
eb3b903 Matt Caswell25 March 2024, 11:53:35 UTCUse OSSL_TIME instead of using arithmetic directly on time_t We have functions for adding/subtracting time. We should use them. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23966) (cherry picked from commit afb6ce0d0f5b8e88f8b4f420aba0a8e59f58934f)01 May 2024, 07:52:05 UTC
bbae0c9 Robert Schulze29 April 2024, 11:27:07 UTCFix race for X509 store found by thread sanitizer The following issue was found in automatic tests with thread sanitizer builds in ClickHouse (which uses OpenSSL 3.2.1) [0]. The first stack [1] does proper locking (function 'x509_store_add', x509_lu.c) but in the second stack [2], function 'get_cert_by_subject_ex' (by_dir.b) forgets to lock when calling 'sk_X509_OBJECT_is_sorted'. [0] https://github.com/ClickHouse/ClickHouse/issues/63049 [1] WARNING: ThreadSanitizer: data race (pid=1870) Write of size 4 at 0x7b08003d6810 by thread T552 (mutexes: write M0, write M1, write M2, write M3): #0 OPENSSL_sk_insert build_docker/./contrib/openssl/crypto/stack/stack.c:280:16 (clickhouse+0x203ad7e4) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #1 OPENSSL_sk_push build_docker/./contrib/openssl/crypto/stack/stack.c:401:12 (clickhouse+0x203ad7e4) #2 x509_store_add build_docker/./contrib/openssl/crypto/x509/x509_lu.c:419:17 (clickhouse+0x203d4a52) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #3 X509_STORE_add_cert build_docker/./contrib/openssl/crypto/x509/x509_lu.c:432:10 (clickhouse+0x203d48a2) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #4 X509_load_cert_file_ex build_docker/./contrib/openssl/crypto/x509/by_file.c:127:18 (clickhouse+0x203b74e6) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #5 get_cert_by_subject_ex build_docker/./contrib/openssl/crypto/x509/by_dir.c:333:22 (clickhouse+0x203b684c) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #6 X509_LOOKUP_by_subject_ex build_docker/./contrib/openssl/crypto/x509/x509_lu.c:105:16 (clickhouse+0x203d46ec) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #7 ossl_x509_store_ctx_get_by_subject build_docker/./contrib/openssl/crypto/x509/x509_lu.c:360:17 (clickhouse+0x203d46ec) #8 X509_STORE_CTX_get1_issuer build_docker/./contrib/openssl/crypto/x509/x509_lu.c:782:10 (clickhouse+0x203d56cb) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #9 get1_trusted_issuer build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:3194:10 (clickhouse+0x203db4a9) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #10 build_chain build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:3324:40 (clickhouse+0x203db4a9) #11 verify_chain build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:240:15 (clickhouse+0x203dbe27) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #12 x509_verify_x509 build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:358 (clickhouse+0x203d7fd8) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #13 X509_verify_cert build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:293:56 (clickhouse+0x203d8215) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #14 ssl_verify_internal build_docker/./contrib/openssl/ssl/ssl_cert.c:496:13 (clickhouse+0x2019a2a4) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #15 ssl_verify_cert_chain build_docker/./contrib/openssl/ssl/ssl_cert.c:543:12 (clickhouse+0x2019a402) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #16 tls_post_process_server_certificate build_docker/./contrib/openssl/ssl/statem/statem_clnt.c:2072:9 (clickhouse+0x20227658) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #17 ossl_statem_client_post_process_message build_docker/./contrib/openssl/ssl/statem/statem_clnt.c:1159:16 (clickhouse+0x202272ee) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #18 read_state_machine build_docker/./contrib/openssl/ssl/statem/statem.c:712:35 (clickhouse+0x2021e96d) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #19 state_machine build_docker/./contrib/openssl/ssl/statem/statem.c:478:21 (clickhouse+0x2021e96d) #20 ossl_statem_connect build_docker/./contrib/openssl/ssl/statem/statem.c:297:12 (clickhouse+0x2021ddce) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #21 SSL_do_handshake build_docker/./contrib/openssl/ssl/ssl_lib.c:4746:19 (clickhouse+0x201a5781) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #22 SSL_connect build_docker/./contrib/openssl/ssl/ssl_lib.c:2208:12 (clickhouse+0x201a5893) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #23 Poco::Net::SecureSocketImpl::connectSSL(bool) build_docker/./base/poco/NetSSL_OpenSSL/src/SecureSocketImpl.cpp:206:11 (clickhouse+0x1d179567) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) [2] Previous read of size 4 at 0x7b08003d6810 by thread T553 (mutexes: write M4, write M5, write M6): #0 OPENSSL_sk_is_sorted build_docker/./contrib/openssl/crypto/stack/stack.c:490:33 (clickhouse+0x203adcff) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #1 get_cert_by_subject_ex build_docker/./contrib/openssl/crypto/x509/by_dir.c:423:10 (clickhouse+0x203b6d8f) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #2 X509_LOOKUP_by_subject_ex build_docker/./contrib/openssl/crypto/x509/x509_lu.c:105:16 (clickhouse+0x203d46ec) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #3 ossl_x509_store_ctx_get_by_subject build_docker/./contrib/openssl/crypto/x509/x509_lu.c:360:17 (clickhouse+0x203d46ec) #4 X509_STORE_CTX_get1_issuer build_docker/./contrib/openssl/crypto/x509/x509_lu.c:782:10 (clickhouse+0x203d56cb) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #5 get1_trusted_issuer build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:3194:10 (clickhouse+0x203db4a9) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #6 build_chain build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:3324:40 (clickhouse+0x203db4a9) #7 verify_chain build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:240:15 (clickhouse+0x203dbe27) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #8 x509_verify_x509 build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:358 (clickhouse+0x203d7fd8) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #9 X509_verify_cert build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:293:56 (clickhouse+0x203d8215) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #10 ssl_verify_internal build_docker/./contrib/openssl/ssl/ssl_cert.c:496:13 (clickhouse+0x2019a2a4) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #11 ssl_verify_cert_chain build_docker/./contrib/openssl/ssl/ssl_cert.c:543:12 (clickhouse+0x2019a402) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #12 tls_post_process_server_certificate build_docker/./contrib/openssl/ssl/statem/statem_clnt.c:2072:9 (clickhouse+0x20227658) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #13 ossl_statem_client_post_process_message build_docker/./contrib/openssl/ssl/statem/statem_clnt.c:1159:16 (clickhouse+0x202272ee) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #14 read_state_machine build_docker/./contrib/openssl/ssl/statem/statem.c:712:35 (clickhouse+0x2021e96d) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #15 state_machine build_docker/./contrib/openssl/ssl/statem/statem.c:478:21 (clickhouse+0x2021e96d) #16 ossl_statem_connect build_docker/./contrib/openssl/ssl/statem/statem.c:297:12 (clickhouse+0x2021ddce) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #17 SSL_do_handshake build_docker/./contrib/openssl/ssl/ssl_lib.c:4746:19 (clickhouse+0x201a5781) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #18 SSL_connect build_docker/./contrib/openssl/ssl/ssl_lib.c:2208:12 (clickhouse+0x201a5893) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) #19 Poco::Net::SecureSocketImpl::connectSSL(bool) build_docker/./base/poco/NetSSL_OpenSSL/src/SecureSocketImpl.cpp:206:11 (clickhouse+0x1d179567) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b) CLA: trivial Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24295) (cherry picked from commit af75373eeab6040aba243dd7629fb6f8244f2f5d)30 April 2024, 15:22:39 UTC
d65c1de leerubin1328 April 2024, 21:50:32 UTCess_lib.c: Changed ERR_LIB_CMS to ERR_LIB_ESS This fixes an incorrect error message. Fixes #24224 CLA: trivial Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24290) (cherry picked from commit 2d29a8a7e8ef42050d2b08ca8cec9e4d9f0a0bb7)30 April 2024, 07:22:01 UTC
