AmiSSL version defines mismatches #64
Comments
|
I'm not sure what you mean by "to successfully use AmiSSL 4.0-4.2, InitAmiSSLMaster() must be called with version 0x06, else it fails". Which version of amisslmaster.library is installed when it fails? Actually, if you specify 0x06, that doesn't mean you get 4.0 - any newer compatible version will be opened instead. That means it tries to open 4.12 first, then 4.11 and so on down to 4.0. The reason I moved away from a constant AMISSL_V11x is because, for example, if a program compiled with the 4.2 SDK and used newly added functions in 4.2 (from OpenSSL 1.1.0e), that program would crash on any system with 4.0 (OpenSSL 1.1.0c) or 4.1 (OpenSSL 1.1.0d) installed and not 4.2. It became a bigger issue with 4.3 (OpenSSL 1.1.1a) because that is when TLS 1.3 was first supported and programs built with 4.3 were even more likely to crash on systems with only 4.0-4.2 installed. The only solution was to move back to the AmiSSL v3 concept and ensure every AmiSSL release gets a unique version number, when the OpenSSL version was updated. That way amisslmaster.library can always correctly choose the correct compatible version. Backwards compatibility was not affected by these changes. Really, it is only safe to use AMISSL_CURRENT_VERSION - I often think about removing AMISSL_V11x, and similar, completely. It was originally left in for backwards compatibility. It should maybe be removed from AmiSSL v5 because it would be wrong to specify AMISSL_V11x when using the AmiSSL v5 SDK (you don't want to compile an application for OpenSSL 3.0 and end up opening OpenSSL 1.1.x - it will probably crash!). |
I was using a separate install of AmiSSL 4.0, 4,1 or 4.2. So no combo-install in that case and those versions of amisslmaster.library. I am guessing that a newer (4.3+) amisslmaster.library would give you the corresponding amissl.library for AmiSSL 4.0 if you call InitAmiSSLMaster() with version 0x07? Anyway, what I am getting at is that if you only have AmiSSL 4.0 with its old amisslmaster.library you can't call InitAmiSSLMaster() with version 0x07, but need to use 0x06. Maybe this is an irrelevant issue, don't know why someone would want to be using these old AmiSSL versions. For some background: the functionality I need (basic http/https/gemini client), every function was already present in OpenSSL 1.1.0d of AmiSSL 4.0, so it actually works the whole span from 4.0-5.3 without recompiling... if I call InitAmiSSLMaster with version 0x06 of course to get the 4.0-4.2 installations working. Walking a thin line perhaps :D. |
|
Ok, I understand your issue now - it is a pretty complex subject. If you want to maintain a minimum AmiSSL version requirement in any application, which is fine, it is always recommended to use the SDK from that version (same as AMISSL_CURRENT_VERSION). So, that means using the AmiSSL 4.0 SDK for you. As you say, this means your application will then be able to use 4.0-4.12 depending on what the user has installed (it will never use 5.1+ though). That said, I've been guilty of specifying AMISSL_v111d to InitAmiSSLMaster() when using a newer SDK, in IBrowse. It is kind of safe to do that, albeit not recommended, if you can be sure nothing in the newer SDK will cause the application to crash with an older AmiSSL version. A prime example is when the OpenSSL team replace an older function with a macro redirecting to a new function - this would cause an application to crash if you passed an older version than AMISSL_CURRENT_VERSION, even though you made no changes to your own code. I perhaps should have left AMISSL_V11x set to 0x06, but I changed that to AMISSL_V111c and then AMISSL_V111d to force those as minimum versions. For AmiSSL v5, I think it is going to be best to phase AMISSL_V11x out completely (remove it or define it as AMISSL_CURRENT_VERSION instead) as it is completely unsafe to specify a v4 version to InitAmiSSLMaster() using the v5 SDK. I understand Jens' original intention to use AmiSSL_V11x to load any available 4.x version, due to the OpenSSL ABI remaining backwards compatible in OpenSSL 1.1.x. It would have made things easier to update and a little cleaner. However, as indicated in my previous reply, it gave amisslmaster.library no power to pick and choose specific 4.x versions. This was a critical oversight as it was required to handle what happens when applications use newer OpenSSL functions added to newer 4.x versions. For example, if you were to use an newer OpenSSL tool with only older AmiSSL libraries installed, which would overwise crash. It is similar to AmigaOS - if you want to use newer functions available in a V47 library, you must ask for V47 as a minimum, not V40 (if using AmiSSL 4.0-4.2 approach, even if you asked for V47, the OS would allow V40 to be opened instead if V47 was not present - a certain crash if using functions added to V47). Changing the version numbering in 4.3 was the only real option. The flipside of the applications maintaining an old minimum version of AmiSSL is that if the user doesn't bother to update AmiSSL they miss out on OpenSSL bugfixes and other AmiSSL improvements. For example, 4.3 was a big step for 68060 users and it also added TLS 1.3 support - it would probably be a good idea to force 4.3 as a minimum (well, 4.4 now due to mistakes I unfortunately made with 4.3!). When applications are updated, if they are always built with the latest AmiSSL SDK, not only does it mean that application gets to use the latest AmiSSL, all other existing applications built using older versions will automatically get upgraded to the latest AmiSSL too (that applies to 4.0-4.12 separately to 5-1-5.3 of course). I could probably write a whole essay on more pros and cons, but ultimately it is best to always use AMISSL_CURRENT_VERSION and if you want to keep an old minimum version, always use the matching SDK version. If you want an application to use 4.0-4.12, there is no need to update the SDK to anything newer than 4.0. If you want to use 5.1, you'll need to recompile using the 5.1 SDK. |
|
Thanks for going into details, very interesting. I would indeed say that I am walking a thin line then with no functions being turned into macros or changed otherwise. So I started using the 4.12 SDK in my project and still is, also when using 5.x 😁. To use 5.x, I do like this:
Apart from that, my code is the same as when I only used 4.12 and this works, but I guess then only because I am lucky that the OpenSSL functions I am using have not changed:
|
|
Aha, that's quite clever - hope you're using SSL_free() too 😉. Just as well I didn't really mess with the <= 4.12 library jump table for 5.1, in terms of not moving functions about, and left the deprecated OpenSSL stuff in. Deprecated function entry points in the jump table will still work and use the newer function. This was with the full intention of originally allowing applications built with 4.x to auto upgrade to 5.x, as usual - IBrowse worked fine like that during testing. I had to abandon that idea mainly due to some changes in the public OpenSSL structures and a few changes in existing API functions (int32 changing to int64, for example). I probably could have patched around everything, but it would become a nightmare to maintain, plus I could never be 100% sure that I had patched everything (due to the heavy macro usage in the OpenSSL includes that define certain functions and structures). There is also the fact that InitAmiSSLMaster() is deprecated too in v5 (actually, the new OpenAmiSSLTags() uses it internally 😄). Probably you will be safe to continue like this, at least until OpenSSL 3.1. |
Futaura
added a commit
that referenced
this issue
Feb 7, 2023
31157bc0b46 Prepare for release of 3.0.8 8c0eaeaf7c6 make update 2a4b68ef012 Update copyright year 2ad99281707 Internaly declare the DSA type for no-deprecated builds 071e702aec8 Add CHANGES.md and NEWS.md entries for the 3.0.8 release a0f2359613f Add testcase for missing return check of BIO_set_md() calls d3b6dfd70db pk7_doit.c: Check return of BIO_set_md() calls 2f7530077e0 CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (3.0) 7e371855829 Add test for DSA pubkey without param import and check fab4973801b Do not create DSA keys without parameters by decoder c1b4467a7cc Prevent creating DSA and DH keys without parameters through import 23985bac83f Fix NULL deference when validating FFC public key. 67813d8a4d1 Add test for d2i_PKCS7 NULL dereference 934a04f0e77 Do not dereference PKCS7 object data if not set f596ec8a6f9 Check CMS failure during BIO setup with -stream is handled correctly 8818064ce3c Fix a UAF resulting from a bug in BIO_new_NDEF cbafa34b5a0 Add a test for CVE-2022-4450 63bcf189be7 Avoid dangling ptrs in header and data params for PEM_read_bio_ex 8e257b86e58 Fix Timing Oracle in RSA decryption fe6842f5a5d Add testcase for nc_match_single type confusion c927a349269 Fix type confusion in nc_match_single() 36d85b02cef doc/man1/{storeutl,gendsa}: point out that extra options/arguments are ignored 77f29142b26 Fix incomplete check on EVP_CIPHER_param_to_asn1() 28b78f39560 Use $config{build_file} instead of $target{build_file} 0f67990573f Fix a potential memory leak in crypto/provider_child.c 45e6a974736 BIO_read.pod: fix small typo d36b0450d9d Do not include sparse_array.o in libssl with no-shared 5a1b22fc2e6 Avoid duplicating symbols in legacy.a with some build options 721aca05df2 Fix incomplete check on X509V3_add1_i2d() 39bc59bc83c ChaCha20-Poly1305 no longer supports truncated IV's. da6d4180526 coverity 1520506: error handling 2680cd25ed0 coverity 1520505: error handling 3a0bbaba732 Add notes about ignoring initialization failures on contexts a47eff38d7e Document that the RSA e value is mandatory when importing. d646730b89c Fix Coverity 1520485: logically dead code 84eace37362 Clarify the change of enc -S behavior in 3.0 9c92c4917e1 Fix incomplete checks for EVP_CIPHER_asn1_to_param ce7193b1233 OSSL_trace_set_channel(): add important statement that it takes BIO ownership a478dd11e9e set_trace_data(): prevent double free on