This repository was archived by the owner on Jan 5, 2026. It is now read-only.

Upstream 1.1.1s #407

Merged
baentsch merged 432 commits into OQS-OpenSSL_1_1_1-stable from mb-111s
Nov 21, 2022

@baentsch
Member

Fixes #404

  • documentation is added or updated
  • tests are added or updated

mattcaswell and others added 30 commits August 24, 2021 14:14
Reviewed-by: Richard Levitte <[email protected]>
Reviewed-by: Richard Levitte <[email protected]>
Reviewed-by: Richard Levitte <[email protected]>
Reviewed-by: Richard Levitte <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#16385)

(cherry picked from commit 562d4cd)
Reviewed-by: Paul Yang <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#16381)
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Richard Levitte <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#16375)
Command 'openssl ciphers -convert <name>' always returns failure,
this patch sets the correct return value.

Signed-off-by: Tianjia Zhang <[email protected]>

Reviewed-by: Paul Yang <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#16383)

(cherry picked from commit 8b4e9c5)
CLA: trivial

Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#16347)

(cherry picked from commit 62bae84)
CLA: trivial

Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#16403)
ubsan found undefined pointer additions in
crypto/bio/bss_mem.c (mem_ctrl),
crypto/pem/pem_lib.c (PEM_read_bio_ex),
test/testutil/format_output.c (test_fail_string_common,
test_fail_memory_common).

Mostly a straight back-port-of: a07dc81

Additionally enable the ubsan run-checker, to prevent regressions.

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Nicola Tuveri <[email protected]>
(Merged from openssl#16423)
the following config:

./config no-shared enable-asan enable-buildtest-c++ enable-external-tests

fails to build with unresolved asan symbols when linking
test/ossl_shim/ossl_shim

Fixed by passing all sanitizer-flags to cxxflags.

Reviewed-by: Paul Dale <[email protected]>
(Merged from openssl#16434)
This test did not really execute, since usually
the OPENSSL_malloc(0) will fail and prevent the
execution of the KDF.

Reviewed-by: Paul Dale <[email protected]>
(Merged from openssl#16446)
This fixes the following error with gcc10 under strict ANSI conditions:

.../crypto/bio/bss_dgram.c:373:20: error: 'const struct in6_addr' has no member named 's6_addr32'

CLA: trivial
Fixes openssl#16449

Reviewed-by: Bernd Edlinger <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from openssl#16451)

(cherry picked from commit e8e1f6d)
This recently added test needs DH2048 to work without tls1_3.

Fixes: openssl#16335

Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#16453)
These functions are part of the public API but we don't have tests
covering their usage.
They are actually implemented as macros and the absence of tests has
caused them to fall out-of-sync with the latest changes to ASN1 related
functions and cause compilation warnings.

@@ Note: This commit limits to ECPKParameters as a type.

(cherry picked from commit ea1128e)

Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#12457)
These functions are part of the public API but we don't have tests
covering their usage.
They are actually implemented as macros and the absence of tests has
caused them to fall out-of-sync with the latest changes to ASN1 related
functions and cause compilation warnings.

This commit fixes the public headers to reflect these changes.

Fixes openssl#12443

(cherry picked from commit cca8a4c)

Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#12457)
Some curves don't have an associated OID: for those we should not
default to `OPENSSL_EC_NAMED_CURVE` encoding of parameters and instead
set the ASN1 flag to `OPENSSL_EC_EXPLICIT_CURVE`.

This is a follow-up to openssl#12312

(cherry picked from commit 7aa3dfc)

Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#12457)
(cherry picked from commit <bernd-edlinger@96a463c>)

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Nicola Tuveri <[email protected]>
(Merged from openssl#12457)
(kfreebsd-amd64, kfreebsd-i386). The error reported by the compiler
is:

../crypto/uid.c: In function 'OPENSSL_issetugid':
../crypto/uid.c:50:22: error: 'AT_SECURE' undeclared (first use in this function)
   50 |     return getauxval(AT_SECURE) != 0;
      |                      ^~~~~~~~~

This commit changes the code to use the freebsd code in this case.
This fixes the compilation.

CLA: trivial

Reviewed-by: Ben Kaduk <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from openssl#16477)

(cherry picked from commit 3a1fa01)
This was missing but essential for using non-SHA1 digests with OAEP.

Fixes openssl#15998

Manual backport of openssl#16410

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Tim Hudson <[email protected]>
(Merged from openssl#16488)
When building the certificate chain, prioritise any Cert(0) Full(0)
certificates from TLSA records over certificates received from the peer.

This is important when the server sends a cross cert, but TLSA records include
the underlying root CA cert.  We want to construct a chain with the issuer from
the TLSA record, which can then match the TLSA records (while the associated
cross cert may not).

Reviewed-by: Tomáš Mráz <[email protected]>
Reviewed-by: Tomáš Mráz <[email protected]>
Whenever the source from $target{apps_init_src} is added to the source
of a test program, it needs to be linked with libapps.a as well.  Some
init sources depend on that.

Without this, builds break on VMS because of the unresolved symbol
'app_malloc'.

On platforms that do not need anything from libapps.a, adding it is a
no-op.

This is for OpenSSL 1.1.1 only.  OpenSSL 3.0 and beyond have a
different solution.

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from openssl#16512)
The compiler says that 'unsigned long long' isn't the same as
'unsigned __int64'.  Sure, and considering that crypto/rand/rand_vms.c
is specific VMS only code, it's easy to just change the type to the
exact same as what's specified in the system headers.

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from openssl#15613)
The options -1 and -apr1 were mentioned in DESCRIPTION, not mentioning
any other options or even mentioning that there are more algorithms.
The simple fix is to remove that sentence and let the OPTIONS section
speak for itself.

Fixes openssl#16529

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from openssl#16531)

(cherry picked from commit 116799f)
mattcaswell and others added 22 commits August 10, 2022 11:42
If the first app data record arrives before the Finished message we should
be able to buffer it and move on to the Finished message.

Reviewed-by: Hugo Landau <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#18976)
As of clang-14 the strict aliasing is causing code to magically disappear.
By explicitly inlining the code, the aliasing problem evaporates.

Fixes openssl#18225

Backport of openssl#18258 to 1.1.1.

Reviewed-by: Hugo Landau <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#18948)
Avoid problems when the lower 32 bits of time_t roll over by delaying
the cast to integer until after the time delta has been computed.

Reviewed-by: Ben Kaduk <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#19004)

(cherry picked from commit a6cadcb)
Fixes a bug in the cookie code which would have caused problems for ten
minutes before and after the lower 32 bits of time_t rolled over.

Reviewed-by: Ben Kaduk <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#19022)
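
The rollover problem described in the two commit messages above, shown as an added example that is not OpenSSL's code. The function names, the 600-second window constant and the use of `int64_t` in place of `time_t` are assumptions made here; `fresh_wire32` goes beyond the commit text to cover a timestamp stored in only 4 bytes.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_AGE  600                     /* ten minutes, in seconds */
#define ROLLOVER ((int64_t)1 << 32)      /* first value whose low 32 bits are 0 */

/* Early cast: both timestamps are cut to 32 bits before they are compared. */
static int fresh_early_cast(int64_t issued, int64_t now)
{
    uint32_t t = (uint32_t)issued, n = (uint32_t)now;

    if (t > n)                           /* just after rollover n is tiny, t is huge */
        return 0;
    return n - t <= MAX_AGE;
}

/* Late cast: the delta is computed at full width, then range-checked. */
static int fresh_late_cast(int64_t issued, int64_t now)
{
    int64_t delta = now - issued;

    return delta >= 0 && delta <= MAX_AGE;
}

/* Only the low 32 bits were stored: subtracting modulo 2^32 still yields the
 * true age for gaps below 2^32 s, and a future timestamp wraps to a huge age. */
static int fresh_wire32(uint32_t issued_low32, int64_t now)
{
    uint32_t delta = (uint32_t)now - issued_low32;

    return delta <= MAX_AGE;
}

int main(void)
{
    int64_t issued = ROLLOVER - 240;     /* constructed: issued 4 min before rollover */

    for (int64_t now = issued; now <= issued + 720; now += 180)
        printf("age=%3lld early=%d late=%d wire32=%d\n", (long long)(now - issued),
               fresh_early_cast(issued, now), fresh_late_cast(issued, now),
               fresh_wire32((uint32_t)issued, now));
    return 0;
}
```
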
CLA: trivial

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from openssl#19007)

(cherry picked from commit c92c3df)
Fixes openssl#18183.

Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Hugo Landau <[email protected]>
(Merged from openssl#19081)
…a updated

We need to reencode X509_req_info_st if member data updated.

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: David von Oheimb <[email protected]>
(Merged from openssl#18879)
… successful

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: David von Oheimb <[email protected]>
(Merged from openssl#18879)
The IRIX mips64-cpu, n32-abi configurations include SIXTY_FOUR_BIT in bn_ops,
but it is missing from mips64*-linux-*abin32 (which OpenSSL calls
"linux-mips64").  This causes heap corruption when verifying TLS certificates
(which tend to be RSA-signed) with openssl 1.1.1q:

```
nix@oak:~$ /nix/store/4k04dh6a1zs6hxiacwcg4a4nvxvgli2j-openssl-mips64el-unknown-linux-gnuabin32-1.1.1q-bin/bin/openssl s_client -host www.google.com -port 443
free(): invalid pointer
Aborted
```

and a slightly different failure with current HEAD:

```
nix@oak:~$ /nix/store/9bqxharxajsl9fid0c8ls6fb9wxp8kdc-openssl-mips64el-unknown-linux-gnuabin32-1.1.1q-bin/bin/openssl s_client -host www.google.com -port 443
Connecting to 142.250.180.4
CONNECTED(00000003)
Fatal glibc error: malloc assertion failure in sysmalloc: (old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0)
Aborted
```

Applying this patch and recompiling produces the expected output instead of a
crash.

Note that Gentoo (and to my knowledge all other distributions which
support mips64n32) use the `linux-generic32` configuration, which uses only
32-bit arithmetic (rather than full 64-bit arithmetic) and lacks assembler
implementations for the SHA hash functions:

  https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-libs/openssl/files/gentoo.config-1.0.2#n102

For support in nixpkgs we would like to use the full 64-bit integer registers
and perlasm routines, so I'm submitting this upstream as well.

Fixes openssl#19319

CLA: trivial

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Bernd Edlinger <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from openssl#19320)

(cherry picked from commit d250e85)
Reviewed-by: Richard Levitte <[email protected]>
Release: yes
(Merged from openssl#19381)
Reviewed-by: Richard Levitte <[email protected]>
Release: yes
(Merged from openssl#19383)
Reviewed-by: Richard Levitte <[email protected]>
Release: yes
Reviewed-by: Richard Levitte <[email protected]>
Release: yes
This reverts commit 748df18.
Fixes openssl#19388

Reviewed-by: Bernd Edlinger <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#19392)
Also change B< to I< in {CMS,PKCS7}_verify.pod, PKCS7_sign{,_add_signer}.pod

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: David von Oheimb <[email protected]>
(Merged from openssl#19108)

(cherry picked from commit 312a6b3)
Fixes openssl#19460

Reviewed-by: Tim Hudson <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
(Merged from openssl#19461)

(cherry picked from commit 5b9480f)
If rule_str ended in a "-", "l" was incremented one byte past the
end of the buffer.  This resulted in an out-of-bounds read when "l"
is dereferenced at the end of the loop.  It is safest to just return
early in this case since the condition occurs inside a nested loop.

CLA: trivial

Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#19166)

(cherry picked from commit 428511c)
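
The cursor overrun described in the commit message above, modelled as an added example; this is a simplified rule scanner written for illustration, not OpenSSL's parser. The grammar (`[-+!]name` items separated by `:`), the function names and the `skip_bad_byte` switch are assumptions; only the cursor name `l` follows the message.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Scan one rule ([-+!]name) at *l; return the name length and leave *l on
 * the first byte after the name. */
static size_t scan_rule(const char **l)
{
    size_t len = 0;

    if (**l == '-' || **l == '+' || **l == '!')
        (*l)++;                          /* consume the operator */
    while (isalnum((unsigned char)**l)) {
        (*l)++;
        len++;
    }
    return len;
}

/* Return the cursor offset at which parsing stops; *ok is 0 on a bad rule.
 * skip_bad_byte=1 models "step over the bad byte and carry on",
 * skip_bad_byte=0 models returning early. */
static size_t parse_rules(const char *s, int skip_bad_byte, int *ok)
{
    const char *l = s;

    *ok = 1;
    while (*l != '\0') {
        if (*l == ':') { l++; continue; }    /* separator */
        if (scan_rule(&l) == 0) {            /* operator with no name after it */
            *ok = 0;
            if (skip_bad_byte)
                l++;     /* if the string ended in "-", this steps over the NUL */
            return (size_t)(l - s);  /* looping on *l from here would read out of bounds */
        }
    }
    return (size_t)(l - s);
}

int main(void)
{
    int ok;
    const char *s = "AES:-";             /* constructed input ending in "-" */

    printf("len=%zu skip=%zu early-return=%zu\n", strlen(s),
           parse_rules(s, 1, &ok), parse_rules(s, 0, &ok));
    return 0;
}
```

The invariant worth asserting in a fuzz harness is that the returned offset never exceeds `strlen(s)`.
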
SYS$GETTIM_PREC is a very new function, only available on OpenVMS v8.4.
OpenSSL binaries built on OpenVMS v8.4 become unusable on older OpenVMS
versions, but building for the older CRTL version will make the high
precision time functions unavailable.

Tests have shown that on Alpha and Itanium, the time update granularity
between SYS$GETTIM and SYS$GETTIM_PREC is marginal, so the former plus
a sequence number turns out to be better to guarantee a unique nonce.

Fixes openssl#18727

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Hugo Landau <[email protected]>
(Merged from openssl#18730)
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Richard Levitte <[email protected]>
(Merged from openssl#19558)
Reviewed-by: Richard Levitte <[email protected]>
Release: yes
(Merged from openssl#19560)
Reviewed-by: Richard Levitte <[email protected]>
Release: yes
@baentsch baentsch marked this pull request as ready for review November 18, 2022 19:25
@baentsch baentsch merged commit 63b48cd into OQS-OpenSSL_1_1_1-stable Nov 21, 2022
@dstebila dstebila deleted the mb-111s branch July 12, 2023 17:10

Development

Successfully merging this pull request may close these issues.

Upgrade to OpenSSL 1.1.1s