6de46a0 Daniel McCarney21 March 2024, 19:41:11 UTCdoc: clarify SSL_CIPHER_description allocation Previously the documentation for `SSL_CIPHER_description` said: > If buf is provided, it must be at least 128 bytes, otherwise a buffer > will be allocated using OPENSSL_malloc(). In reality, `OPENSSL_malloc` is only invoked if the provided `buf` argument is `NULL`. If the `buf` arg is not `NULL`, but smaller than 128 bytes, the function returns `NULL` without attempting to allocate a new buffer for the description. This commit adjusts the documentation to better describe the implemented behaviour. CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23921) (cherry picked from commit 6a4a714045415be6720f4165c4d70a0ff229a26a)29 April 2024, 09:07:24 UTC
d0b039a Dmitry Misharov25 April 2024, 12:53:26 UTCarchive artifacts before upload Some CI jobs produce a significant amount artifacts and it takes a lot of time to upload them into GitHub artifacts storage. It will be much faster to upload only one archive with artifacts. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24264) (cherry picked from commit 58ffcbbdc3302a35cea317aeee6b76987907ee60)29 April 2024, 08:35:06 UTC
8a5a6a1 Michael Baentsch25 April 2024, 07:05:07 UTCupdated to oqs-provider 0.6.0 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24261) (cherry picked from commit 7b1829fa37922a37ef9259fc1bc4038829e4fd73)29 April 2024, 08:29:48 UTC
6bd3d18 Tomas Mraz22 March 2024, 15:11:42 UTC82-test_ocsp_cert_chain.t: kill -HUP the server after client quits This ensures even if the connection for some reason fails, the server will terminate and the test won't get stuck. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/23857) (cherry picked from commit f4fcc21fdccfde90bda6f8a94d7f4e07f947e38f)29 April 2024, 08:26:35 UTC
0f438e9 Tomas Mraz15 March 2024, 14:33:01 UTC82-test_ocsp_cert_chain.t: Terminate the server after 1 connection Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/23857) (cherry picked from commit 7054412ea8bb49d9522c3dd99982e41bf08c3ef7)29 April 2024, 08:26:33 UTC
b4604d5 Takehiko Yokota24 April 2024, 09:03:59 UTCAdd an Apple privacy info file for OpenSSL Added PrivacyInfo.xcprivacy to os-dep/Apple/ dir. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24260) (cherry picked from commit bde66e828dd2869d02225e4aab01d0983f242ae3)26 April 2024, 12:02:44 UTC
5d52b1a Tomas Mraz16 February 2024, 15:24:49 UTCUpdate perl-actions/install-with-cpanm version in CI Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/23613) (cherry picked from commit 599bc929baa3c5496342641e028e4c482aed7449)24 April 2024, 15:58:18 UTC
aee4db3 Randall S. Becker19 April 2024, 22:15:10 UTCRemove all references to FLOSS for NonStop Builds. FLOSS is no longer a dependency for NonStop as of the deprecation of the SPT thread model builds. Fixes: #24214 Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24217) (cherry picked from commit 0339382abad578ccb3989799ea2fb99dfb2d099b)24 April 2024, 07:35:54 UTC
8f56d06 shridhar kalavagunta21 April 2024, 23:48:33 UTCInvoke tear_down when exiting test_encode_tls_sct() prematurely Fixes #24121 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24222) (cherry picked from commit 264ff64b9443e60c7c93af0ced2b22fdf622d179)23 April 2024, 09:35:01 UTC
50a8198 Hubert Kario16 April 2024, 12:57:21 UTCBe more explicit about RSAES-PKCS#1v1.5 error handling And add a note how to perform side-channel free error stack handling. Signed-off-by: Hubert Kario <hkario@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24159) (cherry picked from commit 98161274636dca12e3bfafab7d2d2ac28f4d7c30)22 April 2024, 13:57:37 UTC
a24739f Neil Horman19 April 2024, 14:17:54 UTCFix missing NULL check in prov_config_test coverity-1596500 caught a missing null check. We should never hit it as the test harness always sets the environment variable, but lets add the check for safety Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24208) (cherry picked from commit 6ee369cd6ec751c03879da56178e75e2691e08cb)22 April 2024, 11:17:27 UTC