OPENSSL_strdup() failure a3dd46d2c63 Fix corruption when searching for CRLs in hashed directories ae0f54d3005 Add DTLS support to the large app data test ecafcd8ad35 Ensure our buffer allocation allows for the Explicit IV 6960fb03d58 Add a test for large app data 299f096ff39 MD5.pod: Recommend SHA-2 or SHA-3 family hashes instead of legacy ones 5f77f91a42f X509_V_ERR_INVALID_PURPOSE: fix misleading text; Fix omission in X509_VERIFY_PARAM_clear_flags doc add42e0b3b5 cmp_client.c: fix handling of total_timeout for RR and GENM transactions 538682c62ac cmp_client_test.c: add tests for end_time being initialized for RR/GENM de3b3c9c04e CMP docs: clarify behavior on message/total timeout values given 780e7b11a54 Fixes wrong return type in BIO_do_connect man page. 846d5099f3c Fix incorrect check on RAND_bytes_ex() in generate_q_fips186_4() f45c6033ceb Padlock: fix byte swapping assembly for AES-192 and 256 36d03d2f05a Add link to EBNF definition 9db21bebd18 Add negative test for unquoted property string 5aa0554ac37 Correct property EBNF for unquoted strings b9097b0c3b0 Fix incorrect error return value in i2r_ADMISSION_SYNTAX() 60c19d0d61d Fix potential NULL pointer dereference e594a9b7605 Clarify documentation of X509_STORE_CTX_get_current_cert() 46d4cb4d8f1 pkey: Imply public check if -pubin is specified 5701ead8f20 Bump actions/setup-python from 4.4.0 to 4.5.0 d6220d1b7f6 Documenting lack of error codes stability e6b1586ea2b Limit size of modulus for bn_mul_mont and BN_mod_exp_mont_consttime 54eb24982b6 Revert "Limit size of modulus for BN_mod_exp_mont_consttime()" 18308d6616c SSKDF with KMAC should return SIZE_MAX when EVP_KDF_CTX_get_kdf_size() is used. 757fd35182b fix manpage of `d2i_X509(3)` d92a5da5ae2 Do not check definition of a macro and use it in a single condition 1932e595c80 OSSL_PARAM_BLD and BIGNUM; ensure at least one byte is allocated f51b4ebb079 In OSSL_PARAM_set_BN(), make sure that the data_size field is at least 1 5601648e91d test/param_build_test.c: test zero BIGNUM 7b807ad6eaa Add testcase for OSSL_trace_set_callback() 318a27d4e9a Avoid ifdefs in trace categories b4419635c99 test/trace_api_test.c: fix gcc error on -Werror=strict-prototypes 5c6936e92df Add tests for trace_api. 2f2176dc8d3 Doc: Update history section of EC_GROUP API's. accd85ce7cd Documentation for EVP_PKEY_CTX_get0_pkey() and EVP_PKEY_CTX_get0_peerkey(). b9b411be841 info.c: Fix typos in seed macro name and description string 4f46ff14bec rsaz_exp_x2.c: Remove leftover from broken cherry-pick e3a9668e48b Revert "rsaz_exp_x2.c: Remove unused ALIGN64 macro" 2a57a117a2e rsaz_exp_x2.c: Remove unused ALIGN64 macro dcde8ea8c46 rsaz_exp_x2.c: Avoid potential undefined behavior with strict aliasing 842311ae30b Revert "Fix an occasional CI failure due to unaligned access" 6f252dd632a BIO_s_dgram: add documentation and hazard warnings 0a69ca8f635 Avoid possible divide by zero 5b449de0f0a 80-test_cms.t: Fix rsapssSaltlen check on MinGW 7736379c5c0 Cleanse internal BN_generate_dsa_nonce() buffers used to generate k. 1bd53640a2a Bump actions/setup-python from 4.3.1 to 4.4.0 46cf94e5e6e INSTALL.md: Remove trailing space 4a8e7e27649 Docs: Move deprecated ECDSA_ functions into a separate file. 12f64521194 Change HKDF to alloc the info buffer. 053e06bd050 ec_kmgmt.c: check the return of BN_CTX_get() in time. f0bbb25f348 INSTALL.md: Fix typo b65285ba438 Add Demos for DSA params/DSA keygen. b49d8da7745 Fix possible UB in init_info_strings 00323667e3b Add a CMS test for a bad encryption algorithm e979d9aaf5f Ensure ossl_cms_EncryptedContent_init_bio() reports an error on no OID a923d9bbb52 Fix BIO_f_asn1() to properly report some errors 0a3eeb3346d Fix SMIME_crlf_copy() to properly report an error 1619478374f Fix BIO_f_cipher() flushing 36d6ebad8f6 Update pyca-cryptography submodule to 38.0.4 999509c235a Honor OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT as set and default to UNCOMPRESSED 6651044b4d8 Fix a logic flaw in test_mod_exp_zero c935b89f285 Raise the KMAC limits for key and custom size to 512 bytes 0a229aec0a5 Update FIPS related build instructions. 4ae8fe6cc8d Refine the documents of several APIs 75fa52ddc97 Update HMAC() documentation. 5ba39c0bf79 Fix FIPS Provider compat CI of 3.0 libcrypto with 3.2 FIPS provider 878b00aa336 Coverity: fix 272011 resource leak 53c643f67fe Fix openssl storeutl to allow serial + issuer f92b294563b Make error reason for disallowed legacy sigalg more specific bb3a931f867 crypto/err: expand on error code generation 353521b7720 Run-checker merge CI: Memleak test does not work without ubsan 921e19c20aa Revert "Run-checker merge CI: Replace no-shared with no-modules" 4343b2923ac unbuffer stdin before get passwd from stdin 17bd383dd21 Obtain PSS salt length from provider 39fcc351c2c Run-checker merge CI: Replace no-shared with no-modules bc136fd386b Cross compiles CI: Disable stringop-overflow warning on s390x and m68k 8face2721b7 Fuzz checker CI: Use more generic include dir for fuzzer includes 42cd898bd30 Bump actions/setup-python from 4.3.0 to 4.3.1 c438de07c00 Fix `no-ec enable-ktls` build 6fbbb53477a test: add test case for deadlock reported in #19643 7725e7bfe6f x509: fix double locking problem 9a5c884999a cmp_vfy_test.c: fix name OSSL_CMP_CTX_set0_trusted{,Store} f6fdbe63c7c OSSL_CMP_validate_msg(): make sure to reject protection type mismatch c919280f793 Replace some boldened types with a corresponding man page link 2365be29764 Move the description of the core types into their own pages a0564dc8553 Better sorting of util/other.syms f60dfe81847 Fix treatment of BUILD_METADATA f15d23e2f9e Replace "a RSA" with "an RSA" 544758738da Fix the check of BIO_set_write_buffer_size and BIO_set_read_buffer_size 18e45bd9ead Fix the check of EVP_PKEY_decrypt_init 5812a2d282a Fix the checks in rsautl_main 17345cf10f9 doc: fix EVP_SignInit.pod e3ce39ab344 Clarify the EVP_PKEY_decrypt manual page d4394159918 cmp_client_test.c: add tests for OSSL_CMP_CTX_get_status d1aa7d11363 doc: fix location of AES-SIV ciphers e2758d1a39e Fix occasional assertion failure when storing properties 0e4c201cb88 Drop incorrect skipping of some evp_test testcases with no-gost ff2f8c81a08 Add test for EVP_PKEY_Q_keygen ac591bf69e6 Fix typos in doc/man3/EVP_EncryptInit.pod e7a7aa78348 When using PEM_read_bio_PrivateKey_ex() the public key is optional e2cf3852733 add missing OSSL_CMP_CTX_reset_geninfo_ITAVs() function 27a09e77667 add missing OSSL_CMP_CTX_reset_geninfo_ITAVs() function 2c65de46785 OSSL_CMP_CTX_reinit(): fix missing reset of ctx->genm_ITAVs 327e968c336 CMP: fix gen_new() in cmp_msg.c checking wrong ITAVs 79701dea429 Fix typo in openssl-x509.pod.in 1c8b17358fe Add SM2 support for EVP_PKEY_Q_keygen f2784497264 CMP: fix handling of unset or missing failInfo PKI status information 69d3c81ca5c CMP: fix status held in OSSL_CMP_CTX, in particular for genp messages c28c2e0c7e6 Fix coverity issues in X509v3_addr f35a4be939a Add missing HISTORY sections for OpenSSL 3.0 related documents. 5ac7cfb5621 Add doc for EVP_ASYM_CIPHER-RSA and clean up OSSL_PROVIDER-FIPS.pod. 07f21b22ca9 evp_extra_test2: Test DH param checks with non-NULL libctx 2bc3854a6cf DH_check[_params]() use libctx of the dh for prime checks 9aa9d6a9426 ParseC.pm: gracefully handle DOS-style end-of-line in source files 3e0a1c2c18b Add test to confirm IPAddressFamily_check_len catches invalid len 17af63c1df8 Catch incorrect IPAddressFamily lengths 56de1f3ce3d Drop explicit check for engines in opt_legacy_okay b67935515ed Fix the check of EC_GROUP_check_named_curve e29ea41f6d5 apps/speed.c: fix the wrong checks eb153d04294 Add documentation for CPUID bit #64+17 17d20f6159a Add test for EVP_PKEY_eq 38066a07e09 Update documentation for keymgmt export utils aeb80f63d44 Propagate selection all the way on key export d163bd08bb9 apps/ocsp.c: Add missing test if make_ocsp_response failed c3e8128befa fipsinstall test: skip PCT DSA signature test for new providers 00cd0627252 test: add two comparision options to fips version test utility code bb0190e8a4d Use the same encryption growth macro consistently 1aef13c0bdb apps/speed.c: add verifying if fdopen returns NULL 511d8c0fb0e Resign test/certs/rootCA.pem to expire in 100 years 2f27b9363e8 Update the validity period of ed25519 cerificates b697ae10287 Add test for generating safeprime DH parameters 0f68f59dd45 Use libctx when generating DH parameters 2fee530c86d pem: avoid segfault if PKEY is NULL in PEM_write_bio_PrivateKey 60d391b6f01 pem: fix a memory leak in PEM_write_bio_PrivateKey_traditional b8a5adf3ec4 Limit size of modulus for BN_mod_exp_mont_consttime() d0f8056c47f Release the drbg in the global default context before engines aa97297427f Add a test case for the engine crash with AES-256-CTR e285a0b5a0e fips-label.yml: Fix the script after actions/github-script upgrade 6feff2e59df Fix PACKET_equal test with BUF_LEN+1 on -Wstringop-overread f3aa51d6347 Fix documentation for some i2d return values. 424c9521182 Test that signatures using hash name commands work properly 03c5381b41d apps/dgst.c: Set digestname from argv[0] if it is a builtin hash name 76962505be6 Check for private key existence before calling eddsa sign functions 22530d31789 crypto/sha/asm/sha512-ia64.pl: When checking assembler file names, ignore case 4aabade09f9 Configurations/*.tmpl: overhaul assembler make rules. 7343f687705 Update GitHub actions as suggested by dependabot de45fecf8ae Coverity 1516624: Fix overrun memory access. f8e6dda7b7c Fix the ceiling on how much encryption growth we can have c5bc976d9a0 providers/common/der/oids_to_c.pm: Remove use of Data::Dumper 716712f378f Potential null pointer reference 7bfbf68ad04 Prepare for 3.0.8 git-subtree-dir: openssl git-subtree-split: 31157bc0b46e04227b8468d3e6915e4d0332777c
Futaura
added a commit
that referenced
this issue
Mar 14, 2023
a92271e03a8 Prepare for release of 3.1.0
33fd20b5d7a make update
cb224f4e27b Update copyright year
f02e5cd6067 Fix aarch64 signed bit shift issue found by UBSAN
1beb33bda63 fips: Use salt >= 16 bytes in PBKDF2 selftest
6a0a3fee222 Add option to FIPS module to enforce EMS check during KDF TLS1_PRF.
