Add a style-check workflow

Add a CI job that evaluates style issues, restricted only to lines
changed for the affected files in a given commit

Also provide a mechanism to waive

Add a style-check workflow

Add a CI job that evaluates style issues, restricted only to lines
changed for the affected files in a given commit

Also provide a mechanism to waive those style issues. by applying the
style:exempted label to a PR, the checks are still run (its nice to see
what they are regardless), but the test will pass CI regardless of
weather any issues are found.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24806)

show more ...

Add a check-format-commit.sh script

Add a wrapper script to check-format.pl, which is capable of analyzing
commits rather than just a file. for a provided commit this script:

1

Add a check-format-commit.sh script

Add a wrapper script to check-format.pl, which is capable of analyzing
commits rather than just a file. for a provided commit this script:

1) runs check-format.pl on the files changed in the provided commit

2) filters the output of check-format.pl, only producing lines that
match ranges of changed lines in those files

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24806)

show more ...

Enhance documentation for `BN_mask_bits()`

Fixes #5537

Added a note that the error check for `BN_mask_bits()` depends
on the internal representation that depends on the platform

Enhance documentation for `BN_mask_bits()`

Fixes #5537

Added a note that the error check for `BN_mask_bits()` depends
on the internal representation that depends on the platform's word size.
Included a reference to the `BN_num_bits()` function for precise bit checking.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24812)

show more ...

Extend TLSv1.3 record layer padding API calls

Added SSL_set_block_padding_ex() and SSL_CTX_set_block_padding_ex()
to allow separate padding block size values for handshake messages
a

Extend TLSv1.3 record layer padding API calls

Added SSL_set_block_padding_ex() and SSL_CTX_set_block_padding_ex()
to allow separate padding block size values for handshake messages
and application data messages.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24796)

show more ...

Add documentation for deprecated CMAC_CTX functions

Fixes #5539: Create a new manual page `CMAC_CTX.pod` documenting the deprecated `CMAC_CTX` functions and add the necessary build dependenc

Add documentation for deprecated CMAC_CTX functions

Fixes #5539: Create a new manual page `CMAC_CTX.pod` documenting the deprecated `CMAC_CTX` functions and add the necessary build dependencies. This page includes function descriptions, usage details, and replacement suggestions with the `EVP_MAC` interface.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24814)

show more ...

Add and Update Documentation for TS_VERIFY_CTX Functions

Mark the existing `TS_VERIFY_CTX_set_certs` function as deprecated in the
documentation.
Add missing documentation for the de

Add and Update Documentation for TS_VERIFY_CTX Functions

Mark the existing `TS_VERIFY_CTX_set_certs` function as deprecated in the
documentation.
Add missing documentation for the deprecated functions `TS_VERIFY_CTX_set_data`,
`TS_VERIFY_CTX_set_imprint`, and `TS_VERIFY_CTX_set_store`.
Write missing documentation for the following functions:
- `TS_VERIFY_CTX_new`
- `TS_VERIFY_CTX_init`
- `TS_VERIFY_CTX_free`
- `TS_VERIFY_CTX_cleanup`
- `TS_VERIFY_CTX_set_flags`
- `TS_VERIFY_CTX_add_flags`
- `TS_VERIFY_CTX_set0_data`
- `TS_VERIFY_CTX_set0_imprint`
- `TS_VERIFY_CTX_set0_store`
- `TS_VERIFY_CTX_set0_certs`

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24701)

show more ...

Replace and Deprecate TS_VERIFY_CTX Functions

Fixes #18854

Replace and deprecate the functions `TS_VERIFY_CTX_set_data`,
`TS_VERIFY_CTX_set_store`, `TS_VERIFY_CTX_set_certs`, `T

Replace and Deprecate TS_VERIFY_CTX Functions

Fixes #18854

Replace and deprecate the functions `TS_VERIFY_CTX_set_data`,
`TS_VERIFY_CTX_set_store`, `TS_VERIFY_CTX_set_certs`, `TS_VERIFY_CTX_set_imprint`
with new versions: `TS_VERIFY_CTX_set0_data`,
`TS_VERIFY_CTX_set0_store`, `TS_VERIFY_CTX_set0_certs` and `TS_VERIFY_CTX_set0_imprint`.

The previous functions had poorly documented memory handling, potentially
leading to memory leaks. The new functions improve memory management and provide
clearer usage.

Also, update existing code to use the new function calls instead of the deprecated
ones.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24701)

show more ...

Clarify supported curves in the s_client/s_server documentation

Mention that supported curves (aka groups) include named EC parameters
as well as X25519 and X448 or FFDHE groups.

Clarify supported curves in the s_client/s_server documentation

Mention that supported curves (aka groups) include named EC parameters
as well as X25519 and X448 or FFDHE groups.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24774)

show more ...

os-zoo.yml: Cleanup unnecessary -Wno-switch-default

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gma

os-zoo.yml: Cleanup unnecessary -Wno-switch-default

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24787)

show more ...

read lock store on ossl_method_store_do_all

Theres a data race between ossl_method_store_insert and
ossl_method_store_do_all, as the latter doesn't take the property lock
before iter

read lock store on ossl_method_store_do_all

Theres a data race between ossl_method_store_insert and
ossl_method_store_do_all, as the latter doesn't take the property lock
before iterating.