8ffc172 Rajeev Ranjan25 March 2024, 13:00:58 UTCfix sending error when no root CA cert update available Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24169) (cherry picked from commit fc9649f61a8ac5f980da6807214fcbbbae1c45aa)22 April 2024, 06:31:46 UTC
e5b1c72 slontis05 April 2024, 04:32:23 UTCFix migration guide mappings for i2o/o2i_ECPublicKey Fixes #23854 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24041) (cherry picked from commit 6594baf6457c64f6fce3ec60cb2617f75d98d159)19 April 2024, 18:31:04 UTC
4523cbe Richard Levitte17 April 2024, 09:31:31 UTCOSSL_STORE: Add reference docs for the built-in Windows store implementation Fixes openssl/project#422 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24170) (cherry picked from commit faa4a10ebe5095765262c0e3c711fca08026c3d4)19 April 2024, 12:21:26 UTC
7701ca4 Neil Horman05 April 2024, 13:06:10 UTCFix up path generation to use OPENSSL_MODULES Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24025) (cherry picked from commit 4e3c1e6206251c59855362d6d2edab4621c31dec)18 April 2024, 16:39:49 UTC
3630199 Neil Horman04 April 2024, 19:39:17 UTCUpdate modulepath test for provider config to skip if not present If the p_test.so library isn't present, don't run the test Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24025) (cherry picked from commit b80fed3f27ebe156b17246f7c12c5178cbe6834e)18 April 2024, 16:39:48 UTC
a15b30e Neil Horman03 April 2024, 19:18:33 UTCAdd test for OSSL_PROVIDER_load with module path set Ensure that, with the modulepath setting set in a config field, that we are able to load a provider from the path relative to OPENSSL_MODULES Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24025) (cherry picked from commit 91a77cbf66c575345cf1eab31717e8edafcd1633)18 April 2024, 16:39:48 UTC
bad44ba Neil Horman02 April 2024, 19:02:51 UTCset module path from template Modules that aren't activated at conf load time don't seem to set the module path from the template leading to load failures. Make sure to set that Fixes #24020 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24025) (cherry picked from commit bc9595963a45e28e6a8b2de45a6719c252bd3a3d)18 April 2024, 16:39:46 UTC
942fdf9 Hugo Landau12 April 2024, 06:58:24 UTCQUIC TXP: Fix reserve calculations for PING frames Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24122) (cherry picked from commit c3542b22fa3f14d7b6c970d4b2c38a737d6ed8a4)18 April 2024, 15:42:49 UTC
4a7a7b7 Richard Levitte16 April 2024, 09:48:52 UTC.ctags.d is previous, include it in our tarballs This is a simple change of .gitattributes, so our tarballs continue to be a reproducible output of a util/mktar.sh (i.e. git archive with no other funny business). Fixes #24090 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24156) (cherry picked from commit e1fd043ad7fa865a8ef9160c892b49a098d23c71)17 April 2024, 16:44:48 UTC
df4bc0f Jerry Shih09 March 2024, 07:03:56 UTCUse scalar ALU and vector ALU together for chacha20 stream cipher Fixes #24070 Use scalar ALU for 1 chacha block with rvv ALU simultaneously. The tail elements(non-multiple of block length) will be handled by the scalar logic. Use rvv path if the input length > chacha_block_size. And we have about 1.2x improvement comparing with the original code. Reviewed-by: Hongren Zheng <i@zenithal.me> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24097) (cherry picked from commit da8b6308bd7ad5b7c779aa2d9123bf5faacaec7f)17 April 2024, 14:55:46 UTC
20c6924 Tomas Mraz12 April 2024, 13:37:58 UTCfuzz/decoder.c: Limit the EVP_PKEY_param_check on DHX keys as well Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24126) (cherry picked from commit 8d8a0144303374f69f73fc944dd55c68600d15e5)17 April 2024, 07:30:39 UTC
1c95d96 trinity-1686a15 April 2024, 09:13:14 UTCHandle empty param in EVP_PKEY_CTX_add1_hkdf_info Fixes #24130 The regression was introduced in PR #23456. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24141) (cherry picked from commit 299996fb1fcd76eeadfd547958de2a1b822f37f5)17 April 2024, 06:53:21 UTC
