aboutsummaryrefslogtreecommitdiffstats
path: root/CHANGES.md
Commit message (Collapse)AuthorAgeFilesLines
* Add atexit configuration option to using atexit() in libcrypto at build-time.Randall S. Becker2024-02-011-0/+7
| | | | | | | | | | | | | | | | | | | | | | | This fixes an issue with a mix of atexit() usage in DLL and statically linked libcrypto that came out in the test suite on NonStop, which has slightly different DLL unload processing semantics compared to Linux. The change allows a build configuration to select whether to register OPENSSL_cleanup() with atexit() or not, so avoid situations where atexit() registration causes SIGSEGV. INSTALL.md and CHANGES.md have been modified to include and describe this option. The no-atexit option has been added to .github/workflows/run-checker-daily.yml. Fixes: #23135 Signed-of-by: Randall S. Becker <randall.becker@nexbridge.ca> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/23394)
* Remove a CVE reference from CHANGES/NEWSMatt Caswell2024-02-011-7/+7
| | | | | | | | | master/3.2 was never vulnerable to CVE-2023-5678 since it was fixed before it was released. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23432)
* Fix typo in CHANGES.mdIngo Franzki2024-02-011-1/+1
| | | | | | | | | | | OSSL_PKEY_PARAM_DERIVE_FROM_PQ must be OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ (note the missing '_RSA'). Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23438)
* Update CHANGES.md and NEWS.md for new releaseMatt Caswell2024-01-301-23/+42
| | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes (Merged from https://github.com/openssl/openssl/pull/23421)
* Add CHANGES entryHugo Landau2024-01-231-0/+5
| | | | | | Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23343)
* Add CHANGES.md and NEWS.md entries for CVE-2023-6237Tomas Mraz2024-01-151-0/+23
| | | | | | Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23243)
* Add apps/x509 -set_issuer & -set_subject option to override issuer & subjectJob Snijders2024-01-151-0/+6
| | | | | | | | | | | | | | | | | This changeset adds the counterpart to the '-subj' option to allow overriding the Issuer. For consistency, the `-subj` option is aliased to `-set_subject`. The issuer can be specified as following apps/openssl x509 -new -set_issuer '/CN=example-nro-ta' -subj '/CN=2a7dd1d787d793e4c8af56e197d4eed92af6ba13' ... This is useful in constructing specific test-cases or rechaining PKI trees Joint work with George Michaelson (@geeohgeegeeoh) Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23257)
* Fix the encoding of SM2 keysRichard Levitte2024-01-121-0/+6
| | | | | | | | | | | | | | OpenSSL's encoding of SM2 keys used the SM2 OID for the algorithm OID where an AlgorithmIdentifier is encoded (for encoding into the structures PrivateKeyInfo and SubjectPublicKeyInfo). Such keys should be encoded as ECC keys. Fixes #22184 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22529)
* Add CHANGES.md and NEWS.md entries for CVE-2023-6129Tomas Mraz2024-01-091-0/+21
| | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23200)
* Sync CHANGES.md and NEWS.md with 3.2 branchTomas Mraz2024-01-091-5/+7
| | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23200)
* Augment RSA provider to generate CRT coefficients on EVP_PKEY_fromdata()Neil Horman2024-01-091-0/+6
| | | | | | | | | | | | | | It would be helpful to be able to generate RSA's dmp1/dmq1/iqmp values when not provided in the param list to EVP_PKEY_fromdata. Augment the provider in ossl_rsa_fromdata to preform this generation iff: a) At least p q n e and e are provided b) the new parameter OSSL_PARAM_RSA_DERIVE_PQ is set to 1 Fixes #21826 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21875)
* Make OPENSSL_sk_push return only 0 or 1Tomas Mraz2024-01-041-0/+5
| | | | | | | | | | | | Most of the callers do not actually check for the special -1 return condition because they do not pass NULL to it. It is also extremely improbable that any code depends on this -1 return value in this condition so it can be safely changed to 0 return. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/22930)
* Disable building quicserver utility when configured with `no-apps` optionVitalii Koshura2023-12-291-0/+5