However, we can't lock in do_all, as the call stack in several cases
later attempts to take the write lock.

The choices to fix it are I think:
1) add an argument to indicate to ossl_method_store_do_all weather to
take the read or write lock when doing iterations, and add an
is_locked api to the ossl_property_[read|write] lock family so that
subsequent callers can determine if they need to take a lock or not

2) Clone the algs sparse array in ossl_method_store_do_all and use the
clone to iterate with no lock held, ensuring that updates to the
parent copy of the sparse array are left untoucheTheres a data race
between ossl_method_store_insert and ossl_method_store_do_all, as the
latter doesn't take the property lock before iterating.

I think method (2), while being a bit more expensive, is probably the
far less invasive way to go here

Fixes #24672

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24782)

show more ...

Allow openssl version to function in the absence of a config file

the openssl application attempts to load a config file on startup
always, calling x509_get_default_cert_area() to locate

Allow openssl version to function in the absence of a config file

the openssl application attempts to load a config file on startup
always, calling x509_get_default_cert_area() to locate the file. On
Windows builds with -DOSSL_WINCTX set, this fails if the corresponding
registry keys are unset. allow openssl to continue to function properly
for applets that don't actually require a configuration file.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24450)

show more ...

Fix sed/awk usage in windows ci jobs

The addition of sed and awk, while available in the windows vm's for CI
in powershell, don't behave as I would expect (though the same commands
w

Fix sed/awk usage in windows ci jobs

The addition of sed and awk, while available in the windows vm's for CI
in powershell, don't behave as I would expect (though the same commands
work with a local installation on windows using GnuWin32). In trying to
figure out what was going on I found it was far more stable and
predictable to use the powershell -split and -replace commands instead
of sed and awk

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24450)

show more ...

Avoid chicken and egg problem with reg setting

Because openssl with -DOSSL_WINCTX no longer falls back to build time
defines, we have a chicken and egg problem. CI needs to query openss

Avoid chicken and egg problem with reg setting

Because openssl with -DOSSL_WINCTX no longer falls back to build time
defines, we have a chicken and egg problem. CI needs to query openssl
for its version string so registry keys can be set properly, but openssl
version refuses to run because no configuration file can be found

So we work around it by, for the purposes of setting the registry keys,
we set OPENSSL_CONF to a know config file, so that openssl version runs
properly.

Once the version is extracted, we can set the registry keys, and openssl
will function properly without OPENSSL_CONF set

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24450)

show more ...

Adjust ci to only use major.minor when setting reg keys

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/opens

Adjust ci to only use major.minor when setting reg keys

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24450)

show more ...

Update defaults to install keys against major.minor

we want patch level updates to use the same keys, so only create the key
against the major.minor version

Reviewed-by: Tomas M

Update defaults to install keys against major.minor

we want patch level updates to use the same keys, so only create the key
against the major.minor version

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24450)

show more ...

Fixes for defaults code

Fix up some indenting, and ensure that the run_once routines don't get
defined if OSSL_WINCTX isn't defined to avoid compiler errors

Reviewed-by: Tomas M

Fixes for defaults code

Fix up some indenting, and ensure that the run_once routines don't get
defined if OSSL_WINCTX isn't defined to avoid compiler errors

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24450)

show more ...

Augment version.c to not display -w options on non-windows

Don't need the -w option on non-windows builds

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <

Augment version.c to not display -w options on non-windows

Don't need the -w option on non-windows builds

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24450)

show more ...

Update NOTES-WINDOWS.md

The behavior of windows with registry keys is somewhat confusing, and
based on both build time defines, and reg key availablility. Add a
table defining behav

Update NOTES-WINDOWS.md

The behavior of windows with registry keys is somewhat confusing, and
based on both build time defines, and reg key availablility. Add a
table defining behavior in all cases

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24450)

show more ...

Add Changes entry

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24450)

Allow OPENSSLDIR/ENGINESDIR/MODULESDIR to be NULL

To prevent inadvertent use of insecure directories, we need to be able
to detect and react when our new registry keys aren't set, which

Allow OPENSSLDIR/ENGINESDIR/MODULESDIR to be NULL

To prevent inadvertent use of insecure directories, we need to be able
to detect and react when our new registry keys aren't set, which implies
allowing the values for the dynamic representations of
OPENSSLDIR/ENGINESDIR/MODULESDIR to return NULL. This in turn requires
that we detect and handle NULL string in several call sites that
previously assumed they would never be NULL. This commit fixes those up

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24450)

show more ...

Update docs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24450)

update windows_comp ci run to use new registry reads

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/

update windows_comp ci run to use new registry reads

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24450)

show more ...

Update NOTES-WINDOWS for typos/grammar

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2

Update NOTES-WINDOWS for typos/grammar

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24450)

show more ...

Don't fall back to pre-defined constants on windows

We don't want to allow windows systems on new installs to use
OPENSSLDIR/MODULESDIR/ENGINESDIR at all, as it makes no sense to define

Don't fall back to pre-defined constants on windows

We don't want to allow windows systems on new installs to use
OPENSSLDIR/MODULESDIR/ENGINESDIR at all, as it makes no sense to define
paths at build time that have no meaning at install time.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24450)

show more ...

Fix windows ci to use proper OSSL_WINCTX define

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/opens

Fix windows ci to use proper OSSL_WINCTX define

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24450)

show more ...