dfeaa1a Alexandr Nedvedicky26 January 2024, 07:05:47 UTCOpenSSL 3.2.0, QUIC, macOS, error 56 on connected UDP socket current `translate_msg()` function attempts to set `->msg_name` (and `->msg_namelen`) with `BIO`'s peer name (connection destination) regardless if underlying socket is connected or not. Such implementation uncovers differences in socket implementation between various OSes. As we have learned hard way `sendmsg()` and `sendmmsg()` on `OpenBSD` and (`MacOS` too) fail to send messages with `->msg_name` being set on connected socket. In such case the caller receives `EISCON` errro. I think `translate_msg()` caller should provide a hint to indicate whether we deal with connected (or un-connected) socket. For connected sockets the peer's name should not be set/filled by `translate_msg()`. On the other hand if socket is un-connected, then `translate_msg()` must populate `->msg_name` and `->msg_namelen` members. The caller can use `getpeername(2)` to see if socket is connected. If `getpeername()` succeeds then we must be dealing with connected socket and `translate_msg()` must not set `->msg_name` and `->msg_namelen` members. If `getpeername(2)` fails, then `translate_msg()` must provide peer's name (destination address) in `->msg_name` and set `->msg_namelen` accordingly. The propposed fix introduces `is_connected()` function, which applies `getpeername()` to socket bound to `BIO` instance. The `dgram_sendmmsg()` uses `is_connected()` as a hint for `translate_msg()` function, so msghdr gets initialized with respect to socket state. The change also modifies existing `test/quic_client_test.c` so it also covers the case of connected socket. To keep things simple we can introduce optional argument `connect_first` to `./quic_client_test` function. Without `connect_first` the test run as usual. With `connect_first` the test creates and connects socket first. Then it passes such socket to `BIO` sub-system to perform `QUIC` connect test as usual. Fixes #23251 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23396) (cherry picked from commit c062403abd71550057b3647b01cc8af4cc2fc18c)16 April 2024, 14:37:18 UTC
0052d29 Richard Levitte08 April 2024, 13:14:40 UTCdoc/fingerprints.txt: Add the future OpenSSL release key This will be used for future releases Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24063) (cherry picked from commit 4ffef97d3755a0425d5d72680daebfa07383b05c)16 April 2024, 14:20:52 UTC
8cecc55 Richard Levitte12 April 2024, 08:03:21 UTCcrypto/threads_pthread.c: refactor all atomics fallbacks for type safety The atomics fallbacks were using 'void *' as a generic transport for all possible scalar and pointer types, with the hypothesis that a pointer is as large as the largest possible scalar type that we would use. Then enters the use of uint64_t, which is larger than a pointer on any 32-bit system (or any system that has 32-bit pointer configurations). We could of course choose a larger type as a generic transport. However, that only pushes the problem forward in time... and it's still a hack. It's therefore safer to reimplement the fallbacks per type that atomics are used for, and deal with missing per type fallbacks when the need arrises in the future. For test build purposes, the macro USE_ATOMIC_FALLBACKS is introduced. If OpenSSL is configured with '-DUSE_ATOMIC_FALLBACKS', the fallbacks will be used, unconditionally. Fixes #24096 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24123) (cherry picked from commit a02077d4d7aeb0c99cc88cdfc7c131e48f98c4de)16 April 2024, 07:18:45 UTC
6d1963b Richard Levitte11 April 2024, 15:10:38 UTCcrypto/threads_pthread.c: Cleanup misaligned preprocessor directives Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24123) (cherry picked from commit 81f393498b333534111e320a33e3b244db06bbe9)16 April 2024, 07:18:43 UTC
af187d8 afshinpir28 February 2024, 03:58:03 UTCAdding missing NULL pointer check CLA: trivial In the provider store API, it is not necessary to provide both open and attach method at the same time and providing at least one of them is enough. Adding some null pointer checks to prevent exceptions in case of not providing both methods at the same time. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23703) (cherry picked from commit bd73e1e62c4103e0faffb79cb3d34a2a92a95439)15 April 2024, 08:29:34 UTC
