a08a145d | 22-Oct-2024 | Dimitri John Ledkov |
github: add fips configuration, with legacy transitions turned off
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25762)

9d70bba1 | 22-Oct-2024 | Dimitri John Ledkov |
fips no-des: compile out TDES KAT

FIPS provider correctly supports the no-des build time option and doesn't advertise DES related algorithms. However, the KAT test for DES is still attempted and fails. This prevents configuring the FIPS provider without legacy behaviour as defined in SP 800-131Arev2. Also see #25761 internal docs.

Fix the `enable-fips no-des` build option, and add a daily checker for a "legacy-free" (as much as currently feasible) FIPS configuration.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25762)

fc0e7946 | 22-Oct-2024 | Frederik Wedel-Heinen |
tls_common.c: Align the calculation of maximal alignment value

In tls_setup_write_buffer() and tls_setup_read_buffer() the calculation is different. Make them the same.

Fixes #25746
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25764)

3d3bb26a | 05-Oct-2024 | Alexandr Nedvedicky |
Do not confuse TAP::Parser by mixing up stderr with stdout.

This avoids false positive failures on FreeBSD-CI, which suffers most from this issue.

Fixes #23992
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/25613)

76783a82 | 16-Oct-2024 | Kurt Roeckx |
Dependabot: no longer set an "approval: otc review pending" label

The label doesn't exist anymore.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25706)

c5795689 | 16-Oct-2024 | Tomas Mraz |
Fix missing sendmmsg/recvmmsg on AIX

This at least fixes the build failures on AIX.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25704)

72d3e9ba | 09-Oct-2024 | Dr. David von Oheimb |
TRACE: automatically respect disabled categories by fixing OSSL_trace_begin() to return NULL when the given category is not enabled

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25652)

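The property this commit restores is that a trace "begin" call is itself the gate: when it returns NULL for a disabled category, every call site written in the begin/write/end idiom goes quiet without having to check the category on its own. The following is an added example written for this page, not OpenSSL's tracing code; the category names, the `trace_chan` handle type and the captured-buffer sink are all assumptions chosen so the behaviour can be observed offline.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not OpenSSL's tracing code): a minimal category-gated trace
 * facility.  trace_begin() returns NULL for an unknown or disabled category,
 * so call sites using the "begin / write / end" idiom emit nothing for it.
 * Output is captured in a buffer (instead of a FILE) so it can be inspected.
 */

enum { TRACE_TLS = 0, TRACE_QUIC = 1, TRACE_NUM_CATEGORIES = 2 };

typedef struct { int category; } trace_chan;

static unsigned trace_enabled_mask;                /* bit i set => category i enabled */
static trace_chan channels[TRACE_NUM_CATEGORIES];
static char trace_sink[1024];
static size_t trace_sink_len;

void trace_set_enabled(int category, int on)
{
    if (category < 0 || category >= TRACE_NUM_CATEGORIES)
        return;
    if (on)
        trace_enabled_mask |= 1u << category;
    else
        trace_enabled_mask &= ~(1u << category);
}

/* NULL when the category is unknown or disabled; a channel handle otherwise. */
trace_chan *trace_begin(int category)
{
    if (category < 0 || category >= TRACE_NUM_CATEGORIES)
        return NULL;
    if ((trace_enabled_mask & (1u << category)) == 0)
        return NULL;
    channels[category].category = category;
    return &channels[category];
}

/* Appends formatted text to the sink; a NULL channel writes nothing. */
int trace_printf(trace_chan *ch, const char *fmt, ...)
{
    va_list ap;
    int n;
    size_t room = sizeof(trace_sink) - trace_sink_len;

    if (ch == NULL)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(trace_sink + trace_sink_len, room, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    if ((size_t)n > room - 1)
        n = (int)(room - 1);     /* truncated write: count only what landed */
    trace_sink_len += (size_t)n;
    return n;
}

void trace_end(trace_chan *ch) { (void)ch; }

/* An instrumented code path.  Returns 1 if a trace line was emitted. */
int instrumented_step(int category, const char *what)
{
    trace_chan *ch;
    int emitted = 0;

    if ((ch = trace_begin(category)) != NULL) {
        trace_printf(ch, "[%d] %s\n", ch->category, what);
        emitted = 1;
        trace_end(ch);
    }
    return emitted;
}

const char *trace_captured(void) { return trace_sink; }

void trace_reset(void)
{
    trace_sink_len = 0;
    trace_sink[0] = '\0';
}

int main(void)
{
    trace_set_enabled(TRACE_TLS, 1);
    instrumented_step(TRACE_TLS, "ClientHello");   /* emitted */
    instrumented_step(TRACE_QUIC, "Initial");      /* silently skipped */
    fputs(trace_captured(), stdout);
    return 0;
}
```

The call site in `instrumented_step()` is the point: it never consults the enabled mask, so the fix in `trace_begin()` is enough to silence every such site at once.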
e8d96359 | 08-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix memory leaks in ossl_quic_calculate_retry_integrity_tag()

Fixes #25625

Several error paths return 0 directly instead of going to err to clean up the objects.

CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25636)

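The bug class named in this commit message (an early `return 0` on an error path after objects have already been allocated) is worth seeing side by side with the single-exit `goto err` shape OpenSSL code normally uses. The block below is an added example for this page, not the QUIC function itself: the two-object setup, the numbered failure points and the `live_objects` counter standing in for a leak detector are all assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not OpenSSL code).  A function creates two heap objects up
 * front and has several later points at which it can fail.  Returning 0
 * directly from a failure point leaks both objects; routing every failure
 * through one "err:" label that frees whatever was allocated does not.
 * live_objects stands in for a leak detector such as ASan or valgrind.
 */

int live_objects = 0;

typedef struct { unsigned char state[16]; } obj_t;

obj_t *obj_new(void)
{
    obj_t *o = calloc(1, sizeof(*o));
    if (o != NULL)
        live_objects++;
    return o;
}

void obj_free(obj_t *o)
{
    if (o != NULL) {
        live_objects--;
        free(o);
    }
}

/*
 * Hypothetical tag computation, pre-fix shape.  fail_at selects which of the
 * two later steps fails (1 or 2); 0 means every step succeeds.  The failure
 * paths "return 0" without releasing c and k.
 */
int leaky_compute_tag(int fail_at, unsigned char tag[16])
{
    obj_t *c = obj_new();
    obj_t *k = obj_new();

    if (c == NULL || k == NULL) {
        obj_free(c);
        obj_free(k);
        return 0;
    }
    if (fail_at == 1)
        return 0;               /* BUG: c and k leak */
    if (fail_at == 2)
        return 0;               /* BUG: c and k leak */

    memset(tag, 0xAB, 16);
    obj_free(c);
    obj_free(k);
    return 1;
}

/* Post-fix shape: ret defaults to failure, one exit path, unconditional cleanup. */
int fixed_compute_tag(int fail_at, unsigned char tag[16])
{
    int ret = 0;
    obj_t *c = NULL, *k = NULL;

    if ((c = obj_new()) == NULL || (k = obj_new()) == NULL)
        goto err;
    if (fail_at == 1)
        goto err;
    if (fail_at == 2)
        goto err;

    memset(tag, 0xAB, 16);
    ret = 1;
 err:
    obj_free(c);    /* obj_free(NULL) is a no-op, so partial setups are safe */
    obj_free(k);
    return ret;
}

/* Runs fn once with the given failure point and reports what it left behind. */
int objects_leaked_by(int (*fn)(int, unsigned char *), int fail_at)
{
    unsigned char tag[16];
    int before = live_objects;

    fn(fail_at, tag);
    return live_objects - before;
}

int main(void)
{
    printf("leaky, failure at step 1: %d objects leaked\n",
           objects_leaked_by(leaky_compute_tag, 1));
    printf("fixed, failure at step 1: %d objects leaked\n",
           objects_leaked_by(fixed_compute_tag, 1));
    return 0;
}
```

Initialising every pointer to NULL before the first `goto` is what makes the shared cleanup label safe to reach from any point; a leak of this kind in a server-side path such as Retry tag computation is reachable by unauthenticated peers, which is why early returns in such code deserve a review pass even when each one looks harmless.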
37aa1143 | 07-Oct-2024 | Michael Baentsch <57787676+baentsch@users.noreply.github.com> |
Improve documentation about duplicate algorithm registrations

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25624)

f928304a | 26-Sep-2024 | Ingo Franzki |
s390x: Don't probe crypto cards for ME/CRT offloading during initialization

Probing for crypto cards during initialization by issuing an ioctl to the zcrypt device driver can cause a lot of traffic and overhead, because it runs for each and every application that uses OpenSSL, regardless of whether that application will later perform ME or CRT operations or not.

Fix this by performing no probing during initialization, but detect the crypto card availability only at the first ME/CRT operation that is subject to be offloaded. If the ioctl returns ENODEV, then no suitable crypto card is available in the system, and we disable further offloading attempts by setting flag OPENSSL_s390xcex_nodev to 1.

Setting the global flag OPENSSL_s390xcex_nodev in case of ENODEV is intentionally not made in a thread safe manner, because the only thing that could happen is that another thread, that misses the flag update, also issues an ioctl and gets ENODEV as well.

The file descriptor is not closed in such error cases, because this could cause race conditions where we would close a foreign file if the same file descriptor got reused by another thread. The file descriptor is finally closed during termination by the atexit handler.

In case the ioctl returns ENOTTY then this indicates that the file descriptor was closed (e.g. by a sandbox), but in the meantime the same file descriptor has been reused for another file. Do not use the file descriptor anymore, and also do not close it during termination.

Fixes: https://github.com/openssl/openssl/commit/79040cf29e011c21789563d74da626b7465a0540
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25576)

e1886edf | 15-Oct-2024 | Michael Baentsch <57787676+baentsch@users.noreply.github.com> |
work around oqsprovider out-of-source build bug

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25702)

8bcf4880 | 15-Oct-2024 | Michael Baentsch <57787676+baentsch@users.noreply.github.com> |
Updated oqsprovider to v0.7.0

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25702)

36254fda | 18-Oct-2024 | Tomas Mraz |
Add CHANGES.md and NEWS.md entries for CVE-2024-9143

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/25734)
(cherry picked from commit 233034bc5a294b26d37186dc68d7d6d8357d889a)

1f0cb850 | 18-Oct-2024 | Tomas Mraz |
ecdh_cofactor_derive_test(): Skip the test if the curve is not supported

It will not be supported if the fips provider was built with no-ec2m.

Fixes #25729
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25731)

dfc5ba8a | 18-Oct-2024 | Tomas Mraz |
run-checker-merge.yml: Combine no-ec2m with enable-fips

This can reveal more errors than just no-ec2m.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25731)

e84878a7 | 17-Oct-2024 | Dmitry Misharov |
update logo

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25725)

51921b87 | 08-Oct-2024 | Michael Baentsch <57787676+baentsch@users.noreply.github.com> |
first cut at KEM & key management skeletons

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25640)

00776cba | 10-Oct-2024 | Ondrej Moris |
ci: re-organize external tests

Signed-off-by: Ondrej Moris <omoris@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25587)

7832374f | 10-Oct-2024 | Ondrej Moris |
test: clean-up README-external documentation

Signed-off-by: Ondrej Moris <omoris@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25587)

e9af1eaa | 25-Sep-2024 | Ondrej Moris |
test: Add external test for pkcs11-provider

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25587)

144b9ebc | 29-Aug-2024 | Alicja Kario |
add test coverage for #25298

Add test coverage for issue #25298, clean up the json file so it uses consistent indentation.

Signed-off-by: Alicja Kario <hkario@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
(Merged from https://github.com/openssl/openssl/pull/25329)

bb221d36 | 29-Aug-2024 | Alicja Kario |
update tlsfuzzer to new version

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
(Merged from https://github.com/openssl/openssl/pull/25329)

5b29c71a | 09-Oct-2024 | Neil Horman |
updating comments in test recipe

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25297)

5dffe6af | 09-Oct-2024 | Neil Horman |
updating docs to reflect security risks for SSLKEYLOGFILE

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25297)

6f7273a9 | 08-Oct-2024 | Neil Horman |
Convert keylogging in response to comments

1) Convert failures in keylog setup to trace messages for a warning-like mechanism
2) Convert sslkeylogfile_cb to be a flag used to determine making a direct call to the internal logging function

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25297)
