The last (and only?) user has been removed in commit eca471391378 "APPS:
Drop interactive mode in the 'openssl' program".
Complements: eca471391378 "APPS: Drop interactive mode in the 'openssl' program" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28441)
Pauli [Thu, 4 Sep 2025 21:24:19 +0000 (07:24 +1000)]
slh-dsa: omit test of import PCT
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28447)
Pauli [Thu, 4 Sep 2025 21:23:28 +0000 (07:23 +1000)]
import pct: remove import PCTs for most algorithms
This coveres DH, EC, RSA and SLH-DSA.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28447)
Tomas Mraz [Fri, 5 Sep 2025 10:14:31 +0000 (12:14 +0200)]
interop-test.yml: Install new openssl version alongside the old
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28451)
Tomas Mraz [Fri, 5 Sep 2025 07:20:11 +0000 (09:20 +0200)]
interop-tests.yml: Fix also the soversion in the RPM spec file
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28451)
Only unlock in rsa_get_blinding when locking was successful
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28438)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28437)
Refactor cache_objects() loop and object type handling
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/28382)
X509_VERIFY_PARAM_get0(): add check to defend on out-of-bound table access
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28370)
There are some code paths where resp is used without a previous check
for being non-NULL (specifically, OCSP_response_create() can return
NULL, and do_responder() can return -1, that would also lead to resp
being NULL). Avoid hitting NULL dereferences by wrapping the code that
uses resp in "if (resp != NULL)".
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665155
References: https://github.com/openssl/project/issues/1362 Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28405)
crypto/x509/t_req.c: avoid exts leaking on error paths
If an error occurred and jump to the "err" label is performed after
exts has been allocated, it can leak. Avoid that by adding
sk_X509_EXTENSION_pop_free() on the error path and setting exts to NULL
after sk_X509_EXTENSION_pop_free() in the normal handling.
Fixes: ae880ae6719e "Fix error handling in X509_REQ_print_ex" Fixes: 87c49f622e7f "Support for parsing of certificate extensions in PKCS#10 requests: these are"
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665161
References: https://github.com/openssl/project/issues/1362 Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28405)
test/radix/quic_bindings.c: move locking after child_script_info assignment
Coverity complains that some child_script_info field accesses are guarded
by the mutexes, while others are not; placate it by performing the assignment
before taking the lock.
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665151
References: https://github.com/openssl/project/issues/1362 Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28405)
doc/man1/openssl-enc.pod.in: document 'k' handling for -bufsize
Apparently, '-bufsize' option parser can handle the 'k' suffix
(and treat is as the value being provided in the multiples of 1024).
Document that.
Complements: d02b48c63a58 "Import of old SSLeay release: SSLeay 0.8.1b" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28405)
apps/enc.c: avoid signed integer overflow on bufsize assignment
The calculated option value, while being long-typed, is not checked
for fitting into int-sized bufsize. Avoid overflow by throwing error
if it is bigger than INT_MAX and document that behaviour.
Fixes: 7e1b7485706c "Big apps cleanup (option-parsing, etc)"
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665149
References: https://github.com/openssl/project/issues/1362 Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28405)
Per paragraph 3 of section 6.5.16.1 "Simple assignment" of ISO 9899:1999 TC3:
If the value being stored in an object is read from another object
that overlaps in any way the storage of the first object, then the overlap
shall be exact and the two objects shall have qualified or unqualified
versions of a compatible type; otherwise, the behavior is undefined.
And that is what exactly violated when one field of the union is
assigned to another; avoid that by introducing separate local variable
where the cast value is stored and then compared.
Fixes: 9deaf8383338 "test/bioprinttest.c: add some checks for integer and string printing"
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665144
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665145
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665146
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665147
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665148
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665150
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665152
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665153
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665156
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665157
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665158
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665159
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665160
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665162
References: https://github.com/openssl/project/issues/1362 Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28405)
Pauli [Thu, 28 Aug 2025 04:48:59 +0000 (14:48 +1000)]
remove ossl_prov_digest_load_from_params()
This is no longer used or needed and is internal, so away it goes.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28361)
Pauli [Thu, 28 Aug 2025 04:48:51 +0000 (14:48 +1000)]
kmac: avoid using ossl_prov_digest_load_from_params()
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28361)
Pauli [Thu, 28 Aug 2025 04:48:31 +0000 (14:48 +1000)]
pvkkdf: avoid using ossl_prov_digest_load_from_params()
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28361)
Pauli [Thu, 28 Aug 2025 04:48:10 +0000 (14:48 +1000)]
pbkdf2: avoid using ossl_prov_digest_load_from_params()
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28361)
Pauli [Thu, 28 Aug 2025 04:47:52 +0000 (14:47 +1000)]
hkdf: avoid using ossl_prov_digest_load_from_params()
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28361)
slontis [Fri, 29 Aug 2025 04:11:59 +0000 (14:11 +1000)]
FIPS: Don't allow SHA512-224 and SHA512-256 for ECDSA/DSA signatures
These algorithms do not have OIDS (Note that RSA does have OIDS),
and are not valid values for FIPS.