656b171 Tomas Mraz11 April 2024, 15:49:53 UTClist_provider_info(): Fix leak on error Fixes #24110 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24117) (cherry picked from commit 993c2407d04956ffdf9b32cf0a7e4938ace816dc)15 April 2024, 07:10:56 UTC
c6a784a Tomas Mraz11 April 2024, 07:27:47 UTCossl_provider_new(): Fix memory leak on error Fixes #24095 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24100) (cherry picked from commit 875db35ac63beb0e5a3d520743fa55ad2e5ccd1d)12 April 2024, 09:01:51 UTC
bfa293c Tomas Mraz11 April 2024, 07:40:18 UTCmake_addressPrefix(): Fix a memory leak in error case Fixes #24098 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24102) (cherry picked from commit 682ed1b86ebe97036ab37897d528343d0e4def69)12 April 2024, 08:57:16 UTC
6637d7d Neil Horman10 April 2024, 12:28:43 UTCFix duplicate mutex allocation in threads_win.c Creating an rcu lock does a double allocation of the underlying mutex. Not sure how asan didn't catch this, but we clearly have a duplicate line here Fixes #24085 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24086) (cherry picked from commit 8e5918fb8eb90289a0c89f6a4c6d623ecf49cf43)11 April 2024, 18:00:36 UTC
7f04bb0 Richard Levitte10 April 2024, 08:18:46 UTCVMS: Move defining _XOPEN_SOURCE and _XOPEN_SOURCE_EXTENDED to config target For all other platforms that need these macros defined, that's how it's done, so we have VMS follow suit. That avoids a crash between in source definitions and command line definitions on some other platforms. Fixes #24075 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24083)11 April 2024, 11:03:53 UTC
7a0d437 Neil Horman29 March 2024, 15:39:12 UTCAdd locking to atomic operations in rw/rcu tests I neglected to add locks to the calls to CRYPTO_atomic_add in these test, which on newer compilers is fine, as atomic operations are defined. However on older compilers the __ATOMIC_ACQ_REL definition is missing causing these function to be implemented using an rwlock, which when NULL causes the locks to fail. Fix this my creating the lock and using them appropriately Fixes #24000 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24001) (cherry picked from commit 5f8b812931e5da24df08913c05ff8e4f4494f014)11 April 2024, 08:42:49 UTC
e661fbc Oleg Bulatov09 April 2024, 22:17:35 UTCcrypto/provider_core.c: Allocate activatecnt_lock CRYPTO_atomic_add has a lock as a parameter, which is often ignored, but in some cases (for example, when BROKEN_CLANG_ATOMICS is defined) it is required. There is no easy way to determine if the lock is needed or not. The current logic looks like this: if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS) if defined(__GNUC__) && defined(__ATOMIC_ACQ_REL) && !defined(BROKEN_CLANG_ATOMICS) - It works without the lock, but in general the need for the lock depends on __atomic_is_lock_free results elif defined(__sun) && (defined(__SunOS_5_10) || defined(__SunOS_5_11)) - The lock is not needed (unless ret is NULL, which should never happen?) else - The lock is required endif else - The lock is not needed endif Adding such conditions outside of crypto.h is error-prone, so it is better to always allocate the lock, otherwise CRYPTO_atomic_add may silently fail. Fixes #23376. CLA: trivial Fixes: fc570b2605 ("Avoid taking a write lock in ossl_provider_doall_activated()") Signed-off-by: Oleg Bulatov <oleg@bulatov.me> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24081) (cherry picked from commit 2fd6c12e85ec7558cbdee08033f822c42ee0f5d4)11 April 2024, 08:07:52 UTC
5a13d35 Hugo Landau29 March 2024, 14:51:35 UTCChange approach to SSL_pending API Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24040)10 April 2024, 13:47:24 UTC
c79e0e7 Hugo Landau28 March 2024, 09:15:21 UTCQUIC APL: Fix default stream creation on server side Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24040)10 April 2024, 13:47:06 UTC
back to top