Update fingerprints.txt

Add Paul Dale as an approved release signer.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richar

Update fingerprints.txt

Add Paul Dale as an approved release signer.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16175)

show more ...

Add missing session timeout calc

Fixes #16142

Add missing session timeout calculation in `ssl_get_new_session()`

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by

Add missing session timeout calc

Fixes #16142

Add missing session timeout calculation in `ssl_get_new_session()`

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16145)

show more ...

test: add a comment indication that a bad MAC is intentional

This permits negative testing of FIPS module load failure.

Also changed the MAC to all zeros to make it even clearer.

test: add a comment indication that a bad MAC is intentional

This permits negative testing of FIPS module load failure.

Also changed the MAC to all zeros to make it even clearer.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16168)

show more ...

Add some testing for the case where the FIPS provider fails to load

Ensure we get correct behaviour in the event that an attempt is made
to load the fips provider but it fails to load.

Add some testing for the case where the FIPS provider fails to load

Ensure we get correct behaviour in the event that an attempt is made
to load the fips provider but it fails to load.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16168)

show more ...

Don't try and load the config file while already loading the config file

Calls to the API function EVP_default_properties_enable_fips() will
automatically attempt to load the default con

Don't try and load the config file while already loading the config file

Calls to the API function EVP_default_properties_enable_fips() will
automatically attempt to load the default config file if it is not
already loaded. Therefore this function should not be called from inside
code to process the config file.

Fixes #16165

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16168)

show more ...

Ensure any default_properties still apply even in the event of a provider load failure

We don't treat a failure to load a provider as a fatal error. If it is fatal then
we give up attemp

Ensure any default_properties still apply even in the event of a provider load failure

We don't treat a failure to load a provider as a fatal error. If it is fatal then
we give up attempting to load the config file - including reading any default
properties. Additionally if an attempt has been made to load a provider then we
disable fallback loading.

Fixes #16166

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16168)

show more ...

Don't leak the OSSL_LIB_CTX in the event of a failure to load the FIPS module

Ensure we free the OSSL_LIB_CTX on the error path.

Fixes #16163

Reviewed-by: Tim Hudson <tjh@o

Don't leak the OSSL_LIB_CTX in the event of a failure to load the FIPS module

Ensure we free the OSSL_LIB_CTX on the error path.

Fixes #16163

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16168)

show more ...

ci: disable async for the SH4 build and reenable the associated test

The platform doesn't seem to have support for this.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from h

ci: disable async for the SH4 build and reenable the associated test

The platform doesn't seem to have support for this.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16144)

show more ...

ci: get rid of no-asm flag to m68k cross compiles

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16144)

ci: add the param conversion tests to the cross compiles.

There was a failure because an "inf" values was being read as a "NaN" not an
infinity.

Reviewed-by: Tim Hudson <tjh@ope

ci: add the param conversion tests to the cross compiles.

There was a failure because an "inf" values was being read as a "NaN" not an
infinity.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16144)

show more ...

QEMU: include test runs for most cross compilation targets

For the cross compiles where the tests couldn't be run, most are capable
of being run when statically linked. For these, a sha

QEMU: include test runs for most cross compilation targets

For the cross compiles where the tests couldn't be run, most are capable
of being run when statically linked. For these, a shared with FIPS build
but not test run is also included to maximise compilation coverage.
The builds take a couple of minutes so the impact of these extra jobs
isn't great.

The test failures for test_includes, test_store and test_x509_store
across several platforms are related the the OPENSSL_DIR_read() call.
This gets a "Value too large for defined data type" error calling the
standard library's readdir() wrapper. That is, the failure is during
the translation from the x86-64 structure to the 32 bit structure.
I've tried tweaking the include defines to use larger fields but couldn't
figure out how to make it work. The most prudent fix is to ignore these
tests for these platforms.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16144)

show more ...

test: handle not a number (NaN) values in the param conversion test.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16144)

Add a test case for EVP_MD_meth_dup() and EVP_CIPHER_meth_dup()

Check that EVP_MD_meth_free() and EVP_CIPHER_meth_free() does actually
free the data.

Reviewed-by: Dmitry Belyavs

Add a test case for EVP_MD_meth_dup() and EVP_CIPHER_meth_dup()

Check that EVP_MD_meth_free() and EVP_CIPHER_meth_free() does actually
free the data.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16159)

show more ...

Fix EVP_MD_meth_dup and EVP_CIPHER_meth_dup

Make sure the origin is set correctly when duping an EVP_MD or EVP_CIPHER.

Fixes #16157

Reviewed-by: Dmitry Belyavskiy <beldmit@

Fix EVP_MD_meth_dup and EVP_CIPHER_meth_dup

Make sure the origin is set correctly when duping an EVP_MD or EVP_CIPHER.

Fixes #16157

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16159)

show more ...

Mark the EVP_PKEY_METHOD arg as const on some EVP_PKEY_meth_get_*() funcs

Most EVP_PKEY_meth_get_*() functions mark the EVP_PKEY_METHOD argument as
const. But 3 did not. We fix those to

Mark the EVP_PKEY_METHOD arg as const on some EVP_PKEY_meth_get_*() funcs

Most EVP_PKEY_meth_get_*() functions mark the EVP_PKEY_METHOD argument as
const. But 3 did not. We fix those to be consistent.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16128)

show more ...

KTLS: AES-CCM in TLS-1.3 is broken on 5.x kernels, disable it

Fixes #16089

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Me

KTLS: AES-CCM in TLS-1.3 is broken on 5.x kernels, disable it

Fixes #16089

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16120)

show more ...

Test ktls in non-default options CI build

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/opens

Test ktls in non-default options CI build

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16120)

show more ...

Drop no-ktls from runchecker daily build as it has no effect

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://githu

Drop no-ktls from runchecker daily build as it has no effect

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16120)

show more ...

ECDSA_SIG_set0(): Clarify documentation and fix formatting errors

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16129)

ECDSA_SIG_set0: r and s parameters cannot be NULL

Fixes #7731

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16129)

DOCS: Move the description of EVP_PKEY_get0_description()

It appears to have been misplaced

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org

DOCS: Move the description of EVP_PKEY_get0_description()

It appears to have been misplaced

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16063)

show more ...

EVP: Add EVP_PKEY_get0_provider() and EVP_PKEY_CTX_get0_provider()

Fixes #16058

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merge

EVP: Add EVP_PKEY_get0_provider() and EVP_PKEY_CTX_get0_provider()

Fixes #16058

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16063)

show more ...

Fix potential problems with EVP_PKEY_CTX_new() with engine set

If an engine is non-NULL in EVP_PKEY_CTX_new() call an assert might
have been incorrectly triggered or the engine might be

Fix potential problems with EVP_PKEY_CTX_new() with engine set

If an engine is non-NULL in EVP_PKEY_CTX_new() call an assert might
have been incorrectly triggered or the engine might be finished
without being inited.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16137)

show more ...

do_sigver_init: Add missing ERR_clear_last_mark()

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openss

do_sigver_init: Add missing ERR_clear_last_mark()

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16138)

show more ...

ci: QEMU based cross compiled testing

With a little set up, Debian provides an ability to use QEMU to execute
programs compiled for other architectures. Using this, most of our cross

ci: QEMU based cross compiled testing

With a little set up, Debian provides an ability to use QEMU to execute
programs compiled for other architectures. Using this, most of our cross
compilation CI builds can be executed.

This PR does this.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16133)

show more ...