| | | | | | | | Signed-off-by: Vitalii Koshura <lestat.de.lionkur@gmail.com> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23149)
* Fix remaining provider config settings to be decisive in valueNeil Horman2023-12-271-5/+5
| | | | | | | | | | | | | | | There is one remaining config setting for providers, soft_load, which is enabled when provided in a config, regardless of its value. Augment it to require a decisive value 1/0, yes/no, on/off, true/false, as we've recently done for the activate setting. Also, since it wasn't previously documented, add docs for it. Fixes #23105 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23111)
* crypto/cmp/,apps/lib/cmp_mock_srv.c: various improvements on delayed deliveryDr. David von Oheimb2023-12-211-0/+1
| | | | | | | Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/20727)
* Make the activate setting more intuitiveNeil Horman2023-12-211-0/+8
| | | | | | | | | | | | | | | | | | | | | | | Currently, a provider is activated from our config file using the activate parameter. However, the presence of the config parameter is sufficient to trigger activation, leading to a counterintuitive situation in which setting "activate = 0" still activates the provider Make activation more intuitive by requiring that activate be set to one of yes|true|1 to trigger activation. Any other value, as well as omitting the parameter entirely, prevents activation (and also maintains backward compatibility. It seems a bit heavyweight to create a test specifically to validate the plurality of these settings. Instead, modify the exiting openssl config files in the test directory to use variants of these settings, and augment the default.cnf file to include a provider section that is explicitly disabled Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22906)
* CMP lib and app: add optional certProfile request message header and ↵Dr. David von Oheimb2023-12-191-0/+5
| | | | | | | | | | | respective -profile option Also add missing getter functionss OSSL_CMP_{CTX,HDR}_get0_geninfo_ITAVs() to CMP API. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/21281)
* PreferNoDHEKEX changelog and history anticipating inclusion in OpenSSL ↵Markus Minichmayr2023-11-241-0/+6
| | | | | | | | version 3.3. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22794)
* speed: make hmac(sha256) the default hmacJames Muir2023-11-231-0/+5
| | | | | | | | | | prefer hmac(sha256) rather than hmac(md5). Also, drop the "skip_hmac" label. If we are supposed to do hmac(hash_func) and hash_func cannot be found, then error out immediately. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22793)
* Make CHANGES.md header more appropriateHugo Landau2023-11-231-3/+5
| | | | | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22785) (cherry picked from commit d330fef1f1446c968e31803778bc7b3d067c7e99)
* Document the exporter change in CHANGES.md and NEWS.mdRichard Levitte2023-11-151-0/+7
| | | | | | Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20878)
* Add CHANGES.md and NEWS.md entry for CVE-2023-5678Tomas Mraz2023-11-081-1/+14
| | | | | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22647) (cherry picked from commit 4ee71b4c302a06c24b46a5def1cff2096bd57f0b)
* Sync CHANGES.md and NEWS.md with 3.1 branchTomas Mraz2023-11-081-2/+6
| | | | | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22647) (cherry picked from commit 2d0d3edb04ab0fa53e30e3cbdd114de9933d5361)
* CHANGES.md: note BLAKE2s supports BLAKE2b-like "size" settingнаб2023-11-081-1/+4
| | | | | | Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22444)
* CHANGES.md: document BLAKE2b's "size"-setting supportнаб2023-11-021-0/+5
| | | | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22583)
* Prepare for 3.3Richard Levitte2023-10-271-0/+8
| | | | | | | | Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22525)
* changes and news entries for CVE-2023-5363Pauli2023-10-241-1/+10
| | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* * Enable extra Arm64 optimization on Windows for GHASH, RAND and AESEvgeny Karpov2023-10-101-0/+4
| | | | | | Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21673)
* CHANGES.md: Mention new features added after 3.2 alpha1Tomas Mraz2023-10-041-0/+11
| | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22251)
* Prepare for 3.2 alpha 3Matt Caswell2023-09-281-1/+1