5b2fe0ba65b DOCS: provider-keymgmt(7) - params for EVP_PKEY_get_default_digest_{name,nid}()
aa7f2efcf8a Improve the performance of EVP_PKCS82PKEY_ex
3a272c1ef56 Fix cast.
493ab45169d Fix typo in base provider example code
0937c01f2e0 Coverity 1521557: Error handling issues
2bb9e445209 Add sections that were missing
f118ab321ad Fix FFC mdprop setting bugs.
2022b9e761f Fix potential infinite loops in ECDSA signing.
dda8b03284a Fix infinite loops in DSA sign code.
3d896a18277 ec: Use .machine "any" explicitly in ecp_nistp521-ppc64
97b926c852a Update FIPS provider documentation to note that fips=yes is mandatory
cdcb9c76bdd Disable atomic refcounts with no-threads
b175e870e97 Fix incomplete error check on RSA_public_decrypt()
de80517c640 Fix incomplete error check on ASN1_item_i2d()
b7f3b7d8aba Document the list of RAND algorithms in the default and fips providers.
1b9b1d5ad6a Add provider pre-fetching documentation
b4ac0bfc320 Add documentation for "NULL" cipher and digest algorithms.
da30fd892e2 CMS_decrypt_set1_*(): fix NULL deref on unsuitable content type
b2df2651dfc CMS_decrypt_set1_*(): remove misleading error queue entry when recipient mismatch was not the issue
540e4388bc9 CMS_decrypt_set1_password(): prevent mem leak on any previously set decryption key
d4a8a5307b5 CMS_decrypt*(): fix misconceptions and mem leak
3c8cee20650 CMS_add0_cert.pod: remove wrong text on duplicate CRLs; small further improvements
913020e7aba CMS_add1_crl(): prevent double free on failure of CMS_add0_crl()
2c4b1c7b7b0 Do not have more data in a pipeline than the split_send_fragment
89ed54456ec Update the pipelining docs
1d06598f0e9 Fix read pipelining
df9c7ceefef Pipeline output/input buf arrays must live until the EVP_Cipher is called
24c7d367b61 Add a test for TLS pipelining
a92dd651abf Skip subdirectories in SSL_add_dir_cert_subjects_to_stack()
b14928611b0 Fixes #20278: Fixed double free bug in crypto/http/http_client.c
0c51788e31e Fix potential NULL pointer dereference in function evp_pkey_asn1_ctrl
73b0126150b update documentation to note that EdDSA is not FIPS approved
098e655e212 update changes entry to note EdDSA is not FIPS approved
a4720e98904 Revert "Put EdDSA back as approved algorithms."
ed8d2c9948f Add a test for no initialisation of the default config file
ba8e2074fe3 Only call OPENSSL_init_crypto on fetch if using the default libctx
a57ab43975d Document return value of OSSL_DECODER_from_data
d1e1a8feeb7 Fix incorrect error branch in ossl_bn_rsa_fips186_4_derive_prime()
cae7b99285e Fix failing cms test when no-des is used
3da073c405e openssl-3.0#20290: Fixed typo in "config" man page
2f32721db4e kbkdf: Fix kbkdf_dup function pointer type
67315e59a1d Use of sparse_array.c only in the shared libssl
e10bbf112e0 OSSL_CMP_certConf_cb(): fix regression on checking newly enrolled cert
440bc71b543 Correct a copy&paste error in a link URL
dbb1d378977 Sync CHANGES.md and NEWS.md with 3.0.8 release
c062097bf3e rsa: add msvc intrinsic for non x64 platforms
9b4015eccca Add /test/timing_load_creds to gitignore
fba38088640 Fix the return values of the aarch64 unroll8_eor_aes_gcm_*_*_kernel functions
13ca68791ff Fix BIO_set_indent() check
cf3cf2ba81f Fix incomplete BIO_dup_state() error check
a5a3532ab0e Fix incomplete check on CMS_SharedInfo_encode
b887310c59b Fix error check on default_check() helper function
9b77bd92f89 Fix incomplete error check on BIO_set_md()
e80518db6d5 Document limits on static and dynamic linking for HPE NonStop platforms.
4cfae921af8 Fix a potential memory leak in apps/s_server.c
510e4935ca7 Fix incomplete error check on BIO_set_accept_name()
2175054e320 ci: Add djgpp build
b0e596cd254 des: prevent error when using two key triple DES with a random key
c99faac4f1b Internaly declare the DSA type for no-deprecated builds
77ca40dcd5d remove EdDSA from changes entry about non-fips algorithms
58f28b402a1 doc: remove EdDSA from list of non-FIPS algorithms.
b1ef927c92a Put EdDSA back as approved algorithms.
84358a87be2 Add testcase for missing return check of BIO_set_md() calls
4561dc7972a pk7_doit.c: Check return of BIO_set_md() calls
84d85fcabd6 CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (3.0)
de4e3868de2 Add test for DSA pubkey without param import and check
b2dc025d149 Do not create DSA keys without parameters by decoder
9ce43690cee Prevent creating DSA and DH keys without parameters through import
6e0760302b4 Fix NULL deference when validating FFC public key.
c05921c4b83 Add test for d2i_PKCS7 NULL dereference
fc173dc3105 Do not dereference PKCS7 object data if not set
ae72afd0281 Check CMS failure during BIO setup with -stream is handled correctly
16f263d7ad3 Fix a UAF resulting from a bug in BIO_new_NDEF
de3ab47deb9 Add a test for CVE-2022-4450
7e1d8445b57 Avoid dangling ptrs in header and data params for PEM_read_bio_ex
8022a4799fe Fix Timing Oracle in RSA decryption
e2d0a3b5f55 Add testcase for nc_match_single type confusion
4679cfce391 Fix type confusion in nc_match_single()
b767b00c81a Fix typo in Ordinals.pm from PR #14074
b85a1f13d6d doc/man1/{storeutl,gendsa}: point out that extra options/arguments are ignored
63176a011b6 Fix incomplete check on EVP_CIPHER_param_to_asn1()
b0bd7a28e8b Use $config{build_file} instead of $target{build_file}
26328e53b04 Fix a potential memory leak in crypto/provider_child.c
008d81694d5 BIO_read.pod: fix small typo
984d28b9fe1 Do not include sparse_array.o in libssl with no-shared
58e8162e73d Avoid duplicating symbols in legacy.a with some build options
c122d15039a [doc] Sync documentation now that 3.0 honors OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT
f526461da3b Fix incomplete check on X509V3_add1_i2d()
f006e27ff02 Workaround crash in atexit on NonStop platforms
b4120a155ba ChaCha20-Poly1305 no longer supports truncated IV's.
00e8275a8e4 coverity 1520506: error handling
4476dcaf9fd coverity 1520505: error handling
c6a7b7bebaf Add notes about ignoring initialization failures on contexts
3100e52ebad Document that the RSA e value is mandatory when importing.
16897205581 Fix Coverity 1520485: logically dead code
0c76c217b7c Revert "CI: cross-compile: riscv: Add RV64 machine with Zb* and Zk*"
67374d8c5c7 Clarify the change of enc -S behavior in 3.0
27675857653 Fix incomplete checks for EVP_CIPHER_asn1_to_param
c46385e996f test: note that a default property query must be included for FIPS validity
d702d0144f8 changes entry about non-approved FIPS algorithms
6f09571af0e Put X25519 and X448 back as approved algorithms
12d2997109f fips: document that the EdDSA algorithms are not-validated
f0af262bd8d OSSL_trace_set_channel(): add important statement that it takes BIO ownership
4700b80d7c6 set_trace_data(): prevent double free on OPENSSL_strdup() failure
2c83dedef6a CI: cross-compile: riscv: Add RV64 machine with Zb* and Zk*
27527f230cd CI: cross-compile: Allow to set CPU capabilities
538358abc9f Fix corruption when searching for CRLs in hashed directories
d36a9d66dc7 Add DTLS support to the large app data test
3be93f1b264 Ensure our buffer allocation allows for the Explicit IV
5e73bf03d78 Add a test for large app data
ba8159638bc MD5.pod: Recommend SHA-2 or SHA-3 family hashes instead of legacy ones
21c06d4ac98 X509_V_ERR_INVALID_PURPOSE: fix misleading text; Fix omission in X509_VERIFY_PARAM_clear_flags doc
605a13842ac cmp_client.c: fix handling of total_timeout for RR and GENM transactions
bf277d54f93 cmp_client_test.c: add tests for end_time being initialized for RR/GENM
de107d4c94b CMP docs: clarify behavior on message/total timeout values given
de1ce231ab3 Fixes wrong return type in BIO_do_connect man page.
c167983269e Fix incorrect check on RAND_bytes_ex() in generate_q_fips186_4()
f9abf587747 Padlock: fix byte swapping assembly for AES-192 and 256
7b662e0fc7a Add link to EBNF definition
3107aafad2e Add negative test for unquoted property string
f60b1239cfd Correct property EBNF for unquoted strings
fe89566149f Fix incorrect error return value in i2r_ADMISSION_SYNTAX()
05040e96971 Fix potential NULL pointer dereference
16129bf1b84 Clarify documentation of X509_STORE_CTX_get_current_cert()
9d0de908ec1 pkey: Imply public check if -pubin is specified
281c6b4a785 s390x: Fix keccak xofs via CPACF
a419d3aa8d0 Fix big-endian issue in chacha20 SVE implementation on aarch64
c9d7c0b349b Bump actions/setup-python from 4.4.0 to 4.5.0
7f7918e9244 Documenting lack of error codes stability
5ed42a26dac Limit size of modulus for bn_mul_mont and BN_mod_exp_mont_consttime
ada7f2258ea Revert "Limit size of modulus for BN_mod_exp_mont_consttime()"
f70ef016b2b fips: make EdDSA unapproved for FIPS
c6fc9f75814 SSKDF with KMAC should return SIZE_MAX when EVP_KDF_CTX_get_kdf_size() is used.