Note that this was only possible if the "ECDSA" algorithm is fetched.
Note that "ECDSA-SHA512-256" and "ECDSA-SHA512-224" are not currently
fetchable.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28377)
Pauli [Sun, 31 Aug 2025 07:21:42 +0000 (17:21 +1000)]
slh-dsa: enter FIPS error state if pairwise test fails
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28394)
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28403)
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28369)
Simo Sorce [Fri, 10 Jan 2025 22:20:59 +0000 (17:20 -0500)]
Implement EVP_KDF_CTX_set_SKEY
This allows to use a SKEY as input to a KDF derive operation.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28369)
Signed-off-by: Dmitry Belyavskiy <beldmit@gmail.com> Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28369)
Signed-off-by: Dmitry Belyavskiy <beldmit@gmail.com> Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28369)
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28369)
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28369)
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28369)
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28369)
Design document of using opaque object as symmetric key
Signed-off-by: Dmitry Belyavskiy <beldmit@gmail.com> Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28369)
Leonabcd123 [Thu, 28 Aug 2025 08:46:13 +0000 (11:46 +0300)]
Fix typos and whitespace
Added "the" before "use"
Add missing whitespace
Removed unnecessary apostrophe in FIPS.md
CLA: trivial
Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28362)
test/bioprinttest.c: move the %n result to the field that is later checked
The test_n test implicitly assumed a certain union layout, as the %n was
writing to the union field in accordance with the length modifier being
tested, but comparison of the expected value was dan agains the val field,
and that is incorrect, especially on big-endian architectures. Fix that
by explicitly assigning the result to the val field of the union and
updating the expected values where the resulting value overflows
into negative.
Fixes: 9deaf8383338 "test/bioprinttest.c: add some checks for integer and string printing" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28388)
test/bioprinttest.c: fix sloppy length modifier usage in int_data
Some test vectors used in int_data have mismatching (or, more
spercifically) missing length modifiers in conversion specifiers;
most of the time it has gone unnoticed, but on some architectures where
64-bit arguments supplied differently (sugh as mips and armv7) it led
to garbage being retrieved instead of the expected values. Fix it
by properly providing proper length modifiers.
Fixes: 9deaf8383338 "test/bioprinttest.c: add some checks for integer and string printing" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28388)
Pauli [Thu, 14 Aug 2025 04:57:19 +0000 (14:57 +1000)]
slh-dsa: add a PCT for key import when in FIPS mode
Fixes #28182
Co-Authored-By: slontis <shane.lontis@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28276)
crypto/bio/bio_print.c: improve the precision handling in fmtint
Per [1]:
* A negative precision is taken as if the precision were omitted.
* The default precision is 1.
* For d, i, o, u, x, and X conversion specifiers, if a precision
is specified, the '0' flag shall be ignored.
crypto/bio/bio_print.c: bring back the length modifier support for %n
For some reason, it has been removed in commit 15b337fa58ba "bio/b_print.c:
switch to int64_t as "greatest-width integer type".", despite being a part
of the standard in both ANSI C and POSIX.1-2001. Bring it back for all
the supported length modifiers.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28177)
crypto/bio/bio_print.c: make %n in line with other libc implementations
The standard[1] is pretty vague in its definition of the %n specifier
by using "the number of bytes written to the output so far", without
actually elaborating, whether only the actually written bytes, or the bytes
that would be written (but discarded) are used; the consensus across
implementations, however, seems to gravitate towards the latter. Track
the virtual "write position" separately and use its value when %n format
is occurred. That also means that we cannot finish the output early
upon reach of the end of buffer (unless we made sure that no %n specifiers
occur in the remainder of the format string).
crypto/bio/bio_print.c: always terminate output with \0
Man page states that the result is terminated with \0 on error, however,
when the jump to the "out" label is performed in _dopr, writing out \0
is skipped. Rearrange the end of the routine to make the "out" part
include the overflow calculation and the final \0 writing.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28177)
crypto/bio/bio_print.c: consolidating print arguments in a structure
buffer/sbuffer/maxlen/currlen are passed together between _dopr, fmt*,
and doapr_outch; consolidate them together in a structure and pass
it instead. A preparatory commit before introducing a separate "write
position" parameter, that is also to be passed around.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28177)
crypto/bio/bio_print.c: no prefix for zero value in alternative form
Per [1] (emphasis is added):
- For o conversion, it shall increase the precision,
**if and only if necessary**, to force the first digit of the result
to be a zero (**if the value and precision are both 0,
a single 0 is printed**).
- For x or X conversion specifiers, a **non-zero** result shall have
0x (or 0X) prefixed to it.