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
* Prepare for release of 3.2 alpha 2openssl-3.2.0-alpha2Matt Caswell2023-09-281-1/+1
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
* Add CVE-2023-4807 fix to CHANGES.md and NEWS.mdTomas Mraz2023-09-111-1/+22
| | | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22033)
* Sync changes between 3.2 and 3.1 branchesTomas Mraz2023-09-111-0/+4
| | | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22033)
* Prepare for 3.2 alpha 2Matt Caswell2023-09-071-1/+1
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
* Prepare for release of 3.2 alpha 1openssl-3.2.0-alpha1Matt Caswell2023-09-071-1/+1
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
* Added 'saltlen' option to the OpenSSL enc command line app.slontis2023-09-041-0/+3
| | | | | | | | | | | This allows PBKDF2 to change the saltlen to something other than the new default value of 16. Previously this app hardwired the salt length to a maximum of 8 bytes. Non PBKDF2 mode uses EVP_BytesToKey() internally, which is documented to only allow 8 bytes. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21858)
* Change PBES2 KDF default salt length to 16 bytes.slontis2023-09-041-0/+10
| | | | | | | | | | | | | The PKCS5 (RFC 8018) standard uses a 64 bit salt length for PBE, and recommends a minimum of 64 bits for PBES2. For FIPS compliance PBKDF2 requires a salt length of 128 bits. This affects OpenSSL command line applications such as "genrsa" and "pkcs8" and API's such as PEM_write_bio_PrivateKey() that are reliant on the default salt length. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21858)
* Add CHANGES.md entry for ess_cert_id_alg default changeTomas Mraz2023-08-311-0/+7
| | | | | | | | The default was changed in 10536b7f5b07aab3dc9631e94a56258155a1d942 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21845)
* Optimize SM2 on aarch64Xu Yizhou2023-08-241-0/+7
| | | | | | | | Signed-off-by: Xu Yizhou <xuyizhou1@huawei.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20754)
* Update CHANGES.md and NEWS.md for the upcoming 3.2 releaseTomas Mraz2023-08-231-26/+181
| | | | | | Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21802)
* Add CHANGES.md and NEWS.md entries for CVE-2023-3817Tomas Mraz2023-07-271-2/+20
| | | | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/21550)
* Update CHANGES/NEWS for CVE-2023-3446Matt Caswell2023-07-191-0/+20
| | | | | | | | Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21451)
* Fix typos found by codespellDimitri Papadopoulos2023-07-181-1/+1
| | | | | | | Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21467)
* Add CHANGES.md and NEWS.md entries for CVE-2023-2975Tomas Mraz2023-07-141-0/+21
| | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21384)
* Add a NEWS entry covering the FIPS related changes.Pauli2023-07-141-1/+10
| | | | | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/21386) (cherry picked from commit dfc4b6c93b99f6666cd958c5643a24bb6edff7b7)
* Enable QUIC by defaultMatt Caswell2023-07-061-0/+4
| | | | | | | | | | | | | | | Ensure builds enable QUIC without explicitly having to ask for it. To disable QUIC pass "no-quic" to Configure. As a result we can remove all use of "enable-quic" from the various CI runs. We also add a CHANGES and NEWS entry for QUIC support. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21332)
* Add support for SHA256/192Fergus Dall2023-06-281-0/+4
| | | | | | | | | | | This is defined in NIST SP 800-208 as the truncation to 192 bits of SHA256. Unlike other truncated hashes in the SHA2 suite, this variant doesn't have a different initial state, it is just a pure truncation of the output. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21180)
* add no-httpVladimír Kotal2023-06-191-0/+5
| | | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21217)
* Partially revert #18070 (Add support for Windows CA certificate store)Hugo Landau2023-06-151-16/+5
| | | | | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21190)
* Fix typos found by codespellDimitri Papadopoulos2023-06-151-3/+3
| | | | | | | | Typos in doc/man* will be fixed in a different commit. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20910)
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-07 08:02:43 +0000