6828d87b93f fix manpage of `d2i_X509(3)`
e72a0ab363e Do not check definition of a macro and use it in a single condition
e33c37aead7 OSSL_PARAM_BLD and BIGNUM; ensure at least one byte is allocated
fcc224a3c5c In OSSL_PARAM_set_BN(), make sure that the data_size field is at least 1
2b7b7eebf9b test/param_build_test.c: test zero BIGNUM
3d63177fac7 Add empty migration guide for 3.1
84292823699 Doc: Update history section of EC_GROUP API's.
92990ab3597 Documentation for EVP_PKEY_CTX_get0_pkey() and EVP_PKEY_CTX_get0_peerkey().
a8e8afe885b info.c: Fix typos in seed macro name and description string
49f2bc922fa rsaz_exp_x2.c: Remove unused ALIGN64 macro
df073dd603c rsaz_exp_x2.c: Avoid potential undefined behavior with strict aliasing
9470c182834 Revert "Fix an occasional CI failure due to unaligned access"
b21e82f62ac Fix SM4 test failures on big-endian ARM processors
69e18a4d93e BIO_s_dgram: add documentation and hazard warnings
8c29e5ebfd5 Avoid possible divide by zero
cbae8a5fc40 80-test_cms.t: Fix rsapssSaltlen check on MinGW
98fa15347ea Cleanse internal BN_generate_dsa_nonce() buffers used to generate k.
de87b146c43 Bump actions/setup-python from 4.3.1 to 4.4.0
eebdca29004 INSTALL.md: Remove trailing space
73e4007ad67 Docs: Move deprecated ECDSA_ functions into a separate file.
129c41906b9 Change HKDF to alloc the info buffer.
63549494c89 ec_kmgmt.c: check the return of BN_CTX_get() in time.
9f78288f15b INSTALL.md: Fix typo
6a4bda0cbf6 Add Demos for DSA params/DSA keygen.
85f172a5156 Fix possible UB in init_info_strings
cdc23b16bb5 Add testcase for OSSL_trace_set_callback()
e1f09938ca6 Avoid ifdefs in trace categories
0c5fe6e4e74 Add a CMS test for a bad encryption algorithm
cc122995d1f Ensure ossl_cms_EncryptedContent_init_bio() reports an error on no OID
903e96599b5 Fix BIO_f_asn1() to properly report some errors
6259cf34eab Fix SMIME_crlf_copy() to properly report an error
54b5aeb94c3 Fix BIO_f_cipher() flushing
92d86b387ea Fix a logic flaw in test_mod_exp_zero
cb6bd940310 Prepare for 3.1 beta 2
84ae1c1fb94 Prepare for release of 3.1 beta 1
06444ab2e38 make update
19e1bc0e97d Update copyright year
c75203021bd Add CHANGES.md entry for support for KMAC in KBKDF
f39d181c470 Update FIPS related build instructions.
e6852268066 Refine the documents of several APIs
4e98cb5733a Update HMAC() documentation.
b46d2209691 Fix FIPS Provider compat CI of 3.0 libcrypto with 3.2 FIPS provider
a92a0097d07 Add KMAC support to KBKDF.
47dec02433a timing_load_creds requires POSIX1.2001 due to rusage
0756e7a4016 Coverity: fix 272011 resource leak
f1b104953af timing_load_creds: Fix typos in the timersub macro
5c92ac52c28 Do not build P10-specific AES-GCM assembler on AIX
cdcc439aa0a Do not build P10-specific Chacha20 assembler on AIX
cda5515a5ef CHANGES.md: Fix the 3.0.7 release date
28864841616 Fix openssl storeutl to allow serial + issuer
4d2d39c9609 Make error reason for disallowed legacy sigalg more specific
2f05fe946bc Fix SM4-CBC regression on Armv8
b018b05d6bf crypto/err: expand on error code generation
c153dd8a254 Run-checker merge CI: Memleak test does not work without ubsan
a800b7adbee Revert "Run-checker merge CI: Replace no-shared with no-modules"
c3f24a0390d OSSL_CMP_validate_msg(): make sure to reject protection type mismatch
4d4b5e10c28 unbuffer stdin before get passwd from stdin
db2fc00945b signature: Clamp PSS salt len to MD len
fea151a24de Obtain PSS salt length from provider
3956fc91afc Run-checker merge CI: Replace no-shared with no-modules
b23521c40ab Cross compiles CI: Disable stringop-overflow warning on s390x and m68k
a09f6a10e8c Fuzz checker CI: Use more generic include dir for fuzzer includes
843b0524eb7 Bump actions/setup-python from 4.3.0 to 4.3.1
c69ac438306 Fix `no-ec enable-ktls` build
d2cdcb663e6 test: add test case for deadlock reported in #19643
1adc6dbdb8f x509: fix double locking problem
31240c1a53a Replace some boldened types with a corresponding man page link
e921c278aaa Move the description of the core types into their own pages
2e1ec27bca3 Better sorting of util/other.syms
3aad04a0286 Fix treatment of BUILD_METADATA
25b0b217220 djgpp: Fix unused-but-set-variable warning
afec90df259 Fix warnings with unsigned time_t
2a210032983 Define threads_lib.c functions only for OPENSSL_SYS_UNIX
f7ff0d34f29 Cast socklen_t to size_t in assert comparison
2ce940e54e9 Cast values to match printf format strings.
f3e9308fe1b Replace "a RSA" with "an RSA"
8ca2a012c8e timing_load_creds: Add timersub macro for platforms where it is missing
a6e50030516 Fix the code used to detect aarch64 capabilities when we don't have getauxval()
cca2d261d59 Fix the check of BIO_set_write_buffer_size and BIO_set_read_buffer_size
bdb66dd4c56 Fix the check of EVP_PKEY_decrypt_init
6a858e9f596 Fix the checks in rsautl_main
2fcf42c062c Drop a spurious printf in evp_test.c
f0294208d11 Fix build on NonStop
998174c5d8f doc: fix EVP_SignInit.pod
f491f96ab0d Clarify the EVP_PKEY_decrypt manual page
4277516fd1b Prepare for 3.1 beta 1
21037dfc280 Prepare for release of 3.1 alpha 1
be8d1efbafc make update
967f2014402 Update copyright year
f73a5b7d986 NEWS.md: Update with changes from 3.0.7 and major items from 3.1
be3392084ab cmp_client_test.c: add tests for OSSL_CMP_CTX_get_status
ca0dd5f4a30 Remove redundant assignment in felem_mul_ref in p521
059123bed8f doc: fix location of AES-SIV ciphers
d656efb9eb7 Update pyca-cryptography submodule to 38.0.4
926db476bc6 Honor OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT as set and default to UNCOMPRESSED
18e72cbefec Fix occasional assertion failure when storing properties
93d3ad02123 Drop incorrect skipping of some evp_test testcases with no-gost
5462d8d6a6a Add test for EVP_PKEY_Q_keygen
d0f33da0273 Fix typos in doc/man3/EVP_EncryptInit.pod
2c3ea16b232 When using PEM_read_bio_PrivateKey_ex() the public key is optional
afc18bfdb83 add missing OSSL_CMP_CTX_reset_geninfo_ITAVs() function
23a0b31f32a add missing OSSL_CMP_CTX_reset_geninfo_ITAVs() function
b3d29175f70 OSSL_CMP_CTX_reinit(): fix missing reset of ctx->genm_ITAVs
f494a5c2fe7 CMP: fix gen_new() in cmp_msg.c checking wrong ITAVs
9bf67ed5525 Fix typo in openssl-x509.pod.in
80d89bde843 test/timing_load_creds.c: use OPENSSL_SYS_ macros
5e616482dc1 Disable test/timing_load_creds.c on VMS
5d8c9e2c28f Add SM2 support for EVP_PKEY_Q_keygen
fb705bebeef CMP: fix handling of unset or missing failInfo PKI status information
12dbea73ef5 CMP: fix status held in OSSL_CMP_CTX, in particular for genp messages
0703f3f9dff Add two new build targets to enable the possibility of using clang-cl as an assembler for Windows on Arm builds and also clang-cl as the compiler as well. Make appropriate changes to armcap source and peralsm scripts.
bf8365842f2 OSSL_trace_enabled.pod and OSSL_trace_set_channel.pod: improve doc
59b51db3d24 http_client.c: Dump response on error when tracing is enabled
d04231c1741 c_rehash: Fix file extension matching
18292564ba2 Coverity 1515953: negative loop bound
762473f53a0 Improve performance of the encoder collection
69bcdb7dcdf optimize ossl_sm4_set_key speed
10c2f19420e Add vpaes-loongarch64.pl module.
e5a5a194fa7 Add LoongArch64 cpuid and OPENSSL_loongarchcap_P
bf0e3fae0d8 nit: fix some pointer comparisons
fee9986c3da apps & al : Fix various typos, repeated words, align some spelling to LDP.
f24b716f26f Fix various typos, repeated words, align some spelling to LDP.
2c54276e89e crypto/*: Fix various typos, repeated words, align some spelling to LDP.
5af0050147e crypto: Fix various typos, repeated words, align some spelling to LDP.
86699ac6ef4 Fixed some grammar and spelling
cb6f8ae4638 ERR: replace remnant ECerr() and EVPerr() calls in crypto/
98e3f4e9d0a apps/speed.c: Lock buffer in memory
a193030d324 Add config option for speed command Fixed #16986
b800396dddc test/trace_api_test.c: fix gcc error on -Werror=strict-prototypes
9099a0564be Add tests for trace_api.
24e1432e187 Fix AES-GCM on Power 8 CPUs
64668674e80 OSSL_CRYPTO_ALLOC attribute introduction proposal.
