Document extensibility of -groups parameter via providers

Also add brainpool curves

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org

Document extensibility of -groups parameter via providers

Also add brainpool curves

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25821)

show more ...

Remove two unused union members from struct x509_object_st.

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from h

Remove two unused union members from struct x509_object_st.

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25826)

show more ...

Use correct alerts for some cert comp errors

Fixes #25471

Signed-off-by: Todd Short <todd.short@me.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas

Use correct alerts for some cert comp errors

Fixes #25471

Signed-off-by: Todd Short <todd.short@me.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25845)

show more ...

Support DEFAULT keyword and '-' prefix in SSL_CTX_set1_groups_list()

Fixes #25790

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(M

Support DEFAULT keyword and '-' prefix in SSL_CTX_set1_groups_list()

Fixes #25790

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25813)

show more ...

APPS/pkeyutl: strengthen error message on too long sign/verify input

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https:

APPS/pkeyutl: strengthen error message on too long sign/verify input

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22910)

show more ...

APPS/pkeyutl: -digest implies -rawin and can only be used with -sign and -verify

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged

APPS/pkeyutl: -digest implies -rawin and can only be used with -sign and -verify

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22910)

show more ...

APPS/pkeyutl: improve -rawin usability (implied by Ed25519 and Ed448) and doc

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged fr

APPS/pkeyutl: improve -rawin usability (implied by Ed25519 and Ed448) and doc

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22910)

show more ...

CHANGES.md: re-word 'app' to 'command' and 'apps' to 'commands' for consistency

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged

CHANGES.md: re-word 'app' to 'command' and 'apps' to 'commands' for consistency

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22910)

show more ...

apps/speed.c: Fix the benchmarking for AEAD ciphers

Fixed the benchmarking for the evp aead interface for ccm, gcm, ocb, and siv,
where decryption fails when executing
`openssl speed

apps/speed.c: Fix the benchmarking for AEAD ciphers

Fixed the benchmarking for the evp aead interface for ccm, gcm, ocb, and siv,
where decryption fails when executing
`openssl speed -evp aes-128-ccm -decrypt` and
`openssl speed -evp aes-128-gcm -decrypt`.

Related issues are [24686](https://github.com/openssl/openssl/issues/24686)
and [24250](https://github.com/openssl/openssl/issues/24250).
Now both encryption and decryption, with or without AAD, executes correctly
without issues.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25823)

show more ...

apps: Change default cipher to aes-256-cbc for req, cms and smime apps

Update `CHANGES.md` and `NEWS.md`; remove `no-des` guard from req, cms,
and smime apps

Update MAN pages fo

apps: Change default cipher to aes-256-cbc for req, cms and smime apps

Update `CHANGES.md` and `NEWS.md`; remove `no-des` guard from req, cms,
and smime apps

Update MAN pages for default cipher; fix styling by removing braces around single statements

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25839)

show more ...

Fix incorrect openssl-smime doc sample command for encrypt

Original documented sample command causes error. PEM recipient cert argument needs to go last.

CLA: trivial

Revie

Fix incorrect openssl-smime doc sample command for encrypt

Original documented sample command causes error. PEM recipient cert argument needs to go last.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25829)

show more ...

speed.c: Check for 0 block size

Although this cannot really happen check for 0 block size
to avoid division by 0.

Fixes Coverity 1633936

Reviewed-by: Paul Dale <ppzgs1@

speed.c: Check for 0 block size

Although this cannot really happen check for 0 block size
to avoid division by 0.

Fixes Coverity 1633936

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25822)

show more ...

Fix potential memory leak in OSSL_HPKE_CTX_new()

ctx->propq is a duplicated string, but the error code does not free
the duplicated string's memory. If e.g. EVP_CIPHER_fetch() fails then

Fix potential memory leak in OSSL_HPKE_CTX_new()

ctx->propq is a duplicated string, but the error code does not free
the duplicated string's memory. If e.g. EVP_CIPHER_fetch() fails then
we can leak the string's memory.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25812)

show more ...

test: Add test cases for req -cipher option

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/open

test: Add test cases for req -cipher option

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25796)

show more ...

req: Add -cipher option to specify private key encryption cipher

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://gi

req: Add -cipher option to specify private key encryption cipher

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25796)

show more ...

Remove sslkeylog file setup from quic-hq-interop

Now that libcrypto supports the user of SSLKEYLOGFILE, the interop demo
attempts to open the same file based on the same env variable.

Remove sslkeylog file setup from quic-hq-interop

Now that libcrypto supports the user of SSLKEYLOGFILE, the interop demo
attempts to open the same file based on the same env variable.

The hq-interop-demo code can just be removed, and it fixes the open
failure when both libcrypto and hq-interop attempt to open and write the
same file, which is causing the nightly failure

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25819)

show more ...

fix: util/check-format-commit.sh - fix ending check

Look at the end result instead of the file name it's stored in

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by:

fix: util/check-format-commit.sh - fix ending check

Look at the end result instead of the file name it's stored in

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25810)

show more ...

output negotiated TLS1.3 group

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25808)

speed.c: Check block size before running EVP_Cipher_loop()

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.

speed.c: Check block size before running EVP_Cipher_loop()

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/25792)

show more ...

test_speed: Explicitly test the crashing command line on sparc

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <

test_speed: Explicitly test the crashing command line on sparc

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/25792)

show more ...

Fix builds on riscv64 using musl

Some environments using musl are reported to have the hwprobe.h include
file but not have the __NR_riscv_hwprobe define.

Fixes #25772

R

Fix builds on riscv64 using musl

Some environments using musl are reported to have the hwprobe.h include
file but not have the __NR_riscv_hwprobe define.

Fixes #25772

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/25787)

show more ...

Fix ambiguous output of Signature Algorithms

Signature Algorithms are printed in a SIG+HASH format.
In some cases this is ambiguous like brainpool and RSA-PSS.
And the name of ed2551

Fix ambiguous output of Signature Algorithms

Signature Algorithms are printed in a SIG+HASH format.
In some cases this is ambiguous like brainpool and RSA-PSS.
And the name of ed25519 and ed448 must be spelled in lower case,
so that the output can be used as a -sigalgs parameter value.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25797)

show more ...

check-format-commit.sh: various improvements; check unstaged changes on empty commit range

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(M

check-format-commit.sh: various improvements; check unstaged changes on empty commit range

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25666)

show more ...

check-format-commit.sh: make awk patterns more robust for MacOS and certain flavors of Linux

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>

check-format-commit.sh: make awk patterns more robust for MacOS and certain flavors of Linux

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25666)

show more ...

Dependabot update

CLA: trivial

(deps): Bump actions/setup-python

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.2.0 to 5.3.0.
- [Release n

Dependabot update

CLA: trivial

(deps): Bump actions/setup-python

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.2.0 to 5.3.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v5.2.0...v5.3.0)

---
updated-dependencies:
- dependency-name: actions/setup-python
dependency-type: direct:production
update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25795)

show more ...