Git log: commit 1763595a818c8f3d062d72ef9d043a08e1cfbcd1
Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Sun Oct 27 15:19:56 2024 +0100
Prepare 3.3.2-2
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
commit 317e408e2f8332babdc86ad4f96a672c69825542
Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Sun Oct 27 15:19:38 2024 +0100
Add fix for CVE-2024-9143
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
commit bac3340b094ef77469805e4a161c315bc3a5f5e6
Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Tue Sep 3 21:43:30 2024 +0200
Prepare 3.3.2-1.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
commit 46fb178b51763c6728abf3c42ebc772843f22ef8
Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Tue Sep 3 21:43:08 2024 +0200
Add Changelog for 3.3.2
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
commit eab3c5da627c8c9a07dec074384fa7269354a5bf
Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Tue Sep 3 21:38:31 2024 +0200
Drop applied patches.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
commit 83673ece32c828f3d47a1997f468e8bee8938a88
Merge: b9d1079c4f e5b1130972
Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Tue Sep 3 21:36:07 2024 +0200
Update upstream source from tag 'upstream/3.3.2'
Update to upstream version '3.3.2'
with Debian dir 49f0b59a18f90c727e7d129bb439215fa469203c
commit e5b1130972b47f19ed2633f506f3a8b841a57fa2
Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Tue Sep 3 21:36:07 2024 +0200
New upstream version 3.3.2
commit b9d1079c4fd2baaa00fe9655567d35952eae76cb
Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Tue Sep 3 21:31:20 2024 +0200
Update signing-key.asc.
Update as per https://openssl-library.org/source/:
| The current releases are signed by the OpenSSL key with fingerprint BA54
| 73A2 B058 7B07 FB27 CF2D 2160 94DF D0CB 81EF.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
commit 32486891e636da98b7b48c4b6543db286998f631
Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Thu Aug 15 23:39:53 2024 +0200
d: Update watch file after site rework.
The archives have also been moved to github.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
commit fb7fab9fa6f4869eaa8fbb97e0d593159f03ffe4
Author: Tomas Mraz <tomas@openssl.org>
Date: Tue Sep 3 14:46:38 2024 +0200
Prepare for release of 3.3.2
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
commit da50885982a2f137ef74743a5da234507100e887
Author: Tomas Mraz <tomas@openssl.org>
Date: Tue Sep 3 14:46:36 2024 +0200
make update
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
commit 96782e34ddf480d10ca4781cabbd2a7d4feff982
Author: Tomas Mraz <tomas@openssl.org>
Date: Tue Sep 3 14:44:27 2024 +0200
Copyright year updates
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
commit fd319679ce007791c8b8b4eff214d80e5ce88c0b
Author: Tomas Mraz <tomas@openssl.org>
Date: Tue Sep 3 12:24:58 2024 +0200
Add CVE-2024-5535 to CHANGES and NEWS
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
(cherry picked from commit abcb0f83d060eb816503a6a36959ce8498a24111)
commit cf384d35aa7142cc3b5de19f64d3972e77d3ff74
Author: Viktor Dukhovni <viktor@openssl.org>
Date: Wed Jul 10 19:50:57 2024 +1000
Updated CHANGES and NEWS for CVE-2024-6119 fix
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
commit 7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0
Author: Viktor Dukhovni <viktor@openssl.org>
Date: Wed Jun 19 21:04:11 2024 +1000
Avoid type errors in EAI-related name check logic.
The incorrectly typed data is read only, used in a compare operation, so
neither remote code execution, nor memory content disclosure were possible.
However, applications performing certificate name checks were vulnerable to
denial of service.
The GENERAL_TYPE data type is a union, and we must take care to access the
correct member, based on `gen->type`; not all the member fields have the same
structure, and a segfault is possible if the wrong member field is read.
The code in question was lightly refactored with the intent to make it more
obviously correct.
Fixes CVE-2024-6119
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(cherry picked from commit 0890cd13d40fbc98f655f3974f466769caa83680)
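
The rule stated in the commit above (read a union member only after checking the type tag) is sketched below as an added example; it is not OpenSSL's code. All `toy_*` / `TOY_*` names, the structure layouts and the sample names are hypothetical stand-ins constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-ins; these are NOT OpenSSL's definitions. */
typedef struct { size_t length; const unsigned char *data; } toy_string;
typedef struct { int type_id; toy_string *value; } toy_othername;

enum toy_gen_type { TOY_GEN_OTHERNAME, TOY_GEN_EMAIL, TOY_GEN_DNS };
#define TOY_ID_UTF8_MAILBOX 1   /* constructed id for the otherName kind we accept */
#define TOY_STR(lit) { sizeof(lit) - 1, (const unsigned char *)(lit) }

typedef struct {
    enum toy_gen_type type;        /* tag: says which member of d is valid */
    union {
        toy_othername *other_name; /* valid only when type == TOY_GEN_OTHERNAME */
        toy_string *ia5;           /* valid when type is TOY_GEN_EMAIL or TOY_GEN_DNS */
    } d;
} toy_general_name;

/*
 * Return the string that carries a mailbox for this entry, or NULL.
 * Every union access sits behind a check of gen->type. Reading d.ia5 on an
 * otherName entry would reinterpret a toy_othername as a toy_string (a
 * different layout), which is the class of type error the commit describes.
 */
static const toy_string *toy_mailbox_of(const toy_general_name *gen)
{
    switch (gen->type) {
    case TOY_GEN_EMAIL:
        return gen->d.ia5;
    case TOY_GEN_OTHERNAME:
        if (gen->d.other_name == NULL
            || gen->d.other_name->type_id != TOY_ID_UTF8_MAILBOX)
            return NULL;           /* some other otherName kind: skip it */
        return gen->d.other_name->value;
    default:
        return NULL;               /* DNS etc. never counts as a mailbox */
    }
}

/* Count the entries whose mailbox equals `mailbox` byte for byte. */
int toy_match_mailbox(const toy_general_name *names, size_t n,
                      const char *mailbox)
{
    size_t want = strlen(mailbox), i;
    int hits = 0;

    for (i = 0; i < n; i++) {
        const toy_string *s = toy_mailbox_of(&names[i]);

        if (s != NULL && s->data != NULL && s->length == want
            && memcmp(s->data, mailbox, want) == 0)
            hits++;
    }
    return hits;
}

/* Run the matcher over a constructed list that mixes all entry types. */
int toy_demo_hits(const char *mailbox)
{
    toy_string mail = TOY_STR("a@example.com");
    toy_string dns  = TOY_STR("a@example.com");  /* same bytes, DNS entry */
    toy_string utf8 = TOY_STR("b@example.com");
    toy_string blob = TOY_STR("a@example.com");
    toy_othername on_mail  = { TOY_ID_UTF8_MAILBOX, &utf8 };
    toy_othername on_other = { 99, &blob };      /* not a mailbox otherName */
    toy_general_name names[4];

    names[0].type = TOY_GEN_OTHERNAME; names[0].d.other_name = &on_other;
    names[1].type = TOY_GEN_DNS;       names[1].d.ia5 = &dns;
    names[2].type = TOY_GEN_OTHERNAME; names[2].d.other_name = &on_mail;
    names[3].type = TOY_GEN_EMAIL;     names[3].d.ia5 = &mail;
    return toy_match_mailbox(names, 4, mailbox);
}

int main(void)
{
    printf("a@example.com: %d\n", toy_demo_hits("a@example.com"));
    printf("b@example.com: %d\n", toy_demo_hits("b@example.com"));
    printf("c@example.com: %d\n", toy_demo_hits("c@example.com"));
    return 0;
}
```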
commit ff35957337cdb1b68478fc5d1e77a2fc7e5be012
Author: Pauli <ppzgs1@gmail.com>
Date: Fri Aug 30 11:43:29 2024 +1000
endecode_test.c: Fix !fips v3.0.0 check
The fips_provider_version_* functions return true if the FIPS provider isn't
loaded. This is somewhat counterintuitive and the fix in #25327 neglected
this nuance resulting in not running the SM2 tests when the FIPS provider
wasn't being loaded.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25331)
(cherry picked from commit c6c6af18ea5f8dd7aa2bd54b63fcb813ee6c2394)
commit 5673de461ae4b5a81f7ecd38103f3467585912bc
Author: Richard Levitte <levitte@openssl.org>
Date: Wed Aug 28 18:52:39 2024 +0200
exporters for pkg-config: align with the changes for CMake
The latest CMake exporter changes reworked the variables in builddata.pm
and installdata.pm. Unfortunately, the pkg-config exporter templates were
forgotten in that effort.
Fixes #25299
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25308)
(cherry picked from commit 15b748496faeebb3b6d8021049bccc93903ee322)
commit d197788f4a9f4d68508bbc92d48a3f1bbe1b8f1c
Author: Tomas Mraz <tomas@openssl.org>
Date: Thu Aug 29 18:42:14 2024 +0200
endecode_test.c: Avoid running the SM2 tests with 3.0.0 FIPS provider
Fixes #25326
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25327)
(cherry picked from commit 0b97a5505efa8833bb7b8cabae45894ad6d910a2)
commit 7d90a42eef47af7aac25abbf1769c1ef2e4babe3
Author: Viktor Dukhovni <openssl-users@dukhovni.org>
Date: Wed Aug 28 20:36:09 2024 +1000
Check for excess data in CertificateVerify
As reported by Alicja Kario, we ignored excess bytes after the
signature payload in TLS CertificateVerify Messages. These
should not be present.
Fixes: #25298
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25302)
(cherry picked from commit b4e4bf29ba3c67662c60ceed9afa2dd301e93273)
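
The check described in the commit above, as an added example that is not OpenSSL's code: a strict parser for the TLS 1.3 CertificateVerify body (RFC 8446, section 4.4.3: a 2-byte signature scheme followed by a signature with a 2-byte length prefix). The function, type and sample names are hypothetical, the sample bytes are constructed, and the `strict` flag exists only to contrast the old lenient behaviour with the corrected one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum cv_status { CV_OK = 0, CV_TRUNCATED = -1, CV_EXCESS_DATA = -2 };

typedef struct {
    uint16_t scheme;       /* SignatureScheme code point */
    const uint8_t *sig;    /* points into the caller's buffer */
    size_t sig_len;
} cert_verify;

/*
 * Parse a CertificateVerify body:
 *     uint16 algorithm; opaque signature<0..2^16-1>;
 * With strict != 0, any byte left after the signature is an error.
 * With strict == 0, trailing bytes are silently ignored, which is the
 * behaviour the commit message reports as the defect.
 */
int parse_cert_verify(const uint8_t *body, size_t len, int strict,
                      cert_verify *out)
{
    size_t sig_len;

    if (len < 4)
        return CV_TRUNCATED;             /* no room for scheme + length */
    sig_len = ((size_t)body[2] << 8) | body[3];
    if (sig_len > len - 4)
        return CV_TRUNCATED;             /* length field overruns the body */
    if (strict && len - 4 != sig_len)
        return CV_EXCESS_DATA;           /* bytes after the signature */

    out->scheme = (uint16_t)((body[0] << 8) | body[1]);
    out->sig = body + 4;
    out->sig_len = sig_len;
    return CV_OK;
}

/* Constructed samples: scheme 0x0804, then a 3-byte placeholder "signature". */
static const uint8_t CV_SAMPLE_EXACT[] =
    { 0x08, 0x04, 0x00, 0x03, 0xaa, 0xbb, 0xcc };
/* Same message with two extra bytes appended after the signature. */
static const uint8_t CV_SAMPLE_EXCESS[] =
    { 0x08, 0x04, 0x00, 0x03, 0xaa, 0xbb, 0xcc, 0x00, 0x00 };
/* Length field claims 5 signature bytes but only 2 are present. */
static const uint8_t CV_SAMPLE_SHORT[] =
    { 0x08, 0x04, 0x00, 0x05, 0xaa, 0xbb };

static cert_verify cv_last;              /* last successfully parsed message */

int main(void)
{
    printf("exact, strict:  %d\n",
           parse_cert_verify(CV_SAMPLE_EXACT, sizeof(CV_SAMPLE_EXACT), 1, &cv_last));
    printf("excess, lax:    %d\n",
           parse_cert_verify(CV_SAMPLE_EXCESS, sizeof(CV_SAMPLE_EXCESS), 0, &cv_last));
    printf("excess, strict: %d\n",
           parse_cert_verify(CV_SAMPLE_EXCESS, sizeof(CV_SAMPLE_EXCESS), 1, &cv_last));
    printf("short, strict:  %d\n",
           parse_cert_verify(CV_SAMPLE_SHORT, sizeof(CV_SAMPLE_SHORT), 1, &cv_last));
    return 0;
}
```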
commit 589286efca5ab637ae29ef7f3522dc85ee080d55
Author: Clemens Lang <cllang@redhat.com>
Date: Wed Aug 28 17:18:03 2024 +0200
doc: Document properties param for Argon2 KDF
The Argon2 KDF uses OSSL_KDF_PARAM_PROPERTIES to fetch implementations
of blake2bmac and blake2b512 if ctx->mac and ctx->md are NULL. This
isn't documented in the manpage, so users that might, for example, want
to fetch an instance of Argon2 with the -fips property query to obtain
a working Argon2 KDF even though the default property query requires
fips=yes are left wondering why this fails.
Fortunately, EVP_KDF(3)/PARAMETERS already explains what the properties
are used for, so we really just need to add a single line.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25306)
(cherry picked from commit 6772c2ab1bc5f12dd800247cd6800c45c2c0bf6e)
commit ba01343c9efd7d53e3f8fd24750fa7749e5c1d6a
Author: Jamie Cui <jamie.cui@outlook.com>
Date: Thu Aug 22 11:41:50 2024 +0800
Fix decoder error on SM2 private key
Added sm2 testcases to endecode_test.c.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25266)
(cherry picked from commit 25bd0c77bfa7e8127faafda2b082432ea58f9570)
commit 7a122cafc1415e1f182fd58b36708b5a08fb8550
Author: Richard Levitte <levitte@openssl.org>
Date: Wed Jul 17 18:23:57 2024 +0200
fix: for exporters to work for build config, there may be two include dirs
For CMake / pkg-config configuration files to be used for an uninstalled
build, the include directory in the build directory isn't enough, if that
one is separate from the source directory. The include directory in the
source directory must be accounted for too.
This includes some lighter refactoring of util/mkinstallvars.pl, with the
result that almost all variables in builddata.pm and installdata.pm have
become arrays, even though unnecessarily for most of them; it was simpler
that way. The CMake / pkg-config templates are adapted accordingly.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24918)
(cherry picked from commit accd835f8d6ed946eb540a3e2e82f9723093f094)
commit 27b00ac152a1d6940b9838f81b6daefdfcd84dbe
Author: Richard Levitte <levitte@openssl.org>
Date: Wed Jul 17 11:09:11 2024 +0200
fix: exporters/cmake/OpenSSLConfig.cmake.in to work for build config
This template file is made to make both:
1. OpenSSLConfig.cmake (CMake config used when building a CMake package
against an uninstalled OpenSSL build)
2. exporters/OpenSSLConfig.cmake (CMake config that's to be installed
alongside OpenSSL, and is used when building a CMake package against
an OpenSSL installation).
Variant 1 was unfortunately getting the internal '_ossl_prefix' variable
wrong, which is due to how the perl snippet builds the command(s) to figure
out its value. That needed some correction.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24918)
(cherry picked from commit a82d9e572cc757e4fa50d484bfbb7115f2d027dd)
commit 81259299499e81d0b3850e09c9366aa67c65b07c
Author: slontis <shane.lontis@oracle.com>
Date: Thu Aug 22 09:09:14 2024 +1000
FIPS: Change fips tests to use SHA2 for corruption test.
Fixes cross testing with OpenSSL 3.4 with removed SHA1 from the self
tests.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25262)
(cherry picked from commit 06179b4be0e5617455924f02830a43b85d154c1a)
commit 2e966354956e55825331f61bf98976ffe60e4332
Author: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Fri Oct 27 12:05:05 2023 +0200
Fix error handling in OBJ_add_object
This fixes the possible memory leak in OBJ_add_object
when a pre-existing object is replaced by a new one,
with identical NID, OID, and/or short/long name.
We do not try to delete any orphans, but only mark
them as type == -1, because the previously returned
pointers from OBJ_nid2obj/OBJ_nid2sn/OBJ_nid2ln
may be cached by applications and can thus not
be cleaned up before the application terminates.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22534)
(cherry picked from commit e91384d5b0547bf797e2b44976f142d146c4e650)
commit 4688f9b821525b255e0ff22f376fee93c2f9dc8e
Author: FdaSilvaYY <fdasilvayy@gmail.com>
Date: Thu Jul 18 23:33:49 2024 +0200
apps: add missing entry to tls extension label list
noticed by @sftcd
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25111)
commit ef4df981aecfc6c3cdc1585a1c07b199db711ec1
Author: FdaSilvaYY <fdasilvayy@gmail.com>
Date: Sun Feb 21 00:04:07 2021 +0100
Fix '--strict-warnings' build breakage
... due to a missing const.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25111)
commit 606fdff98a2eaafad257fe66193921b9222bdeba
Author: Jiasheng Jiang <jiashengjiangcool@outlook.com>
Date: Tue Aug 6 19:18:34 2024 +0000
test/provider_test.c: Add OSSL_PROVIDER_unload() to avoid memory leak
Add OSSL_PROVIDER_unload() when OSSL_PROVIDER_add_builtin() fails to avoid memory leak.
Fixes: 5442611dff ("Add a test for OSSL_LIB_CTX_new_child()")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@outlook.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25109)
(cherry picked from commit 55662b674543c9385600bc9b7c46277ef69b4dba)
commit 2bec15e92ea2b57e5e8c474f524989177c2cdd27
Author: Jiasheng Jiang <jiashengjiangcool@outlook.com>
Date: Tue Aug 6 18:42:06 2024 +0000
test/provider_fallback_test.c: Add OSSL_PROVIDER_unload() to avoid memory leak
Add OSSL_PROVIDER_unload() when test_provider() fails to avoid memory leak.
Fixes: f995e5bdcd ("TEST: Add provider_fallback_test, to test aspects of
fallback providers")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@outlook.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25108)
(cherry picked from commit 6e8a1031ed11af9645769f9e019db9f032a220b8)
commit 092854de7db51c3958e3941e105bf2f2a68d5cba
Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Tue Aug 20 23:37:24 2024 +0200
d: Correct closed bug number.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
commit 75064528af6a8b831df84591a330f13196c04c69
Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Tue Aug 20 22:34:36 2024 +0200
d: Type in changelog.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
commit ed16083728a0ab73b87cef58e23ea5490e6e73cc
Author: Hubert Kario <hkario@redhat.com>
Date: Fri Jul 26 16:25:42 2024 +0200
Link to the place where signature options are defined
ca man page: link to section
Signed-off-by: Hubert Kario <hkario@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25011)
(cherry picked from commit 1985ba60bba272d5780c498461f2b1171f10aa21)
commit ca21a1deb1348195244ac5a6b4508f43e8a2b418
Author: Tomas Mraz <tomas@openssl.org>
Date: Mon Aug 19 11:34:27 2024 +0200
Explicitly include e_os.h for close()
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25229)
(cherry picked from commit 0c0c6954bf4fa7b56e21e1393c9e5e5d55c1b2d6)
commit fce17ad57d22820dfe01f57084d28fe515f6425c
Author: Pauli <ppzgs1@gmail.com>
Date: Mon Aug 19 08:31:15 2024 +1000
test: add a default greeting to avoid printing a null pointer.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/25221)
(cherry picked from commit 34877dbcd467efb4e2dbf45d2fcb44c5a4b4926a)
commit 8372c752b8365e7f82041d9ad0e63adcf584b8b7
Author: shridhar kalavagunta <coolshrid@hotmail.com>
Date: Sun Aug 4 16:04:53 2024 -0500
RAND_write_file(): Avoid potential file descriptor leak
If fdopen() call fails we need to close the fd. Also
return early as this is most likely some fatal error.
Fixes #25064
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25081)
(cherry picked from commit d6048344398ec75996fee1f465abb61ab3aa377e)
commit 9577662515c30910595882e6c15d7d8295fb485c
Author: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Tue Mar 12 20:04:56 2024 +0100
Fix unpredictable refcount handling of d2i functions
The passed in reference of a ref-counted object
is free'd by d2i functions in the error handling.
However if it is not the last reference, the
in/out reference variable is not set to null here.
This makes it impossible for the caller to handle
the error correctly, because there are numerous
cases where the passed in reference is free'd
and set to null, while in other cases, where the
passed in reference is not free'd, the reference
is left untouched.
Therefore the passed in reference must be set
to NULL even when it was not the last reference.
Fixes #23713
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22809)
(cherry picked from commit d550d2aae531c6fa2e10b1a30d2acdf373663889)
commit ebb35f19fbdf61cce0f13f7af8a7238aec0d1dd3
Author: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Fri Nov 24 07:02:35 2023 +0100
Extend test case for reused PEM_ASN1_read_bio
This is related to #22780, simply add test cases
for the different failure modes of PEM_ASN1_read_bio.
Depending on whether the PEM or the DER format is valid or not,
the passed in CRL may be deleted or not, therefore a statement
like this:
    reused_crl = PEM_read_bio_X509_CRL(b, &reused_crl, NULL, NULL);
must be avoided, because it can create memory leaks.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22809)
(cherry picked from commit 83951a9979784ffa701e945b86f2f0bc2caead8e)
commit 523f8c53110ed8d16e8841302a7832d79bc24250
Author: Andreas Treichel <gmblar@gmail.com>
Date: Sat May 18 08:27:46 2024 +0200
apps/cms.c, apps/smime.c: Fix -crlfeol help messages
CLA: trivial
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24434)
(cherry picked from commit 0813ffee2fe6d1a4fe4ec04b7b18fe91cc74a34c)
commit 3cc839608d9ea07d4734b8cdfb771d75d9e9034b
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 7 23:38:58 2024 -0500
Fix SSL_CTX_set1_groups documentation on preference orders
The documentation currently describes SSL_CTX_set1_groups as a
preference order, but this does not match the typical interpretation of
"preference order" in OpenSSL and TLS. Typically, an application can
order more secure options ahead of less secure ones and pick up TLS's
usual downgrade protection guarantees.
TLS 1.3 servers need to balance an additional consideration: some
options will perform worse than others due to key share prediction. The
prototypical selection procedure is to first select the set of more
secure options, then select the most performant among those.
OpenSSL follows this procedure, but it *unconditionally* treats all
configured curves as equivalent security. Per discussion on GitHub,
OpenSSL's position is that this is an intended behavior.
While not supported by built-in providers, OpenSSL now documents that
external providers can extend the group list and CHANGES.md explicitly
cites post-quantum as a use case. With post-quantum providers, it's
unlikely that application developers actually wanted options to be
equivalent security. To avoid security vulnerabilities arising from
mismatched expectations, update the documentation to clarify the server
behavior.
Per the OTC decision in
https://github.com/openssl/openssl/issues/22203#issuecomment-1744465829,
this documentation fix should be backported to stable branches.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23776)
(cherry picked from commit 2ec4e9501423cdc886c5a300b4f8bb249a3df4da)
commit 49e50c6e333c20c18210d6dfbdb27e37e4e5515a
Author: Shih-Yi Chen <shihyic@nvidia.com>
Date: Wed Aug 7 21:33:53 2024 +0000
Update krb5 to latest master to pick up CVE fixes
CLA: trivial
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25131)
(cherry picked from commit 099a71b48b6e1f27f39b2905fb67f2afaefd9171)
commit 0793071efaa7f61828b555128587db48c5d24962
Author: Pauli <ppzgs1@gmail.com>
Date: Thu Aug 8 10:55:15 2024 +1000
test: add FIPS provider version checks for 3.4 compatibility
Tests that are changed by #25020 mandate updates to older test suite data to
pass because the FIPS provider's behaviour changes in 3.4.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25133)
commit 2113294c8c5cb84ae3534f9d9457433a6a33d9e1
Author: Neil Horman <nhorman@openssl.org>
Date: Fri Jul 26 11:01:05 2024 -0400
limit bignums to 128 bytes
Keep us from spinning forever doing huge amounts of math in the fuzzer
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25013)
(cherry picked from commit f0768376e1639d12a328745ef69c90d584138074)
commit 6200b9cb794a7251202b4f3eec37deb722349f86
Author: JulieDzeze1 <jd1230@g.rit.edu>
Date: Fri Apr 19 17:50:19 2024 -0400
Update BN_add.pod documentation so it is consistent with header declarations
CLA: trivial
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24215)
(cherry picked from commit e77eb1dc0be75c98c53c932c861dd52e8896cc13)
commit 7ec7337e1a28d8f4629d7cdd8dad0b3ffd53b8b4
Author: Tomas Mraz <tomas@openssl.org>
Date: Mon Aug 5 15:08:39 2024 +0200
rsa_pss_compute_saltlen(): Avoid integer overflows and check MD and RSA sizes
Fixes Coverity 1604651
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25085)
(cherry picked from commit 217e215e99dd526ad2e6f83601449742d1d03d6a)
commit 57230b0d75eb5bdfdfaacea879011304d757b1c4
Author: Tomas Mraz <tomas@openssl.org>
Date: Mon Aug 5 14:49:52 2024 +0200
do_print_ex(): Avoid possible integer overflow
Fixes Coverity 1604657
Fixes openssl/project#780
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25084)
(cherry picked from commit e3e15e77f14cc4026fd456cc8a2b5190b2d79610)
commit 4b86dbb596c179b519dfb7ceb7e1d223556442c5
Author: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com>
Date: Sun Jul 21 11:37:03 2024 +0200
Fix typos found by codespell in openssl-3.3 doc
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/24950)
commit 550edcf927a51e1d8fbe916565c5def220a17659
Author: Andrew Dinh <andrewd@openssl.org>
Date: Fri Aug 2 21:01:12 2024 +0700
Use parent directory instead of index.html
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25073)
(cherry picked from commit 5854b764a762598b662a5166be8d0030af06c1c0)
commit df6f1a7cc5cf6d099a2d5ae3247d77e4a9e8d32b
Author: Andrew Dinh <andrewd@openssl.org>
Date: Fri Aug 2 20:58:13 2024 +0700
Update links in CONTRIBUTING.md
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25073)
(cherry picked from commit ad3d57d27141c09fe07ef39c49af5afe69c59383)
commit c55b947a38ee7986294963016cfc4b00bf7186f5
Author: Andrew Dinh <andrewd@openssl.org>
Date: Fri Aug 2 20:54:13 2024 +0700
Fix some small typos
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25073)
(cherry picked from commit d0a49eea4a8bb50f7d2269bac390a0ce2cddeb1f)
commit 2f1bc7eaff0239ab709ddff171595bea5f1451ac
Author: Tomas Mraz <tomas@openssl.org>
Date: Thu Aug 1 19:36:00 2024 +0200
Do not implicitly start connection with SSL_handle_events() or SSL_poll()
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25069)
(cherry picked from commit ca1d2db291530a827555b40974ed81efb91c2d19)
commit d927ff632491b55f736879c4c5108b103aa3fe46
Author: Tomas Mraz <tomas@openssl.org>
Date: Thu Aug 1 19:14:16 2024 +0200
Return infinity time from SSL_get_event_timeout when the connection is not started
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25069)
(cherry picked from commit b1f4aebb74192afb197487bf6f4998fbb87cd1c1)
commit 82f4f0f0593dc37b83a5335fbc5cda305ff20d0e
Author: Tomas Mraz <tomas@openssl.org>
Date: Thu Aug 1 17:17:42 2024 +0200
Do not falsely start the connection through SSL_pending()/_has_pending()
Fixes #25054
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25069)
(cherry picked from commit b7f93c7fcb37c81b88895c3e8d22ad69c2576cd4)
commit 293650d33069276446b286ad856cfb9854ea83e4
Author: Richard Levitte <levitte@openssl.org>
Date: Sun Jul 28 10:47:08 2024 +0200
fix: util/mkinstallvars.pl mistreated LDLIBS on Unix (and Windows)
Don't do comma separation on those platforms.
Fixes #24986
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25018)
(cherry picked from commit 0beef0ba00f7864b7367899d859509a99237fcf0)
commit eb0df1395964d29a028b5c21bc8670577890f8d8
Author: Marc Brooks <IDisposable@gmail.com>
Date: Tue Jul 30 15:29:34 2024 -0500
Free fetched digest in show_digests
Fixes #24892
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25046)
(cherry picked from commit 871c534d39efecc2087da0fd24ff72e2712031a4)
commit 422a13fb5cd668cdc4c1eebce8accb4d25c3d8eb
Author: Tomas Mraz <tomas@openssl.org>
Date: Fri Jul 19 12:24:47 2024 +0200
evp_get_digest/cipherbyname_ex(): Try to fetch if not found
If the name is not found in namemap, we need
to try to fetch the algorithm and query the
namemap again.
Fixes #19338
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24940)
(cherry picked from commit 454ca902c7d5337249172b38efc5e4fd63f483f4)
commit d4ed29730c296a41c720e84ea66af0c05593d6e6
Author: Tomas Mraz <tomas@openssl.org>
Date: Thu Jul 18 11:01:00 2024 +0200
Avoid leaking *ba_ret on reconnections
Also fixes Coverity 1604639
There is no point in checking ba_ret as it can never be NULL.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24931)
(cherry picked from commit 4fa9d1f40fc85d8c70c93168dc812217db349359)
commit 12c38af865a0a60c98f6b63de5be4b8ce2d1ace5
Author: jasper-smit-servicenow <jasper.smit@servicenow.com>
Date: Thu Jul 18 09:45:22 2024 +0200
Update X509V3_get_d2i.pod returned pointer needs to be freed
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/24927)
(cherry picked from commit a4fd94851261c55f9ad020bf22d4f29bda0b58be)
commit dd744cd19b3ff2bdc320c8a77b5c32ff543eaeb3
Author: Tomas Mraz <tomas@openssl.org>
Date: Thu Jul 18 10:48:58 2024 +0200
i2d_name_canon(): Check overflow in len accumulation
Fixes Coverity 1604638
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/24930)
(cherry picked from commit b2deefb9d262f0f9eae6964006df98c2fa24daac)
commit 97b2aa49e504e49a8862b89c65eb54e143395f1d
Author: Georgi Valkov <gvalkov@gmail.com>
Date: Fri Jul 19 13:24:27 2024 +0300
gitignore: add .DS_Store
macOS creates .DS_Store files all over the place while browsing
directories. Add it to the list of ignored files.
Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/24942)
(cherry picked from commit 10c36d2f8d81a6f2b9a75f914fe094300835ba01)
commit 03781fb4b396061b81836e7e4f0be4122d316994
Author: Tomas Mraz <tomas@openssl.org>
Date: Tue Oct 24 09:27:23 2023 +0200
Allow short reads in asn1_d2i_read_bio()
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/22486)
(cherry picked from commit 202ef97edc8e5561a6f4db28919d5ed73d411cc7)
commit 71c28b527e348304995800ae6e12c58133163222
Author: erbsland-dev <github@erbsland.dev>
Date: Sun Jul 14 19:14:49 2024 +0200
Improve clarity and readability of password input documentation
Fixed #7310: Enhanced existing documentation for password input methods
- Refined descriptions for password input methods: `file:`, `fd:`, and `stdin`
- Enhanced readability and consistency in the instructions
- Clarified handling of multiple lines in read files.
- Clarified that `fd:` is not supported on Windows.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24878)
(cherry picked from commit 0d4663ca6a91eb5eeb7bbe24a3b5a7cbee9e0fad)