8cef32cd2e0 Fix PROV_RC5_CTX's original structure name
0094d5c26b7 openssl.cnf: split option value and comment and remove leading space
7bfa68fe580 Cleanup EBCDIC string defintions
150c6f0f3c1 Add some API tests for TLSv1.3 record padding
7bda9e81a68 Add a test for read_ahead data crossing a key change
291f8294d47 provider: cipher: aes: add riscv32 zkn (zbkb) support
8aff1e8bf30 aes_platform: add riscv32 zkn asm support
fd7953b7b93 add build support for riscv32 aes zkn
2f97366e469 Add RISC-V 32 cpuid support
624bd6890da Add linux32-riscv32/BSD-riscv32 target
ef832b3b5dd Add AES implementation in riscv32 zkn asm
38186a241eb Add BSD-armv4 target based on linux-armv4
8bee6acc6fa Improve chacha20 perfomance on aarch64 by interleaving scalar with SVE/SVE2
6bf9a6e59cb Drop the optimisation level for ppc64le cross-compile
8ba5893e4a9 Add CODE-OF-CONDUCT.md
8a63360e8ec Fix unrolled montgomery multiplication for POWER9
3a2da102b42 Revert "Revert "bn: Add fixed length (n=6), unrolled PPC Montgomery Multiplication""
40230f66c42 test/timing_load_creds.c: fix coding style and other (mostly minor) issues
93485e8ed8b Rename the "timing" program to "timing_load_creds" and integrate it with test/build.info
e5124e1cb52 Add a stand-alone "timing" program
411a3d81874 Add ROTATE inline RISC-V zbb/zbkb asm for DES
41ac1b428f8 Fix GHASH-ASM implementation on s390x
15c7642b9e2 Change name of parameter in documentation from sigret to sig
74bfc163f10 gcm_get_funcs(): Add missing fallback for ghash on x86_64
77d99f03a19 Fix regression from GCM mode refactoring
6df6a44fe9d s390x: Optimize kmac
61763c03235 s390x: Fix GCM setup
5c7a383d5e3 Clean up GCM_MUL and remove GCM_FUNCREF_4BIT
aa973176940 Clean up use of GHASH macro
6843c1e4a71 Use separate function to get GCM functions
a66a1162310 Remove some unused 4bit GCM code
be25847920f Remove unused 1bit GCM implementation
b2587f03d84 Remove unused 8bit GCM implementation
6df209b410b Emit rev8 on __riscv_zbkb as on __riscv_zbb
fe606019274 Cleanup : directly include of `internal/nelem.h` when required.
3431dd4b3ee Improve FIPS RSA keygen performance.
86479643a4b params_api_test.c: Fix mistake in backported test fix
d5c02e2de86 Release the drbg in the global default context before engines
872dd0a21f2 Add a test case for the engine crash with AES-256-CTR
e4d8eaac7e2 Add an EVP signature demo using DSA
20d3731006c test/recipes/80-test_cms.t: Fix the "CAdES ko" test
b3840494e92 Fix coverity issues in X509v3_addr
de22633a877 Add missing HISTORY sections for OpenSSL 3.0 related documents.
1136c4dc391 Improve FIPS RSA keygen performance.
6f6f4133129 Fix no-dtls1_2
ba86c086c72 dhparam: Correct the documentation of -dsaparam
4890f26e398 dhparam_test: Test that we add private key length on generation and print it
ac214d70155 Use as small dh key size as possible to support the security
1f664896b90 Add ROTATE inline RISC-V zbb/zbkb asm for chacha
dc6daead2f2 Add config option OPENSSL_NO_UNIX_SOCK
713f6a14e25 Add a DTLS next epoch test
01c7d59f035 VMS: For executables, process the use of /INCLUDE=main a bit differently
81bfb11b8d6 VMS: use selective search when linking with shareable images
72f022b9940 Add ROTATE inline asm support for SM3
674ecc0c5a1 Add SM3 implementation in RISC-V Zksh asm
433471084e4 Add deprecation macro for 3.1 and deprecate OPENSSL_LH_stats
2adb7908ef8 Optimize chacha20 on aarch64 by SVE2
c25f2c18735 Add test cases for verification of time stamping certificates
31117e602a4 Remove debug and other outdated build targets.
d8813ae09a2 [crypto/bn] BN_consttime_swap: remove superfluous early exit
03b825f74f4 providers: cipher: aes: add riscv64 zkn support
9243129b5f3 aes_platform: add riscv64 zkn asm support
67026390bf7 Add riscv scalar crypto extension capability
3c2287309c6 add build support for riscv64 aes zkn
a85f5cd635d Add AES implementation in riscv64 zkn asm
73cf79101c4 Fix code format: BLOCK_CIPHER_custom
fbb9a1f9971 Move types.h #undefs for wincrypt.h compatibility
e373c086c4d Make running individual ssl-test easier
c251c628f80 Add riscv64 asm_arch to BSD-riscv64 target
2e7f6ca65d4 Apply the AES-GCM unroll8 optimization patch to Neoverse N2
d295e4b1da6 performance: improve ossl_lh_strcasehash
fca5d6a2b76 Drop ossl_namemap_add_name_n() and simplify ossl_namemap_add_names()
8af5c6c4d34 ossl_namemap_name2_num: Avoid unnecessary OPENSSL_strndup().
2a24b6f170f Add BSWAP4/BSWAP8 routines for riscv64 with Zbb
58901bfaf9f Add clmul-based gmult for riscv64 with Zbb, Zbc
8448432a3be Add basic RISC-V cpuid and OPENSSL_riscvcap
b60603c5e3a Add AES implementation in generic riscv64 asm
1aadae96206 Prepare NonStop for fixed-size integer types.
b28fbe26f5d add tests for PBKDF2 with SHA-3
5b8b7bcbab1 add support for SHA-3 based PRF to PBES2
e12f0f11b30 Make IV/buf in prov_cipher_ctx_st aligned
5c03d5ddce0 Add riscv64 asm_arch to linux64-riscv64 target
45e16e9e45d RISC-V support for the SHA256
c606775c4e4 evp_md: assert digest is provided for algctx reuse
9c5104948b8 Exclude IPv6 code using OPENSSL_USE_IPV6 instead of AF_INET6
b595301793c Header file cleanup for C++20 header-units
0f6ff63bdf3 doc: add not that DTLS 1.0, TLS 1.1 and before are disabled at security level 1
a8b6c9f83ce tls: ban SSL3, TLS1, TLS1.1 and DTLS1.0 at security level one and above
4a929c7c5cb Remove the _fetch_by_number functions
f68b78e3076 Remove duplicated #include headers
a14eff6319e Acceleration of chacha20 on aarch64 by SVE
b9b91dad9f1 md5: add assembly implementation for aarch64
708bf3dde8f evp_md_init_internal: Avoid reallocating algctx if digest unchanged
dbe58ce23e7 Prefer .inst rather than .long for probe instructions in arm64cpuid.pl
092f0eded32 Clear unused variables in X509_print_ex()
a44616e9464 Fix gcc 6.3 builds of aarch64 BSAES
afb3f8ad95f fix some typos
a06a72f797d fix for sslecho in demos echoing garbage #18165
0c6bca79085 Added Simple SSL Echo Client/Server to demos.
e3bcb12b6e9 s390: Add new machine generation
2535075bf0b SM4 optimization for ARM by ASIMD
553e125aff6 Remove unused libctx functions (runonce, onfree)
519481c7748 Add -static-libgcc to solaris-sparcv7-gcc shared_ldflag
a48081ac606 OSSL_PARAM_get_*_ptr: Drop errors from ptr/string mismatch
8436ef8bdb9 Refactor OSSL_LIB_CTX to avoid using CRYPTO_EX_DATA
ee246234bf5 Refactor: a separate func for provider activation from config
851bbd0f571 Add doc for EVP_ASYM_CIPHER-RSA and clean up OSSL_PROVIDER-FIPS.pod.
0306ba1da18 evp_extra_test2: Test DH param checks with non-NULL libctx
b049d9add2b DH_check[_params]() use libctx of the dh for prime checks
52ca4c4bac5 ParseC.pm: gracefully handle DOS-style end-of-line in source files
7fe68ca8382 Use <openssl/e_os2.h> rather than <stdint.h>
c097598ca49 Add test to confirm IPAddressFamily_check_len catches invalid len
fabdc09b1ff Catch incorrect IPAddressFamily lengths
5aaa3458e5d Drop explicit check for engines in opt_legacy_okay
31d6565c846 Fix the check of EC_GROUP_check_named_curve
3a4dd7f7d1a apps/speed.c: fix the wrong checks
8fe8c0f89eb Ensure that SIZE_MAX is defined where OSSL_SSIZE_MAX is used.
46b13bbfa1b Add documentation for CPUID bit #64+17
176836fce91 test: fix typo in test description
6953cda1edf test: add two comparision options to fips version test utility code
08715aaa249 Add test for EVP_PKEY_eq
d619035d034 Update documentation for keymgmt export utils
2c2726cd99a Propagate selection all the way on key export
2f3f0b0c420 apps/ocsp.c: Add missing test if make_ocsp_response failed
3d004cefec5 Use the same encryption growth macro consistently
a05e2aa5488 apps/speed.c: add verifying if fdopen returns NULL
38977853ec0 Resign test/certs/rootCA.pem to expire in 100 years
a7b0ea5ad04 Update the validity period of ed25519 cerificates
66ecce223ce test_CMAC_keygen(): Avoid using ECB cipher with CMAC
d90a4c7d5a1 cmac_set_ctx_params(): Fail if cipher mode is not CBC
66c4f141369 demos/mac/cmac-aes256: Clarify the cipher algorithm used
985eb23fbf8 Add test for generating safeprime DH parameters
729295023af Use libctx when generating DH parameters
c6fb30f488f Remove further uses of __ARMEL__ in AArch64 assembly
c2564d1323f Fix Coverity 1503218: negative loop bound
4a1108eb590 Decoder resolution performance optimizations
ae154847632 Disable the test_afalg on cross compile targets
c425e365f49 Configure: don't try to be clever when configuring afalgeng
ceae983354d Fix incorrect comments in aes-gcm-armv8-unroll8_64.pl
42fe0f1aa4a Add EVP RSA key encode/decode demo
6907e6a1480 Fix typos in CCM test vector titles
e2c3aea2ea5 Fix IV length caching in EVP encryption code
a1fed5b2f62 aes-gcm-avx512.pl: Fixed mingw64 build
3f3d32832c6 Fix bug in scrypt KDF provider dup method
38f3427cb6f Fixed conditional statement testing 64 and 256 bytes
afb67ad1e1b update oqsprovider/liboqs to v0.7.2
5929d5287a3 Update the oqs-provider submodule to a more recent commit
9a937ef4731 test_external_oqsprovider: Use working checkout of liboqs
c635400be1f Add external testing with oqsprovider
bfdcbe95fde Use Perl to generate bsaes-armv8.S
8a2941870ec ARM assembly pack: translate bit-sliced AES implementation to AArch64
e301e531fb1 Further acceleration for SM4-GCM on ARM
1dd1e2df3d8 Fix build issue with aes-gcm-armv8-unroll8_64.S on older aarch64 assemblers
0f3de2f0b92 Add testing of OBJ_find_sigid_by_algs()
c581148fa48 enable CMS sign/verify for provider-implemented PKEYs
0c8684e7945 SM4 optimization for non-asm mode
41e2d878419 chacha20 performance optimizations for ppc64le with 8x lanes, Performance increase around 50%.