Pavol Žáčik [Wed, 20 Aug 2025 12:35:03 +0000 (14:35 +0200)]
Add SKEYMGMT support to the FIPS provider
And extend the SKEY managers listing test with a FIPS case.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28339)
Jakub Jelen [Mon, 25 Aug 2025 08:04:41 +0000 (10:04 +0200)]
doc: Fix function name in example code
CLA: trivial Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28334)
Holger Dengler [Wed, 20 Aug 2025 15:55:43 +0000 (17:55 +0200)]
aes-s390x.pl: Initialize reserved and unused memory
The reserved bytes in the parameter block (bytes 0-11) for the KMA
instruction should be set to zero to be compatible in case of future
architecture changes.
While at it, also the following unused parts of the parameter block
(bytes 48-63) are also cleared to avoid false positives with various
memory checkers like valgrind.
As it makes - performance wise - no difference to process 12, 48 or 64
bytes with one XC call, but two XC calls are slower than one call, the
first 64 bytes of the parameter block will be cleared with a single XC
call. This will also initialize the counter in the parameter block
(bytes 12-15), although it is not strictly necessary.
Co-developed-by: Juergen Christ <jchrist@linux.ibm.com> Signed-off-by: Juergen Christ <jchrist@linux.ibm.com> Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28315)
doc/man3/SSL_poll.pod: mention SSL_POLL_EVENT_{EL,IC} in SYNOPSIS
While the constants are present since the initial commit 2a5ee0a08d2c "QUIC:
Add polling API", they weren't initially documented in c9b0df2250e2 "QUIC:
Add manpage for SSL_poll" (probably due to absence of the QUIC server
mode support at the time), and mentioned for the first time in b20f55702100
"QUIC: Update SSL_poll documentation", but without the accompanying update
of the SYNOPSIS section. Rescind the omission by updating it as well.
Complements: b20f55702100 "QUIC: Update SSL_poll documentation" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28303)
Pavol Žáčik [Tue, 19 Aug 2025 12:26:07 +0000 (14:26 +0200)]
Add targets to skip build of non-installable programs
These make it possible to split the build into two
parts, e.g., when tests should be built with different
compiler flags than installed software.
Also use these as dependecies where appropriate.
Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28302)
Michael Baentsch [Wed, 16 Jul 2025 09:18:02 +0000 (11:18 +0200)]
rebase to master fixing some missing group references
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26965)
Nachel72 [Sun, 17 Aug 2025 06:08:38 +0000 (14:08 +0800)]
Fix: Add free to avoid memory leak.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28289)
Anthony Roberts [Thu, 3 Jul 2025 10:21:37 +0000 (11:21 +0100)]
Fix `VC-WIN64-CLANGASM-ARM` target
This was broken for Windows ARM64 in #22949
The comments were in the wrong format, and a define check of `_M_ARM64` was missed in places
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27958)
Nikola Pajkovsky [Fri, 15 Aug 2025 12:02:44 +0000 (14:02 +0200)]
dh: add FIPS 140-3 PCT on key generation
According to FIPS 140-3 IG 10.3.A Additonal Comment 1, a PCT shall be
performed.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28280)
Nachel72 [Mon, 18 Aug 2025 07:53:48 +0000 (15:53 +0800)]
fix(pkcs12): prevent PKCS7 memleak in p12_npas.c
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28292)
Viktor Dukhovni [Mon, 28 Jul 2025 07:45:18 +0000 (17:45 +1000)]
Add design doc for rfc4514 DN output format
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28104)
Reviewed-by: Hugo Landau <hlandau@devever.net> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28210)
ritoban23 [Wed, 13 Aug 2025 20:19:17 +0000 (01:49 +0530)]
Fix null pointer check in pkey_dh_derive to ensure both keys are set
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28259)
Nachel72 [Wed, 13 Aug 2025 15:15:05 +0000 (23:15 +0800)]
Fix: Check for wrong object. The converted sc should be checked instead of the original s
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28248)
Holger Dengler [Thu, 21 Aug 2025 12:14:04 +0000 (14:14 +0200)]
Ignore generated assembler files for cpuid functions
The architecture-specific code to detect CPU features at runtime is
generated from Perl Assembler. Modify the ignore pattern to match the
generated .S files for all architectures.
Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28318)
Niels Dossche [Thu, 21 Aug 2025 11:24:01 +0000 (13:24 +0200)]
Fix reallocation failure condition in qtx_resize_txe()
Returning the same pointer does not mean that the reallocation failed,
it would also prevent updating alloc_len down below.
This is similar code and a similar change to 043a41ddee.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28317)
vkryl [Fri, 15 Aug 2025 12:01:51 +0000 (15:01 +0300)]
Android: Enable 16 KB ELF alignment for `arm64-v8a` and `x86_64` platforms
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@devever.net> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28277)
projects / thirdparty / openssl.git / log
