Tomas Mraz [Tue, 9 Apr 2024 12:12:22 +0000 (14:12 +0200)]
Prepare for release of 3.3.0
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
Tomas Mraz [Tue, 9 Apr 2024 12:12:14 +0000 (14:12 +0200)]
make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
Tomas Mraz [Tue, 9 Apr 2024 12:09:20 +0000 (14:09 +0200)]
Copyright year updates
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
Matt Caswell [Fri, 15 Jul 2022 12:26:33 +0000 (13:26 +0100)]
Add a test for session cache overflow
Test sessions behave as we expect even in the case that an overflow
occurs when adding a new session into the session cache.
Related to CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24042)
(cherry picked from commit 4a3e8f08306c64366318e26162ae0a0eb7b1a006)
Matt Caswell [Fri, 15 Mar 2024 17:58:42 +0000 (17:58 +0000)]
Hardening around not_resumable sessions
Make sure we can't inadvertently use a not_resumable session
Related to CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24042)
(cherry picked from commit 21df7f04f6c4a560b4de56d10e1e58958c7e566d)
Matt Caswell [Tue, 5 Mar 2024 16:01:20 +0000 (16:01 +0000)]
Add a CHANGES.md/NEWS.md entry for the unbounded memory growth bug
Related to CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24042)
(cherry picked from commit 03c4b0eab6dcbb59e3f58baad634be8fc798c103)
Matt Caswell [Tue, 5 Mar 2024 15:43:53 +0000 (15:43 +0000)]
Fix unconstrained session cache growth in TLSv1.3
In TLSv1.3 we create a new session object for each ticket that we send.
We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
use then the new session will be added to the session cache. However, if
early data is not in use (and therefore anti-replay protection is being
used), then multiple threads could be resuming from the same session
simultaneously. If this happens and a problem occurs on one of the threads,
then the original session object could be marked as not_resumable. When we
duplicate the session object this not_resumable status gets copied into the
new session object. The new session object is then added to the session
cache even though it is not_resumable.
Subsequently, another bug means that the session_id_length is set to 0 for
sessions that are marked as not_resumable - even though that session is
still in the cache. Once this happens the session can never be removed from
the cache. When that object gets to be the session cache tail object the
cache never shrinks again and grows indefinitely.
CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24042)
(cherry picked from commit 7984fa683e9dfac0cad50ef2a9d5a13330222044)
Matt Caswell [Tue, 5 Mar 2024 15:35:51 +0000 (15:35 +0000)]
Extend the multi_resume test for simultaneous resumptions
Test what happens if the same session gets resumed multiple times at the
same time - and one of them gets marked as not_resumable.
Related to CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24042)
(cherry picked from commit cfeaf33a26c53c526128df96db2d2ec105b43aec)
Matt Caswell [Mon, 4 Mar 2024 13:45:23 +0000 (13:45 +0000)]
Add a test for session cache handling
Repeatedly create sessions to be added to the cache and ensure we never
exceed the expected size.
Related to CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24042)
(cherry picked from commit 0447cd690f86ce52ff760d55d6064ea0d08656bf)
Randall S. Becker [Sat, 30 Mar 2024 22:28:02 +0000 (22:28 +0000)]
NonStop: Do not call sleep() with a 0 value
This change ensures that sleep(0) is not invoked to cause unexpected
duplicate thread context switches when _REENTRANT is specified.
Fixes: #24009
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24012)
Richard Levitte [Sat, 30 Mar 2024 11:52:50 +0000 (12:52 +0100)]
Diverse small VMS build fixups
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24008)
Dmitry Misharov [Wed, 3 Apr 2024 11:47:39 +0000 (13:47 +0200)]
downgrade upload-artifact action to v3
GitHub Enterprise Server is not compatible with upload-artifact@v4+.
https://github.com/actions/upload-artifact/tree/v4
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24029)
(cherry picked from commit 089271601a1d085f33ef7b7d8c3b6879045be370)
Tomas Mraz [Tue, 2 Apr 2024 16:47:26 +0000 (18:47 +0200)]
openssl-crl(1): The -verify option is implied by -CA* options
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/24024)
(cherry picked from commit a16f2e7651b22ee992bb0c279e25164b519c1e80)
Tomas Mraz [Tue, 2 Apr 2024 14:43:27 +0000 (16:43 +0200)]
DEFINE_STACK_OF.pod: Fix prototypes of sk_TYPE_free/zero()
They take non-const STACK_OF(TYPE)* argument.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24023)
(cherry picked from commit e898c367312c3ab6eb5eaac9b4be768f0d2e4b0e)
slontis [Mon, 18 Mar 2024 00:46:12 +0000 (11:46 +1100)]
Add 'documentation policy' link to CONTRIBUTING guide.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23875)
(cherry picked from commit e817766c0f46f371fabe344fba60d13afcfc3da9)
slontis [Thu, 14 Mar 2024 05:11:40 +0000 (16:11 +1100)]
Update Documentation for EVP_DigestSign, EVP_DigestVerify.
Fixes #23075
In OpenSSL 3.2 EVP_DigestSign and EVP_DigestVerify
were changed so that a flag is set once these functions
do a one-shot sign or verify operation. This PR updates the
documentation to match the behaviour.
Investigations showed that prior to 3.2 different key
types behaved differently if multiple calls were done.
By accident X25519 and X448 would produce the same signature,
but ECDSA and RSA remembered the digest state between calls,
so the signature was different when multiple calls were done.
Because of this undefined behaviour something needed to be done,
so keeping the 'only allow it to be called once' behaviour
seems a reasonable approach.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23834)
(cherry picked from commit 5e908e6068708c89da7b5591cc65ff4b3d3135d2)
Job Snijders [Tue, 27 Feb 2024 19:14:32 +0000 (19:14 +0000)]
Align 'openssl req' string_mask docs to how the software really works
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23699)
(cherry picked from commit 2410cb42e62c3be69dcf1aad1bdf1eb0233b670f)
Tomas Mraz [Wed, 3 Apr 2024 10:41:21 +0000 (12:41 +0200)]
Workaround the relocation truncated to fit problem on m68k builds
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24028)
(cherry picked from commit 81b7aa7186bf48fa5c2eaf0c7fe3bd05880e4dbb)
Alex Bozarth [Mon, 20 Nov 2023 21:20:31 +0000 (15:20 -0600)]
Allow provider sigalgs in SignatureAlgorithms conf
Though support for provider-based signature algorithms was added in
ee58915 this functionality did not work with the SignatureAlgorithms
configuration command. If SignatureAlgorithms is set then the provider
sigalgs are not used and instead it used the default value.
This PR adds a check against the provider-based sigalg list when parsing
the SignatureAlgorithms value.
Based-on-patch-by: Martin Schmatz <mrt@zurich.ibm.com>
Fixes #22761
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/22779)
(cherry picked from commit 4169d58c855718d90424fd5da632cf2f2b46e691)
Hugo Landau [Mon, 1 Apr 2024 08:03:20 +0000 (09:03 +0100)]
BIO_s_connect: Do not set keepalive on dgram sockets
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24015)
(cherry picked from commit 56736800224eff5783e314fd334c047224081c58)
Vladimir Kotal [Wed, 27 Mar 2024 09:51:22 +0000 (10:51 +0100)]
Document change of -verify behavior in crl and req apps
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23983)
(cherry picked from commit 15585af97ec682182f40f815741e66f1ec40f941)
Bernd Edlinger [Thu, 8 Feb 2024 21:44:33 +0000 (22:44 +0100)]
Remove handling of NULL sig param in ossl_ecdsa_deterministic_sign
The handling of sig=NULL was broken in this function, but since it
is only used internally and was never called with sig=NULL, it is
better to return an error in that case.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23529)
(cherry picked from commit 294782f3b5c4b81d682e6e8608bb6e851177494d)
Bernd Edlinger [Thu, 8 Feb 2024 21:21:55 +0000 (22:21 +0100)]
Fix handling of NULL sig parameter in ECDSA_sign and similar
The problem is, that it almost works to pass sig=NULL to the
ECDSA_sign, ECDSA_sign_ex and DSA_sign, to compute the necessary
space for the resulting signature.
But since the ECDSA signature is non-deterministic
(except when ECDSA_sign_setup/ECDSA_sign_ex are used)
the resulting length may be different when the API is called again.
This can easily cause random memory corruption.
Several internal APIs had the same issue, but since they are
never called with sig=NULL, it is better to make them return an
error in that case, instead of making the code more complex.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23529)
(cherry picked from commit 1fa2bf9b1885d2e87524421fea5041d40149cffa)
Bernd Edlinger [Fri, 23 Feb 2024 09:32:14 +0000 (10:32 +0100)]
Fix openssl req with -addext subjectAltName=dirName
The syntax check of the -addext fails because the
X509V3_CTX is used to lookup the referenced section,
but the wrong configuration file is used, where only
a default section with all passed in -addext lines is available.
Thus it was not possible to use the subjectAltName=dirName:section
as an -addext parameter. Probably other extensions as well.
This change affects only the syntax check, the real extension
was already created with correct parameters.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23669)
(cherry picked from commit 387418893e45e588d1cbd4222549b5113437c9ab)
dependabot[bot] [Tue, 26 Mar 2024 17:39:00 +0000 (17:39 +0000)]
Bump actions/setup-python from 5.0.0 to 5.1.0
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.0.0 to 5.1.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v5.0.0...v5.1.0)
---
updated-dependencies:
- dependency-name: actions/setup-python
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
CLA: trivial
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23977)
(cherry picked from commit de85587911dcd41dc3546b348acf9c9f15dd7c3d)
Simo Sorce [Thu, 21 Mar 2024 14:00:52 +0000 (10:00 -0400)]
Explicitly state what -keys does
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23919)
(cherry picked from commit 693c479a2ca671e0dfca8d1ad14e789169b982ff)
Matt Caswell [Fri, 29 Mar 2024 14:07:40 +0000 (14:07 +0000)]
Prepare for 3.3 beta 2
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
Matt Caswell [Fri, 29 Mar 2024 14:07:20 +0000 (14:07 +0000)]
Prepare for release of 3.3 beta 1
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
Matt Caswell [Fri, 29 Mar 2024 14:07:20 +0000 (14:07 +0000)]
make update
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
Matt Caswell [Fri, 29 Mar 2024 14:05:51 +0000 (14:05 +0000)]
Copyright year updates
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
Matt Caswell [Thu, 28 Mar 2024 15:27:52 +0000 (15:27 +0000)]
Update CHANGES.md and NEWS.md with changes that have occurred since 3.2
Release: yes
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23998)
Neil Horman [Mon, 25 Mar 2024 13:18:27 +0000 (09:18 -0400)]
Fix threadstest wrapping again
Stochastic failures in the RCU test on MACOSX are occurring. Due to beta
release, disabling this test on MACOSX until post 3.3 release
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23967)
(cherry picked from commit 1967539e212c17139dc810096da987c8100b1ba2)
Tomas Mraz [Tue, 26 Mar 2024 10:53:53 +0000 (11:53 +0100)]
Update gost-engine submodule to fix the CI
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23773)
(cherry picked from commit e7d5d61b66ee5a1d0827b3c92dc4d484fb9c91fe)
Vladimir Kotal [Thu, 7 Mar 2024 16:00:07 +0000 (17:00 +0100)]
apps/req,crl: exit with 1 on verification failure
Fixes #23771
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23773)
(cherry picked from commit 6af739b79ba50bd42ac8934747ab5c8b996f16b6)
Viliam Lejčík [Mon, 19 Feb 2024 20:39:05 +0000 (21:39 +0100)]
Add NULL check before accessing PKCS7 encrypted algorithm
Printing content of an invalid test certificate causes application crash, because of NULL dereference:
user@user:~/openssl$ openssl pkcs12 -in test/recipes/80-test_pkcs12_data/bad2.p12 -passin pass: -info
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: Segmentation fault (core dumped)
Added test cases for pkcs12 bad certificates
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23632)
(cherry picked from commit a4cbffcd8998180b98bb9f7ce6065ed37d079d8b)
Jiasheng Jiang [Thu, 21 Mar 2024 20:22:01 +0000 (20:22 +0000)]
Replace size_t with int and add the check for the EVP_MD_get_size()
Replace the type of "digest_size" with int to avoid implicit conversion when it is assigned by EVP_MD_get_size().
Moreover, add the check for the "digest_size".
Fixes: 29ce1066bc ("Update the demos/README file because it is really old. New demos should provide best practice for API use. Add demonstration for computing a SHA3-512 digest - digest/EVP_MD_demo")
Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23924)
(cherry picked from commit 87e747000fef07c9ec43877bc5e9f2ca34f76a3b)
Jiasheng Jiang [Thu, 21 Mar 2024 19:55:34 +0000 (19:55 +0000)]
Replace unsigned with int
Replace the type of "digest_length" with int to avoid implicit conversion when it is assigned by EVP_MD_get_size().
Otherwise, it may pass the following check and cause the integer overflow error when EVP_MD_get_size() returns negative numbers.
Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23922)
(cherry picked from commit f13ddaab69def0b453b75a8f2deb80e1f1634f42)
sashan [Fri, 22 Mar 2024 14:19:53 +0000 (15:19 +0100)]
fix demos/sslecho/main.c so it builds on OpenBSD too
trying to build `demos/sslecho/main.c` shipped by current openssl
fails with error as follows:
```
cc -I../../include -g -Wall -c -o main.o main.c
main.c:35:24: error: variable has incomplete type 'struct sockaddr_in'
struct sockaddr_in addr;
^
main.c:35:12: note: forward declaration of 'struct sockaddr_in'
struct sockaddr_in addr;
^
main.c:46:32: error: use of undeclared identifier 'INADDR_ANY'
addr.sin_addr.s_addr = INADDR_ANY;
^
main.c:152:24: error: variable has incomplete type 'struct sockaddr_in'
struct sockaddr_in addr;
^
main.c:152:12: note: forward declaration of 'struct sockaddr_in'
struct sockaddr_in addr;
^
3 errors generated.
gmake: *** [<builtin>: main.o] Error 1
```
including `netinet/in.h` fixes the build
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23936)
(cherry picked from commit 01eaf203856bfbb63051f8ecf56eae2d21132496)
Randall S. Becker [Thu, 21 Mar 2024 21:16:11 +0000 (21:16 +0000)]
Correct OSSL_sleep for NonStop PUT model by introducing sleep().
This fix also removes SPT model support as it was previously deprecated.
Upcoming threading models on the platform should be supportable without change
to this method.
Fixes: #23923
Fixes: #23927
Fixes: #23928
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23926)
(cherry picked from commit 4a9e48f727ce7ad924c53a55b301e426d7e43863)
Yavor Georgiev [Tue, 5 Mar 2024 18:10:03 +0000 (19:10 +0100)]
Don’t use the recvmmsg dgram method on Android <5
recvmmsg and sendmmsg were only added to Android’s C library in version 5, starting with API Level 21.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23754)
(cherry picked from commit 24109dca5a793d58c68a346db5b21746079ec317)
olszomal [Thu, 21 Mar 2024 10:10:04 +0000 (11:10 +0100)]
Fixed a typo and grammar in openssl-ts.pod
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23913)
(cherry picked from commit f1c14f1853d2df94e339208eed1df823c2238389)
Dmitry Misharov [Fri, 22 Mar 2024 11:01:53 +0000 (12:01 +0100)]
fix uploading artifacts for parametrized jobs
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23933)
(cherry picked from commit 395ab201a7f99ebe2b1598890c9a43081867d226)
Neil Horman [Tue, 5 Mar 2024 19:22:28 +0000 (14:22 -0500)]
Make counters in rcu/rw threads torture test 64 bit
It's possible in some conditions for the rw/rcu torture tests to wrap the
counter, leading to false positive failures, make them 64 bits to avoid
this
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23724)
(cherry picked from commit b50c174ee3b11f916285046d52574ba653745083)
Dmitry Misharov [Fri, 1 Mar 2024 15:59:07 +0000 (16:59 +0100)]
Add M1 macOS runner to some workflows
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23724)
(cherry picked from commit ada9d8c785cce8e75a88675622dd5ec79e9aa6d7)
Jakov Smolić [Tue, 5 Mar 2024 15:43:11 +0000 (16:43 +0100)]
riscv: Fix remaining asm checks
There are additional asm checks which don't check for OPENSSL_CPUID_OBJ
causing the build to still fail on riscv [1], so fix them in the same
manner as ff279597692f9f19dca5b147944d3d96f2e109f8
[1] https://bugs.gentoo.org/923956
Fixes: https://github.com/openssl/openssl/issues/22871
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23752)
Matt Hauck [Fri, 15 Mar 2024 01:25:11 +0000 (18:25 -0700)]
Update FIPS hmac key documentation
The documentation is slightly incorrect about the FIPS hmac key.
CLA: trivial
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23846)
(cherry picked from commit 53ef123f48d402aff7c27f8ec15191cb1cde4105)
Hugo Landau [Mon, 12 Feb 2024 13:17:01 +0000 (13:17 +0000)]
Move artifact upload code into the shell script
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23551)
(cherry picked from commit 9abcf116962e9a117717c751de93846f11da16cd)
Hugo Landau [Mon, 12 Feb 2024 11:29:14 +0000 (11:29 +0000)]
Experimental support for uploading qlog artifacts
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23551)
(cherry picked from commit f2db70962cacc2602bc614d51e0610085c99e999)
Richard Levitte [Wed, 20 Mar 2024 12:10:06 +0000 (13:10 +0100)]
Prepare for 3.3 alpha 2
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
Richard Levitte [Wed, 20 Mar 2024 12:09:34 +0000 (13:09 +0100)]
Prepare for release of 3.3 alpha 1
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
Richard Levitte [Wed, 20 Mar 2024 12:09:28 +0000 (13:09 +0100)]
make update
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
Richard Levitte [Wed, 20 Mar 2024 12:07:54 +0000 (13:07 +0100)]
Copyright year updates
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
Matt Caswell [Wed, 13 Mar 2024 15:19:43 +0000 (15:19 +0000)]
Fix unbounded memory growth when using no-cached-fetch
When OpenSSL has been compiled with no-cached-fetch we do not cache
algorithms fetched from a provider. When we export an EVP_PKEY to a
provider we cache the details of that export in the operation cache for
that EVP_PKEY. Among the details we cache is the EVP_KEYMGMT that we used
for the export. When we come to reuse the key in the same provider that
we have previously exported the key to, we check the operation cache for
the cached key data. However because the EVP_KEYMGMT instance was not
cached then the instance will be different every time and we were not
recognising that we had already exported the key to the provider.
This causes us to re-export the key to the same provider every time the key
is used. Since this consumes memory we end up with unbounded memory growth.
The fix is to be more intelligent about recognising that we have already
exported key data to a given provider even if the EVP_KEYMGMT instance is
different.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23841)
Bernd Edlinger [Sun, 10 Mar 2024 12:15:55 +0000 (13:15 +0100)]
Try to fix intermittent CI failures in quic_multistream test
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23807)
Alexandr Nedvedicky [Thu, 14 Mar 2024 08:53:56 +0000 (09:53 +0100)]
plug potential memory leak in error code path
Function `module_add()` may leak stack of modules when
it fails to initialize newly added module.
Fixes #23835
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23836)
Tomas Mraz [Fri, 15 Mar 2024 10:28:42 +0000 (11:28 +0100)]
Raise the AFL_MAP_SIZE to accommodate future growth
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23851)
Tomas Mraz [Fri, 15 Mar 2024 10:27:41 +0000 (11:27 +0100)]
82-test_ocsp_cert_chain.t: Just ignore unrecognized lines in server output
There might be warnings from AFL fuzz checker
or other warnings that we do not care about.
For success it is just required that cert_status: ocsp response sent:
is present.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23851)
Alexandr Nedvedicky [Thu, 14 Mar 2024 09:40:06 +0000 (10:40 +0100)]
Minor docfix for OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines(3)
Also removal of duplicate assignment and addition of comment
in test/http_test.c
Follow up change to PR #23781
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23837)
Tomas Mraz [Thu, 14 Mar 2024 17:58:00 +0000 (18:58 +0100)]
Set AFL_MAP_SIZE to avoid crash in the AFL CI job
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23843)
Tomas Mraz [Wed, 14 Feb 2024 11:45:15 +0000 (12:45 +0100)]
Add a test using the bandwidth limit filter
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23588)
Tomas Mraz [Mon, 5 Feb 2024 15:03:15 +0000 (16:03 +0100)]
Add support for bandwidth limitation in noisydgram BIO filter
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23588)
Tomas Mraz [Fri, 19 Jan 2024 14:06:45 +0000 (15:06 +0100)]
bio_f_noisy_dgram_filter(): Fix typo
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23588)
Shakti Shah [Tue, 30 Jan 2024 18:56:32 +0000 (00:26 +0530)]
SSL_add_dir_cert_subjects_to_stack(): Documented return values
In the man page for SSL_add_dir_cert_subjects_to_stack(), the functions
returning int have undocumented return values.
Fixes #23171
Signed-off-by: Shakti Shah <shaktishah33@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23433)
Job Snijders [Mon, 29 Jan 2024 20:40:32 +0000 (20:40 +0000)]
Add Content Type OID for id-ct-rpkiSignedPrefixList
References: draft-ietf-sidrops-rpki-prefixlist
Title: "A profile for Signed Prefix Lists for Use in the Resource Public Key Infrastructure (RPKI)"
OID assigned under 'SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)'
https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23426)
Tomas Mraz [Thu, 8 Feb 2024 16:19:19 +0000 (17:19 +0100)]
apps/x509.c: No warning reading from stdin if redirected
Fixes #22893
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23526)
Neil Horman [Thu, 14 Mar 2024 16:04:17 +0000 (12:04 -0400)]
Fix ASLR to be smaller during asan/tsan/ubsan runs
Recently asan/tsan/ubsan runs have been failing randomly. It appears
that a recent runner update may have led to the Address Space Layout
Randomization setting in the linux kernel of ubuntu-latest runner
getting set to too high a value (it defaults to 30). Such a setting
leads to the possibility that a given application will have memory
mapped to an address space that the sanitizer code typically uses to do
its job. Lowering this value allows a/t/ubsan to work consistently
again
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23842)
Frederik Wedel-Heinen [Wed, 13 Mar 2024 09:17:37 +0000 (10:17 +0100)]
Avoid a memcpy in dtls_get_reassembled_message()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23828)
Vladimirs Ambrosovs [Tue, 12 Mar 2024 16:23:55 +0000 (18:23 +0200)]
Fix dasync_rsa_decrypt to call EVP_PKEY_meth_get_decrypt
Signed-off-by: Vladimirs Ambrosovs <rodriguez.twister@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23825)
Joachim Vandersmissen [Tue, 5 Mar 2024 01:16:23 +0000 (19:16 -0600)]
Implement KAT for KBKDF with KMAC128
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23745)
sharad3001 [Mon, 11 Mar 2024 10:19:01 +0000 (15:49 +0530)]
Update tls13ccstest.c, removal of deadcode
tst has been already checked for invalid value in the start of the function with switch statement.
Checked again here, so removed deadcode
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23813)
Frederik Wedel-Heinen [Wed, 14 Feb 2024 09:09:55 +0000 (10:09 +0100)]
Add fuzzing for DTLS
Update the fuzz corpora submodule with the DTLS fuzz corpus.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23585)
James Muir [Wed, 20 Dec 2023 05:15:17 +0000 (00:15 -0500)]
s_server: test ocsp with "-cert_chain"
Add a test to exercise the use of s_server with "-cert_chain" to
construct an ocsp request.
This new functionality was added in PR #22192.
Testing:
make V=1 TESTS='test_ocsp_cert_chain' test
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23101)
Alexandr Nedvedicky [Fri, 8 Mar 2024 10:21:18 +0000 (11:21 +0100)]
Limit the number of http headers when receiving the http response
The change introduces a default limit of 256 on the HTTP headers we expect
to receive from the server. If the limit is exceeded, the HTTP client library
indicates the HTTP_R_RESPONSE_TOO_MANY_HDRLINES error. An application can use
OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines() to change the default.
Setting the limit to 0 implies no limit (current behavior).
Fixes #22264
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23781)
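The header-line cap described in the commit above, as an added stand-alone C model (not OpenSSL's code, and not part of the commit log). The names scan_headers, build_response and the hdr_status values are hypothetical, and not counting the status line is an assumption of the model; HDR_TOO_MANY plays the role of the HTTP_R_RESPONSE_TOO_MANY_HDRLINES error.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Constructed model, not OpenSSL source; 256 is the default named in the commit. */
#define DEFAULT_MAX_HDR_LINES 256
enum hdr_status { HDR_OK = 0, HDR_TOO_MANY = -1, HDR_INCOMPLETE = -2 };

/* Scan resp[0..len). The status line is not counted (assumption of this model);
 * max_lines == 0 means no limit. On HDR_OK, *n_hdrs and *body_off are set. */
static enum hdr_status scan_headers(const char *resp, size_t len, size_t max_lines,
                                    size_t *n_hdrs, size_t *body_off)
{
    size_t pos = 0, count = 0, line_len;
    int first = 1;
    while (pos < len) {
        const char *nl = memchr(resp + pos, '\n', len - pos);
        if (nl == NULL)
            return HDR_INCOMPLETE;      /* need more data from the peer */
        line_len = (size_t)(nl - (resp + pos));
        if (line_len > 0 && resp[pos + line_len - 1] == '\r')
            line_len--;                 /* accept CRLF and bare LF */
        pos = (size_t)(nl - resp) + 1;
        if (first) {                    /* skip the status line */
            first = 0;
            continue;
        }
        if (line_len == 0) {            /* blank line ends the header block */
            *n_hdrs = count;
            *body_off = pos;
            return HDR_OK;
        }
        /* Check the cap before accepting the line so work per response is bounded. */
        if (max_lines != 0 && count >= max_lines)
            return HDR_TOO_MANY;
        count++;
    }
    return HDR_INCOMPLETE;
}

/* Build a constructed response with n header lines; returns its length. */
static size_t build_response(char *buf, size_t cap, size_t n)
{
    size_t off = (size_t)snprintf(buf, cap, "HTTP/1.1 200 OK\r\n");
    for (size_t i = 0; i < n && off < cap; i++)
        off += (size_t)snprintf(buf + off, cap - off, "X-Pad-%zu: a\r\n", i);
    if (off < cap)
        off += (size_t)snprintf(buf + off, cap - off, "\r\nbody");
    return off < cap ? off : cap - 1;
}
```

A response with exactly 256 header lines passes under the default cap, the 257th line is rejected, and a cap of 0 restores the unlimited behaviour.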
Jiasheng Jiang [Wed, 6 Mar 2024 16:08:06 +0000 (16:08 +0000)]
Add check for xor_get_aid()
Add check for the return value of xor_get_aid() in order to avoid NULL pointer dereference.
For example, "algor" could be NULL if the allocation of X509_ALGOR_new() fails. As a result, i2d_X509_ALGOR() will return 0 and "ctx->aid" will be an invalid value NULL.
Fixes: f4ed6eed2c ("SSL_set1_groups_list(): Fix memory corruption with 40 groups and more")
Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23764)
olszomal [Thu, 8 Feb 2024 13:30:22 +0000 (14:30 +0100)]
Improve the documentation on -cert_chain and -status_verbose options
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22192)
olszomal [Fri, 5 Jan 2024 12:41:59 +0000 (13:41 +0100)]
Use the untrusted certificate chain to create a valid certificate ID for OCSP_request
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22192)
谭九鼎 [Sun, 10 Mar 2024 02:18:05 +0000 (02:18 +0000)]
Doc: fix style
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23805)
Jiasheng Jiang [Mon, 4 Mar 2024 17:34:02 +0000 (17:34 +0000)]
PKCS7: Remove one of the duplicate checks
There are two consecutive identical checks "if (i <= 0)".
We can remove one of them to make the code clear.
CLA: trivial
Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23741)
Aarni Koskela [Tue, 5 Mar 2024 10:52:34 +0000 (12:52 +0200)]
Add reformatting commit to .git-blame-ignore-revs
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23748)
slontis [Tue, 27 Feb 2024 02:34:49 +0000 (13:34 +1100)]
Make the generated params_idx.c file deterministic if run multiple times.
Fixes #23672
There are many name/value pairs currently that have duplicate names e.g.
'CAPABILITY_TLS_GROUP_MAX_TLS' => "tls-max-tls",
'CAPABILITY_TLS_SIGALG_MAX_TLS' => "tls-max-tls",
Stripping the .pm file down to just the above entries and running
multiple times gives different results for the produce_decoder.
On multiple runs any iterations over the unordered hash table keys using
foreach my $name (keys %params) results in a different order on multiple
runs. Because of this the mapping from the hash 'value' back to the
'key' will be different.
Note that the code also uses another mechanism in places that uses
"name1" => "value"
"name2" => "*name1"
Rather than fix all the strings the change done was to sort the keys. If
we were to choose to fix the strings then the perl code should be changed
to detect duplicates.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23688)
Alexandr Nedvedicky [Fri, 1 Mar 2024 07:25:19 +0000 (08:25 +0100)]
FAQ.md should be removed
The page the link refers to does not exist.
Does anyone object to deleting the file?
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23719)
slontis [Mon, 4 Mar 2024 02:08:08 +0000 (13:08 +1100)]
Fix BIO_get_new_index() to return an error when it is exhausted.
Fixes #23655
BIO_get_new_index() returns a range of 129..255.
It is set to BIO_TYPE_START (128) initially and is incremented on each
call.
>= 256 is reserved for the class type flags (BIO_TYPE_DESCRIPTOR) so it
should error if it reaches the upper bound.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23732)
Neil Horman [Fri, 8 Mar 2024 20:06:33 +0000 (15:06 -0500)]
Bring SSL_group_to_name docs in line with API definition
The docs say the SSL object in this function is const, but the API doesn't
qualify it as such. Adjust the docs to match the definition.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23785)
Hugo Landau [Wed, 14 Feb 2024 09:26:37 +0000 (09:26 +0000)]
Add CHANGES
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23584)
Hugo Landau [Wed, 14 Feb 2024 09:09:54 +0000 (09:09 +0000)]
QUIC MULTISTREAM TEST: Test write buffer statistics queries
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23584)
Hugo Landau [Wed, 14 Feb 2024 08:44:36 +0000 (08:44 +0000)]
QUIC: Add stream write buffer queries
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23584)
Bernd Edlinger [Wed, 28 Feb 2024 06:14:08 +0000 (07:14 +0100)]
Try to fix intermittent CI failures in sslapitest
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23705)
Hugo Landau [Thu, 15 Feb 2024 09:23:56 +0000 (09:23 +0000)]
QLOG: Fix indentation
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23598)
Hugo Landau [Thu, 15 Feb 2024 09:14:41 +0000 (09:14 +0000)]
QUIC: Define error code for stateless reset
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23598)
Hugo Landau [Thu, 15 Feb 2024 09:03:26 +0000 (09:03 +0000)]
QUIC: Add documentation for QUIC error codes
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23598)
Hugo Landau [Thu, 15 Feb 2024 08:55:36 +0000 (08:55 +0000)]
QUIC: Uniform changes for QUIC error code definitions rename
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23598)
Hugo Landau [Thu, 15 Feb 2024 08:55:24 +0000 (08:55 +0000)]
QUIC: Make QUIC transport error codes public
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23598)
Bernd Edlinger [Fri, 23 Feb 2024 11:04:38 +0000 (12:04 +0100)]
Don't run the self-hosted workflows when not available
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23678)
Neil Horman [Tue, 5 Mar 2024 15:56:35 +0000 (10:56 -0500)]
Gate setting of ipi_spec_dst on not building for freebsd
Some variants of FreeBSD (notably Dell's OneFS) implement IP_PKTINFO
partially, and as such the build breaks for those variants.
Specifically, it supports IP_PKTINFO, but the in_pktinfo struct has no
defined ipi_spec_dst field. Work around this by gating the setting of
that variable on not building for FreeBSD.
Fixes #23739
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23753)
Stanislav Zidek [Fri, 1 Mar 2024 14:33:30 +0000 (15:33 +0100)]
interop tests: Fedora 39 config, simplify updates
Imitating Fedora 39 configuration in openssl.cnf with
SECLEVEL lowered to 0 in order to be able to run
TLS 1.3 tests with TLS_AES_128_CCM_8_SHA256.
In order to make updating smoother, check out specific tag rather
than the branch. This way, "old" tests can be fetched until PR
pointing to "new" tests is merged, so backwards-incompatible
changes can be done when needed.
Files specific for openssl upstream moved to separate
directory.
CLA: trivial
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23747)
Dmitry Belyavskiy [Tue, 27 Feb 2024 14:22:58 +0000 (15:22 +0100)]
Fix a memory leak on successful load of CRL
Fixes #23693
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23695)
Hugo Landau [Mon, 4 Mar 2024 22:56:45 +0000 (22:56 +0000)]
QUIC QLOG: Fix ANSI
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23744)
Hugo Landau [Mon, 4 Mar 2024 22:55:51 +0000 (22:55 +0000)]
QUIC QLOG: Fix use of sprintf
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23744)
Hugo Landau [Mon, 4 Mar 2024 22:49:54 +0000 (22:49 +0000)]
Enable qlog support by default
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23744)
Tomas Mraz [Thu, 14 Dec 2023 17:04:58 +0000 (18:04 +0100)]
Document that unknown groups and sigalgs marked with ? are ignored
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23050)