659b645d15d Fix typo
8095adc16b7 test/helpers/handshake.c: Add check for OPENSSL_strdup
270c72a340c Add test of FIPS provider from the master branch with 3.0 build
fa82704ea65 evp_test: Skip testcase if r parameter is unsupported
64e20b1f442 Add test of FIPS provider from the 3.0 branch with master build
0a23b2b5308 AES-GCM enabled with AVX512 vAES and vPCLMULQDQ.
af84bf2d52d aarch64: fix branch target indications in arm64cpuid.pl and keccak1600
106050faebc Fixed counter overflow
817096e9b51 Fix typos
bbbccd79594 evp enc: cache cipher key length
071f5f874bb aes: avoid accessing key length field directly
97477bb6c48 Move e_os.h to include/internal
70df6caa0bf indentation fix
dbe35ee6bfc tls1 prf: implement ctx dup operation
0ca770e3785 pkcs12 kdf: implement ctx dup operation
6e6024c37c3 test: change pkey kdf dup fail test to a pkey kdf dup success test
0f5229723ff k942 kdf: implement ctx dup operation
ab09d2d7cb8 ss KDF: implement ctx dup operation
99a414d1df1 ssh kdf: implement ctx dup operation
e85d09d9803 scrypt: implement ctx dup operation
cb949048d6e krb5kdf: implement ctx dup operation
a0a589babcf kbkdf: implement ctx dup operation
6343c3cf7e7 hkdf: implement ctx dup operation
e9f0b7243c1 pbkdf2: implement ctx dup operation
34d2a072a9c pbkdf1: implement ctx dup operation
f46befd667e evp_test: add a ctx dup operation to the KDF tests
a262d4ff181 prov: add a safe memdup function for context cloning
bc15591d7d3 Support different R_BITS lengths for KBKDF
e8f1d76b502 Fix endianness problem in params_api_test
34ca334e5de Optimize AES-GCM for uarchs with unroll and new instructions
a2bdca6fe66 AES-GCM performance optimzation with stitched method for p9+ ppc64le
f01ebab0c0e fuzz: add punycode decoder fuzz test
709c04b5dd6 punycode: update to use WPACKET instead of using custom range checking
7abe06cbb52 pem: avoid segfault if PKEY is NULL in PEM_write_bio_PrivateKey
c8df0736e42 pem: fix a memory leak in PEM_write_bio_PrivateKey_traditional
80645dfb8fd Limit size of modulus for BN_mod_exp_mont_consttime()
78a4827dad6 Revert "Skip DES based tests in FIPS mode"
a7fb08256d0 Revert "Remove conditional FIPS dependence for 3DES"
d0afc4ecc00 Revert "Move DES based test cases out of FIPS territory"
d65b52ab575 Put 3DES back into the FIPS provider as a non-approved algorithm
13d3be4a37f pkcs7: Remove unused includes
3ede8f19b58 fips-label.yml: Fix the script after actions/github-script upgrade
08043118d1d Simpler square-root computation for Ed25519
5948336502a Fix sm3ss1 translation issue in sm3-armv8.pl
3fe69d976b5 test: add cipher context dup test
15e6cb6223a test: add digest context dup tests
0e1634db8e1 doc: document digest and cipher dup functions
107b16037ed Add context dup functions for digests and ciphers
fc83bd1a1d8 fix indentation
37f1828d870 SM4 optimization for ARM by HW instruction
8c39948b269 providers: Add SM4 GCM implementation
852bb13853b property: reduce memory consumption when OPENSSL_SMALL_FOOTPRINT is defined.
8ea185e2e41 test: add some unit tests for the property to string functions
b1b4806a8ca property: use a stack to efficiently convert index to string
654490cebf8 SM3 acceleration with SM3 hardware instruction on aarch64
4c4ac7c7ddb param dup: add errors to failure returns
584e4473779 param build set: add errors to failure returns
b08f61e7c4d param build: add errors to failure returns
c737132dff0 test: check for properly raised errors during param conversion
59548647a81 params: add error messages for built in param conversions
a99bc331302 err: add additional errors
ec8ee00100f Statically link the legacy provider to endecode_test
0029f786658 Don't use __ARMEL__/__ARMEB__ in aarch64 assembly
068c7fa9952 APPS load_key_certs_crls(): Make file access errors much more readable
00ce8311524 OSSL_STORE_open_ex(): Prevent spurious error: unregistered scheme=file
0aaa71b90a9 Fix typos
53f2ed74370 Don't run TLSFuzzer tests when it is not properly set
8963caee374 Run TLSfuzzer tests for CI
cda2f1b9d4b TLS Fuzzer: initial test infrastructure
6f79bda426c TLSfuzzer: submodules
490934c61bd fix building failure when using -Wconditional-uninitialized
f53caf04eba Fix compile error when building with no-asm
ea578b6553b check the return value of EVP_MD_fetch in ecdh_exch.c:285 & dh_exch.c:347
9316125febb improving tests for adding sigalg with empty digest
25136fcf1b0 Documentation for RNDR and RNDRRS
f716af3484c Add tests for RNDR and combine tests with RDRAND
42ffe7812ca Add support for RNDRRS Provider
45c74dea20c Add Arm Assembly (aarch64) support for RNG
ee51843cbe8 Remove some unnecessary undefs in bn_asm.c
923140bd003 Add support for BSD-ppc, BSD-ppc64 and BSD-ppc64le configurations
3d2b47bcdf8 Dual 1536/2048-bit exponentiation optimization for Intel IceLake CPU
0bed814750c Add RSA encrypt demo
b25d775e6cc sha/asm/keccak1600-ppc64.pl: Load data in 8 byte chunks on little endian
e7557d7d747 prov: remove unused field `flag_fallback` and function `ossl_provider_set_fallback`
c3f76ee8e40 x509: remove dead call to strlen()
8786f7058c0 Remove redundant tests
5f113755bde Revise s_client and s_server verbiage re secure renegotiation.
37fdd76d06b aarch64: support BTI and pointer authentication in assembly
17366644e4d RISC-V support for the SHA512
8bb214fae17 Add changes entry indicating that the OBJ_* calls are now thread safe
74299cf58fe test: add threading test for object creation
cd0cc4911f8 doc: add note to indicate that the OBJ_ functions were not thread safe in 3.0
a5d27c2907e doc: Document that the OBJ creation functions are now thread safe.
060290e6aaf obj: add locking to the OBJ sigid calls
26d9ed7aef6 obj: make new NIDs use tsan if possible
196c57ee6a9 obj: make the OBJ_ calls thread safe
0c1613aeb92 tsan: add an addition macro
6460c3cf931 increase x509 code coverage metrics
b699a1e89d2 Fix PACKET_equal test with BUF_LEN+1 on -Wstringop-overread
bae1d405cf0 Fix documentation for some i2d return values.
42e1a641a48 Test that signatures using hash name commands work properly
0391198f48f apps/dgst.c: Set digestname from argv[0] if it is a builtin hash name
db30d8f90d8 Check for private key existence before calling eddsa sign functions
733084ae065 crypto/sha/asm/sha512-ia64.pl: When checking assembler file names, ignore case
6f6d7eeda1d Configurations/*.tmpl: overhaul assembler make rules.
ec33ed71266 Update GitHub actions as suggested by dependabot
5c7a2fc2790 Coverity 1516624: Fix overrun memory access.
eaa20600732 Fix the ceiling on how much encryption growth we can have
27cf118437c providers/common/der/oids_to_c.pm: Remove use of Data::Dumper
78ed5ab1d70 Potential null pointer reference
7f6bf5cdac7 fips: verify that the RNG was restored after the self tests
dad5676c1a7 fipsinstall: add -self_test_oninstall option.
18477977496 Update FIPS KATs for 140-3
df8f8432eb1 dsa/ec: update pairwise tests to account for 140-3 IG 10.3.A additiocal comment 1
dfb79d08e28 Remove DES cipher from the FIPS provider
f66c14a0cc1 Update fipsinstall tests
bf9c7c4bb42 Remove conditional FIPS dependence for 3DES
55d9f73a43d Move DES based test cases out of FIPS territory
3e218fd7bed Skip DES based tests in FIPS mode
e30aad54159 rand: add set0 calls for the private and public DRBGs
5e244a93778 Update CHANGES.md and NEWS.md for new release
355be308eb2 punycode: add unit tests
4af7a0e48f4 Fix CVE-2022-3786 in punycode decoder.
0d50c5e2885 Fix CVE-2022-3602 in punycode decoder.
f1b7a6c2475 tests: clear error queue before executing a testcase
6001ba23e08 Fix parameter names for RSA private key example
868141d4506 Make openVMS seeding less dependent of OpenVMS version
4215d649e92 Use RSA CRT parameters in FIPS self tests.
49e5865692f test: driver: fix -Wunused-but-set-variable
551aa3b6f96 x509: fix -Wunused-but-set-variable
6bfde830c86 txt_db: fix -Wunused-but-set-variable
e556b05083f pem: fix -Wunused-but-set-variable
1462e6f9a65 CI: add Clang 15
8024730835d CI: Upgrade to Ubuntu 22.04 to add GCC 12, Clang 13, Clang 14
259b9dd55ee CI: add GCC 11
9fb0ff30343 rand: remove the ossl_rand_pool_add_additional_data() function.
