QLOG: Fix indentation

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23598)

QUIC: Define error code for stateless reset

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pul

QUIC: Define error code for stateless reset

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23598)

show more ...

QUIC: Add documentation for QUIC error codes

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pu

QUIC: Add documentation for QUIC error codes

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23598)

show more ...

QUIC: Uniform changes for QUIC error code definitions rename

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/op

QUIC: Uniform changes for QUIC error code definitions rename

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23598)

show more ...

QUIC: Make QUIC transport error codes public

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pu

QUIC: Make QUIC transport error codes public

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23598)

show more ...

Dont run the self-hosted workflows when not available

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/o

Dont run the self-hosted workflows when not available

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23678)

show more ...

Gate setting of ipi_spec_dst on not building for freebsd

some variants of FreeBSD (notably Dells OneFS) implement IP_PKTINFO
partially, and as such the build breaks for those variants.

Gate setting of ipi_spec_dst on not building for freebsd

some variants of FreeBSD (notably Dells OneFS) implement IP_PKTINFO
partially, and as such the build breaks for those variants.
specifically, it supports IP_PKTINFO, but the in_pktinfo struct has no
defined ipi_spec_dst field. Work around this by gating the setting of
that variable on not building for FreeBSD

Fixes #23739

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23753)

show more ...

interop tests: Fedora 39 config, simplify updates

Imitating Fedora 39 configuration in openssl.cnf with
SECLEVEL lowered to 0 in order to be able to run
TLS 1.3 tests with TLS_AES_12

interop tests: Fedora 39 config, simplify updates

Imitating Fedora 39 configuration in openssl.cnf with
SECLEVEL lowered to 0 in order to be able to run
TLS 1.3 tests with TLS_AES_128_CCM_8_SHA256.

In order to make updating smoother, check out specific tag rather
than the branch. This way, "old" tests can be fetched until PR
pointing to "new" tests is merged, so backwards-incompatible
changes can be done when needed.

Files specific for openssl upstream moved to separate
directory.

CLA: trivial

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23747)

show more ...

Fix a memory leak on successful load of CRL

Fixes #23693

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged fr

Fix a memory leak on successful load of CRL

Fixes #23693

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23695)

show more ...

QUIC QLOG: Fix ANSI

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23744)

QUIC QLOG: Fix use of sprintf

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23744)

Enable qlog support by default

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23744)

Document that unknown groups and sigalgs marked with ? are ignored

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from http

Document that unknown groups and sigalgs marked with ? are ignored

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23050)

show more ...

Add test for ignoring unknown sigalgs and groups marked with ?

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://

Add test for ignoring unknown sigalgs and groups marked with ?

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23050)

show more ...

Allow ignoring unknown sigalgs and groups in the configuration

Related to #20789

Signature algorithms and groups in the configuration that are
preceded with ? character and are

Allow ignoring unknown sigalgs and groups in the configuration

Related to #20789

Signature algorithms and groups in the configuration that are
preceded with ? character and are unknown to libssl are just ignored.
The handling for them is similar to handling of ciphers.
I.e., there should be a failure only in case the configuration produces
no valid sigalgs or groups.

Also ignore duplicate sigalgs and groups as such confiuration errors
should not be fatal.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23050)

show more ...

apps/cmp: improve -reqin option to read fallback public key from first request message file given

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmai

apps/cmp: improve -reqin option to read fallback public key from first request message file given

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21660)

show more ...

crypto/cmp: add OSSL_CMP_MSG_get0_certreq_publickey(); fix coding style nit

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by

crypto/cmp: add OSSL_CMP_MSG_get0_certreq_publickey(); fix coding style nit

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21660)

show more ...

apps/cmp: extend documentation and diagnostics for using -reqin in special situations

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
R

apps/cmp: extend documentation and diagnostics for using -reqin in special situations

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21660)

show more ...

apps/cmp: add -reqout_only option for dumping/saving just the initial CMP request message

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>

apps/cmp: add -reqout_only option for dumping/saving just the initial CMP request message

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21660)

show more ...

apps/cmp.c: refactor to fix some coding style nits and more convenient source-level debugging

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.co

apps/cmp.c: refactor to fix some coding style nits and more convenient source-level debugging

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21660)

show more ...

cmperr.h: use free reason value 106 rather than 197 for CMP_R_UNEXPECTED_SENDER

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged

cmperr.h: use free reason value 106 rather than 197 for CMP_R_UNEXPECTED_SENDER

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/21660)

show more ...

Dump out qlog json if it is malformed

We're still seeing periodic failures in qlog from malformed json output,
so lets try to catch it.

Modify the verify-qlog.py script to, in t

Dump out qlog json if it is malformed

We're still seeing periodic failures in qlog from malformed json output,
so lets try to catch it.

Modify the verify-qlog.py script to, in the event of an exception in
json.loads, to replay the entire json file to the console, followed by
an exception indicating what line it died trying to parse.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23715)

show more ...

Implement PCT for EDDSA

According to FIPS 140-3 IG 10.3.A Additonal Comment 1, a PCT shall be
performed consistent with the intended use of the keys.

This commit implements PCT

Implement PCT for EDDSA

According to FIPS 140-3 IG 10.3.A Additonal Comment 1, a PCT shall be
performed consistent with the intended use of the keys.

This commit implements PCT for EDDSA via performing sign and verify
operations after key generated.

Also use the same pairwise test logic in EVP_PKEY_keygen and
EVP_PKEY_pairwise_check for EDDSA in FIPS_MODULE.

Add OSSL_SELF_TEST_DESC_PCT_EDDSA to OSSL_PROVIDER-FIPS page.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23408)

show more ...

demos/http3: Use `SSL_write_ex2()` together with `SSL_WRITE_FLAG_CONCLUDE`

These calls were introduced by PR #23343.

Change also does a minor tweak to Makefile so CFLAGS and LDFLAGS

demos/http3: Use `SSL_write_ex2()` together with `SSL_WRITE_FLAG_CONCLUDE`

These calls were introduced by PR #23343.

Change also does a minor tweak to Makefile so CFLAGS and LDFLAGS variables
from the environment are respected.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23602)

show more ...

Fix off by one issue in buf2hexstr_sep()

Fixes #23363

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://githu

Fix off by one issue in buf2hexstr_sep()

Fixes #23363

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23404)

show more ...