91caaa3ba3e ssl_cipher_process_rulestr: don't read outside rule_str buffer
cc62162a540 Add missing ERR_R_XXX_LIB codes
22b486e2ac0 Finer grained error records for provider load/init failures
432616d448c Update VERSION.dat, CHANGES.md and NEWS.md for branch openssl-3.1
02be04e5359 Fix a lock in provider_remove_store_methods()
REVERT: 31157bc0b46 Prepare for release of 3.0.8
REVERT: 8c0eaeaf7c6 make update
REVERT: 2a4b68ef012 Update copyright year
REVERT: 2ad99281707 Internaly declare the DSA type for no-deprecated builds
REVERT: 071e702aec8 Add CHANGES.md and NEWS.md entries for the 3.0.8 release
REVERT: a0f2359613f Add testcase for missing return check of BIO_set_md() calls
REVERT: d3b6dfd70db pk7_doit.c: Check return of BIO_set_md() calls
REVERT: 2f7530077e0 CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (3.0)
REVERT: 7e371855829 Add test for DSA pubkey without param import and check
REVERT: fab4973801b Do not create DSA keys without parameters by decoder
REVERT: c1b4467a7cc Prevent creating DSA and DH keys without parameters through import
REVERT: 23985bac83f Fix NULL deference when validating FFC public key.
REVERT: 67813d8a4d1 Add test for d2i_PKCS7 NULL dereference
REVERT: 934a04f0e77 Do not dereference PKCS7 object data if not set
REVERT: f596ec8a6f9 Check CMS failure during BIO setup with -stream is handled correctly
REVERT: 8818064ce3c Fix a UAF resulting from a bug in BIO_new_NDEF
REVERT: cbafa34b5a0 Add a test for CVE-2022-4450
REVERT: 63bcf189be7 Avoid dangling ptrs in header and data params for PEM_read_bio_ex
REVERT: 8e257b86e58 Fix Timing Oracle in RSA decryption
REVERT: fe6842f5a5d Add testcase for nc_match_single type confusion
REVERT: c927a349269 Fix type confusion in nc_match_single()
REVERT: 36d85b02cef doc/man1/{storeutl,gendsa}: point out that extra options/arguments are ignored
REVERT: 77f29142b26 Fix incomplete check on EVP_CIPHER_param_to_asn1()
REVERT: 28b78f39560 Use $config{build_file} instead of $target{build_file}
REVERT: 0f67990573f Fix a potential memory leak in crypto/provider_child.c
REVERT: 45e6a974736 BIO_read.pod: fix small typo
REVERT: d36b0450d9d Do not include sparse_array.o in libssl with no-shared
REVERT: 5a1b22fc2e6 Avoid duplicating symbols in legacy.a with some build options
REVERT: 721aca05df2 Fix incomplete check on X509V3_add1_i2d()
REVERT: 39bc59bc83c ChaCha20-Poly1305 no longer supports truncated IV's.
REVERT: da6d4180526 coverity 1520506: error handling
REVERT: 2680cd25ed0 coverity 1520505: error handling
REVERT: 3a0bbaba732 Add notes about ignoring initialization failures on contexts
REVERT: a47eff38d7e Document that the RSA e value is mandatory when importing.
REVERT: d646730b89c Fix Coverity 1520485: logically dead code
REVERT: 84eace37362 Clarify the change of enc -S behavior in 3.0
REVERT: 9c92c4917e1 Fix incomplete checks for EVP_CIPHER_asn1_to_param
REVERT: ce7193b1233 OSSL_trace_set_channel(): add important statement that it takes BIO ownership
REVERT: a478dd11e9e set_trace_data(): prevent double free on OPENSSL_strdup() failure
REVERT: a3dd46d2c63 Fix corruption when searching for CRLs in hashed directories
REVERT: ae0f54d3005 Add DTLS support to the large app data test
REVERT: ecafcd8ad35 Ensure our buffer allocation allows for the Explicit IV
REVERT: 6960fb03d58 Add a test for large app data
REVERT: 299f096ff39 MD5.pod: Recommend SHA-2 or SHA-3 family hashes instead of legacy ones
REVERT: 5f77f91a42f X509_V_ERR_INVALID_PURPOSE: fix misleading text; Fix omission in X509_VERIFY_PARAM_clear_flags doc
REVERT: add42e0b3b5 cmp_client.c: fix handling of total_timeout for RR and GENM transactions
REVERT: 538682c62ac cmp_client_test.c: add tests for end_time being initialized for RR/GENM
REVERT: de3b3c9c04e CMP docs: clarify behavior on message/total timeout values given
REVERT: 780e7b11a54 Fixes wrong return type in BIO_do_connect man page.
REVERT: 846d5099f3c Fix incorrect check on RAND_bytes_ex() in generate_q_fips186_4()
REVERT: f45c6033ceb Padlock: fix byte swapping assembly for AES-192 and 256
REVERT: 36d03d2f05a Add link to EBNF definition
REVERT: 9db21bebd18 Add negative test for unquoted property string
REVERT: 5aa0554ac37 Correct property EBNF for unquoted strings
REVERT: b9097b0c3b0 Fix incorrect error return value in i2r_ADMISSION_SYNTAX()
REVERT: 60c19d0d61d Fix potential NULL pointer dereference
REVERT: e594a9b7605 Clarify documentation of X509_STORE_CTX_get_current_cert()
REVERT: 46d4cb4d8f1 pkey: Imply public check if -pubin is specified
REVERT: 5701ead8f20 Bump actions/setup-python from 4.4.0 to 4.5.0
REVERT: d6220d1b7f6 Documenting lack of error codes stability
REVERT: e6b1586ea2b Limit size of modulus for bn_mul_mont and BN_mod_exp_mont_consttime
REVERT: 54eb24982b6 Revert "Limit size of modulus for BN_mod_exp_mont_consttime()"
REVERT: 18308d6616c SSKDF with KMAC should return SIZE_MAX when EVP_KDF_CTX_get_kdf_size() is used.
REVERT: 757fd35182b fix manpage of `d2i_X509(3)`
REVERT: d92a5da5ae2 Do not check definition of a macro and use it in a single condition
REVERT: 1932e595c80 OSSL_PARAM_BLD and BIGNUM; ensure at least one byte is allocated
REVERT: f51b4ebb079 In OSSL_PARAM_set_BN(), make sure that the data_size field is at least 1
REVERT: 5601648e91d test/param_build_test.c: test zero BIGNUM
REVERT: 7b807ad6eaa Add testcase for OSSL_trace_set_callback()
REVERT: 318a27d4e9a Avoid ifdefs in trace categories
REVERT: b4419635c99 test/trace_api_test.c: fix gcc error on -Werror=strict-prototypes
REVERT: 5c6936e92df Add tests for trace_api.
REVERT: 2f2176dc8d3 Doc: Update history section of EC_GROUP API's.
REVERT: accd85ce7cd Documentation for EVP_PKEY_CTX_get0_pkey() and EVP_PKEY_CTX_get0_peerkey().
REVERT: b9b411be841 info.c: Fix typos in seed macro name and description string
REVERT: 4f46ff14bec rsaz_exp_x2.c: Remove leftover from broken cherry-pick
REVERT: e3a9668e48b Revert "rsaz_exp_x2.c: Remove unused ALIGN64 macro"
REVERT: 2a57a117a2e rsaz_exp_x2.c: Remove unused ALIGN64 macro
REVERT: dcde8ea8c46 rsaz_exp_x2.c: Avoid potential undefined behavior with strict aliasing
REVERT: 842311ae30b Revert "Fix an occasional CI failure due to unaligned access"
REVERT: 6f252dd632a BIO_s_dgram: add documentation and hazard warnings
REVERT: 0a69ca8f635 Avoid possible divide by zero
REVERT: 5b449de0f0a 80-test_cms.t: Fix rsapssSaltlen check on MinGW
REVERT: 7736379c5c0 Cleanse internal BN_generate_dsa_nonce() buffers used to generate k.
REVERT: 1bd53640a2a Bump actions/setup-python from 4.3.1 to 4.4.0
REVERT: 46cf94e5e6e INSTALL.md: Remove trailing space
REVERT: 4a8e7e27649 Docs: Move deprecated ECDSA_ functions into a separate file.
REVERT: 12f64521194 Change HKDF to alloc the info buffer.
REVERT: 053e06bd050 ec_kmgmt.c: check the return of BN_CTX_get() in time.
REVERT: f0bbb25f348 INSTALL.md: Fix typo
REVERT: b65285ba438 Add Demos for DSA params/DSA keygen.
REVERT: b49d8da7745 Fix possible UB in init_info_strings
REVERT: 00323667e3b Add a CMS test for a bad encryption algorithm
REVERT: e979d9aaf5f Ensure ossl_cms_EncryptedContent_init_bio() reports an error on no OID
REVERT: a923d9bbb52 Fix BIO_f_asn1() to properly report some errors
REVERT: 0a3eeb3346d Fix SMIME_crlf_copy() to properly report an error
REVERT: 1619478374f Fix BIO_f_cipher() flushing
REVERT: 36d6ebad8f6 Update pyca-cryptography submodule to 38.0.4
REVERT: 999509c235a Honor OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT as set and default to UNCOMPRESSED
REVERT: 6651044b4d8 Fix a logic flaw in test_mod_exp_zero
REVERT: c935b89f285 Raise the KMAC limits for key and custom size to 512 bytes
REVERT: 0a229aec0a5 Update FIPS related build instructions.
REVERT: 4ae8fe6cc8d Refine the documents of several APIs
REVERT: 75fa52ddc97 Update HMAC() documentation.
REVERT: 5ba39c0bf79 Fix FIPS Provider compat CI of 3.0 libcrypto with 3.2 FIPS provider
REVERT: 878b00aa336 Coverity: fix 272011 resource leak
REVERT: 53c643f67fe Fix openssl storeutl to allow serial + issuer
REVERT: f92b294563b Make error reason for disallowed legacy sigalg more specific
REVERT: bb3a931f867 crypto/err: expand on error code generation
REVERT: 353521b7720 Run-checker merge CI: Memleak test does not work without ubsan
REVERT: 921e19c20aa Revert "Run-checker merge CI: Replace no-shared with no-modules"
REVERT: 4343b2923ac unbuffer stdin before get passwd from stdin
REVERT: 17bd383dd21 Obtain PSS salt length from provider
REVERT: 39fcc351c2c Run-checker merge CI: Replace no-shared with no-modules
REVERT: bc136fd386b Cross compiles CI: Disable stringop-overflow warning on s390x and m68k
REVERT: 8face2721b7 Fuzz checker CI: Use more generic include dir for fuzzer includes
REVERT: 42cd898bd30 Bump actions/setup-python from 4.3.0 to 4.3.1
REVERT: c438de07c00 Fix `no-ec enable-ktls` build
REVERT: 6fbbb53477a test: add test case for deadlock reported in #19643
REVERT: 7725e7bfe6f x509: fix double locking problem
REVERT: 9a5c884999a cmp_vfy_test.c: fix name OSSL_CMP_CTX_set0_trusted{,Store}
REVERT: f6fdbe63c7c OSSL_CMP_validate_msg(): make sure to reject protection type mismatch
REVERT: c919280f793 Replace some boldened types with a corresponding man page link
REVERT: 2365be29764 Move the description of the core types into their own pages
REVERT: a0564dc8553 Better sorting of util/other.syms
REVERT: f60dfe81847 Fix treatment of BUILD_METADATA
REVERT: f15d23e2f9e Replace "a RSA" with "an RSA"
REVERT: 544758738da Fix the check of BIO_set_write_buffer_size and BIO_set_read_buffer_size
REVERT: 18e45bd9ead Fix the check of EVP_PKEY_decrypt_init
REVERT: 5812a2d282a Fix the checks in rsautl_main
REVERT: 17345cf10f9 doc: fix EVP_SignInit.pod
REVERT: e3ce39ab344 Clarify the EVP_PKEY_decrypt manual page
REVERT: d4394159918 cmp_client_test.c: add tests for OSSL_CMP_CTX_get_status
REVERT: d1aa7d11363 doc: fix location of AES-SIV ciphers
REVERT: e2758d1a39e Fix occasional assertion failure when storing properties
REVERT: 0e4c201cb88 Drop incorrect skipping of some evp_test testcases with no-gost
REVERT: ff2f8c81a08 Add test for EVP_PKEY_Q_keygen
REVERT: ac591bf69e6 Fix typos in doc/man3/EVP_EncryptInit.pod
REVERT: e7a7aa78348 When using PEM_read_bio_PrivateKey_ex() the public key is optional
REVERT: e2cf3852733 add missing OSSL_CMP_CTX_reset_geninfo_ITAVs() function
REVERT: 27a09e77667 add missing OSSL_CMP_CTX_reset_geninfo_ITAVs() function
REVERT: 2c65de46785 OSSL_CMP_CTX_reinit(): fix missing reset of ctx->genm_ITAVs
REVERT: 327e968c336 CMP: fix gen_new() in cmp_msg.c checking wrong ITAVs
REVERT: 79701dea429 Fix typo in openssl-x509.pod.in
REVERT: 1c8b17358fe Add SM2 support for EVP_PKEY_Q_keygen
REVERT: f2784497264 CMP: fix handling of unset or missing failInfo PKI status information
REVERT: 69d3c81ca5c CMP: fix status held in OSSL_CMP_CTX, in particular for genp messages
REVERT: c28c2e0c7e6 Fix coverity issues in X509v3_addr
REVERT: f35a4be939a Add missing HISTORY sections for OpenSSL 3.0 related documents.
REVERT: 5ac7cfb5621 Add doc for EVP_ASYM_CIPHER-RSA and clean up OSSL_PROVIDER-FIPS.pod.
REVERT: 07f21b22ca9 evp_extra_test2: Test DH param checks with non-NULL libctx
REVERT: 2bc3854a6cf DH_check[_params]() use libctx of the dh for prime checks
REVERT: 9aa9d6a9426 ParseC.pm: gracefully handle DOS-style end-of-line in source files
REVERT: 3e0a1c2c18b Add test to confirm IPAddressFamily_check_len catches invalid len
REVERT: 17af63c1df8 Catch incorrect IPAddressFamily lengths
REVERT: 56de1f3ce3d Drop explicit check for engines in opt_legacy_okay
REVERT: b67935515ed Fix the check of EC_GROUP_check_named_curve
REVERT: e29ea41f6d5 apps/speed.c: fix the wrong checks
REVERT: eb153d04294 Add documentation for CPUID bit #64+17
REVERT: 17d20f6159a Add test for EVP_PKEY_eq
REVERT: 38066a07e09 Update documentation for keymgmt export utils
REVERT: aeb80f63d44 Propagate selection all the way on key export
REVERT: d163bd08bb9 apps/ocsp.c: Add missing test if make_ocsp_response failed
REVERT: c3e8128befa fipsinstall test: skip PCT DSA signature test for new providers
REVERT: 00cd0627252 test: add two comparision options to fips version test utility code
REVERT: bb0190e8a4d Use the same encryption growth macro consistently
REVERT: 1aef13c0bdb apps/speed.c: add verifying if fdopen returns NULL
REVERT: 511d8c0fb0e Resign test/certs/rootCA.pem to expire in 100 years
REVERT: 2f27b9363e8 Update the validity period of ed25519 cerificates
REVERT: b697ae10287 Add test for generating safeprime DH parameters
REVERT: 0f68f59dd45 Use libctx when generating DH parameters
REVERT: 2fee530c86d pem: avoid segfault if PKEY is NULL in PEM_write_bio_PrivateKey
REVERT: 60d391b6f01 pem: fix a memory leak in PEM_write_bio_PrivateKey_traditional
REVERT: b8a5adf3ec4 Limit size of modulus for BN_mod_exp_mont_consttime()
REVERT: d0f8056c47f Release the drbg in the global default context before engines
REVERT: aa97297427f Add a test case for the engine crash with AES-256-CTR
REVERT: e285a0b5a0e fips-label.yml: Fix the script after actions/github-script upgrade
REVERT: 6feff2e59df Fix PACKET_equal test with BUF_LEN+1 on -Wstringop-overread
REVERT: f3aa51d6347 Fix documentation for some i2d return values.
REVERT: 424c9521182 Test that signatures using hash name commands work properly
REVERT: 03c5381b41d apps/dgst.c: Set digestname from argv[0] if it is a builtin hash name
REVERT: 76962505be6 Check for private key existence before calling eddsa sign functions
REVERT: 22530d31789 crypto/sha/asm/sha512-ia64.pl: When checking assembler file names, ignore case
REVERT: 4aabade09f9 Configurations/*.tmpl: overhaul assembler make rules.
REVERT: 7343f687705 Update GitHub actions as suggested by dependabot
REVERT: de45fecf8ae Coverity 1516624: Fix overrun memory access.
REVERT: f8e6dda7b7c Fix the ceiling on how much encryption growth we can have
REVERT: c5bc976d9a0 providers/common/der/oids_to_c.pm: Remove use of Data::Dumper
REVERT: 716712f378f Potential null pointer reference
REVERT: 7bfbf68ad04 Prepare for 3.0.8
REVERT: 19cc035b6c6 Prepare for release of 3.0.7
REVERT: 4539f7486b8 make update
REVERT: 2fa4bde7264 Update copyright year
REVERT: cf889ec8d9e Update CHANGES.md and NEWS.md for new release
REVERT: f0f530216bf punycode: add unit tests
REVERT: c42165b5706 Fix CVE-2022-3786 in punycode decoder.
REVERT: fe3b639dc19 Fix CVE-2022-3602 in punycode decoder.
REVERT: 4bae06d47ae tests: clear error queue before executing a testcase
REVERT: e6623693597 Fix parameter names for RSA private key example
REVERT: bc84a93a992 Make openVMS seeding less dependent of OpenVMS version
REVERT: 34e3cbf99f2 Use RSA CRT parameters in FIPS self tests.
REVERT: 1cfc95b25c9 test: driver: fix -Wunused-but-set-variable
REVERT: 1b85fc806a7 x509: fix -Wunused-but-set-variable
REVERT: e8c8f6faeac txt_db: fix -Wunused-but-set-variable
REVERT: 15d698d2f82 pem: fix -Wunused-but-set-variable
REVERT: 49c2c81d55d CI: add Clang 15
REVERT: 33da0e2b0d0 CI: Upgrade to Ubuntu 22.04 to add GCC 12, Clang 13, Clang 14
REVERT: e701d98618e CI: add GCC 11
REVERT: 3efb41c026d ssl_cipher_process_rulestr: don't read outside rule_str buffer
REVERT: 38acfc30cc7 Add missing ERR_R_XXX_LIB codes
REVERT: 840a8298297 Finer grained error records for provider load/init failures
REVERT: 9cbd2e1098c Fix a lock in provider_remove_store_methods()
git-subtree-dir: openssl
git-subtree-split: a92271e03a8d0dee507b6f1e7f49512568b2c7ad
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
For AmiSSL 4.0-4.2, AMISSL_V11x is defined as 0x06.
For AmiSSL 4.3+, AMISSL_V11x is changed to 0x07 and is claimed to be AmiSSL 4.0 and 0x08 is claimed to be AmiSSL 4.1, which reasonably is not correct given the 4.0-4.2 includes states they both are 0x06.
Additionally, to successfully use AmiSSL 4.0-4.2, InitAmiSSLMaster() must be called with version 0x06, else it fails.
See:
https://github.com/jens-maus/amissl/blob/4.0/include/libraries/amisslmaster.h#L10
https://github.com/jens-maus/amissl/blob/4.1/include/libraries/amisslmaster.h#L10
https://github.com/jens-maus/amissl/blob/4.2/include/libraries/amisslmaster.h#L10
https://github.com/jens-maus/amissl/blob/4.3/include/libraries/amisslmaster.h#L11
https://github.com/jens-maus/amissl/blob/5.3/include/libraries/amisslmaster.h#L35
So when specifying AMISSL_V11x, I would according to a current amisslmaster.h expect to be able to be able to use AmiSSL 4.0+, but I will instead need AmiSSL 4.3+.
The text was updated successfully, but these errors were encountered: