Commit Graph

36052 Commits

Author SHA1 Message Date
Frederik Wedel-Heinen
357e27342e Support DEFAULT keyword and '-' prefix in SSL_CTX_set1_groups_list()
Fixes #25790

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25813)
2024-11-04 11:49:49 +01:00
Dr. David von Oheimb
1ee906143c APPS/pkeyutl: strengthen error message on too long sign/verify input
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22910)
2024-11-04 10:19:04 +01:00
Dr. David von Oheimb
50c0241de2 APPS/pkeyutl: -digest implies -rawin and can only be used with -sign and -verify
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22910)
2024-11-04 10:19:02 +01:00
Dr. David von Oheimb
c7764dacdf APPS/pkeyutl: improve -rawin usability (implied by Ed25519 and Ed448) and doc
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22910)
2024-11-04 10:18:24 +01:00
Dr. David von Oheimb
7086332550 CHANGES.md: re-word 'app' to 'command' and 'apps' to 'commands' for consistency
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22910)
2024-11-04 10:16:04 +01:00
Mohammed Alhabib
607a46d003 apps/speed.c: Fix the benchmarking for AEAD ciphers
Fixed the benchmarking for the evp aead interface for ccm, gcm, ocb, and siv,
where decryption fails when executing
`openssl speed -evp aes-128-ccm -decrypt` and
`openssl speed -evp aes-128-gcm -decrypt`.

Related issues are [24686](https://github.com/openssl/openssl/issues/24686)
and [24250](https://github.com/openssl/openssl/issues/24250).
Now both encryption and decryption, with or without AAD, executes correctly
without issues.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25823)
2024-11-04 10:04:23 +01:00
Aditya
539b17b658 apps: Change default cipher to aes-256-cbc for req, cms and smime apps
Update `CHANGES.md` and `NEWS.md`; remove `no-des` guard from req, cms,
and smime apps

Update MAN pages for default cipher; fix styling by removing braces around single statements

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25839)
2024-11-04 09:56:55 +01:00
Zheyu Shen
1d160dbf39 Fix incorrect openssl-smime doc sample command for encrypt
Original documented sample command causes error. PEM recipient cert argument needs to go last.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25829)
2024-11-01 17:27:19 +01:00
Tomas Mraz
59f5f6c73c speed.c: Check for 0 block size
Although this cannot really happen check for 0 block size
to avoid division by 0.

Fixes Coverity 1633936

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25822)
2024-10-31 13:00:10 +01:00
Niels Dossche
8ff6edb9da Fix potential memory leak in OSSL_HPKE_CTX_new()
ctx->propq is a duplicated string, but the error code does not free
the duplicated string's memory. If e.g. EVP_CIPHER_fetch() fails then
we can leak the string's memory.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25812)
2024-10-30 11:58:16 +00:00
Aditya
7e3f7f1dbb test: Add test cases for req -cipher option
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25796)
2024-10-30 11:55:23 +00:00
Aditya
bca1bb2977 req: Add -cipher option to specify private key encryption cipher
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25796)
2024-10-30 11:55:23 +00:00
Neil Horman
43ba601723 Remove sslkeylog file setup from quic-hq-interop
Now that libcrypto supports the user of SSLKEYLOGFILE, the interop demo
attempts to open the same file based on the same env variable.

The hq-interop-demo code can just be removed, and it fixes the open
failure when both libcrypto and hq-interop attempt to open and write the
same file, which is causing the nightly failure

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25819)
2024-10-30 11:49:11 +00:00
Richard Levitte
4c29044a83 fix: util/check-format-commit.sh - fix ending check
Look at the end result instead of the file name it's stored in

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25810)
2024-10-30 11:41:55 +00:00
Michael Baentsch
280c1d0f3e output negotiated TLS1.3 group
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25808)
2024-10-30 11:39:29 +00:00
Tomas Mraz
a3660729e6 speed.c: Check block size before running EVP_Cipher_loop()
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/25792)
2024-10-28 15:53:31 -04:00
Tomas Mraz
c60a2b1830 test_speed: Explicitly test the crashing command line on sparc
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/25792)
2024-10-28 15:53:31 -04:00
Matt Caswell
27fa9d33e1 Fix builds on riscv64 using musl
Some environments using musl are reported to have the hwprobe.h include
file but not have the __NR_riscv_hwprobe define.

Fixes #25772

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/25787)
2024-10-28 15:44:44 -04:00
Bernd Edlinger
f30d6ba455 Fix ambiguous output of Signature Algorithms
Signature Algorithms are printed in a SIG+HASH format.
In some cases this is ambiguous like brainpool and RSA-PSS.
And the name of ed25519 and ed448 must be spelled in lower case,
so that the output can be used as a -sigalgs parameter value.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25797)
2024-10-28 05:52:48 +01:00
Dr. David von Oheimb
80026e5d9e check-format-commit.sh: various improvements; check unstaged changes on empty commit range
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25666)
2024-10-26 18:52:57 +02:00
Dr. David von Oheimb
380ea5974c check-format-commit.sh: make awk patterns more robust for MacOS and certain flavors of Linux
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25666)
2024-10-26 18:52:57 +02:00
dependabot[bot]
06aa41a5f5 Dependabot update
CLA: trivial

(deps): Bump actions/setup-python

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.2.0 to 5.3.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v5.2.0...v5.3.0)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25795)
2024-10-24 17:45:24 +00:00
Dimitri John Ledkov
a08a145d4a github: add fips configuration, with legacy transitions turned off
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25762)
2024-10-24 15:27:43 +02:00
Dimitri John Ledkov
9d70bba135 fips no-des: compile out TDES KAT
FIPS provider correctly supports no-des build time option and doesn't
advertise DES related algorithms. However KAT test for DES is still
attempted to be executed and fails.

This prevents configuring FIPS provider without legacy behaviour as
defined in SP 800-131Arev2. Also see #25761 internal docs.

Fix `enable-fips no-des` build option, and add a daily checker for
"legacy-free" (as much as currently feasible) FIPS configuration.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25762)
2024-10-24 15:27:43 +02:00
Frederik Wedel-Heinen
fc0e79461f tls_common.c: Align the calculation of maximal alignment value
In tls_setup_write_buffer() and tls_setup_read_buffer() the calculation
is different. Make them the same.

Fixes #25746

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25764)
2024-10-24 15:24:52 +02:00
Alexandr Nedvedicky
3d3bb26a13 Do not confuse TAP::Parser by mixing up stderr with stdout.
This avoids false psotivie failures on FreeBSD-CI which
suffers most from this issue.

Fixes #23992

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/25613)
2024-10-23 15:45:57 +02:00
Kurt Roeckx
76783a8286 Dependabot: no longer set an "approval: otc review pending" label
The label doesn't exist anymore.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25706)
2024-10-23 15:21:23 +02:00
Tomas Mraz
c5795689c9 Fix missing sendmmsg/recvmmsg on AIX
This at least fixes the build failures on AIX

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25704)
2024-10-23 15:19:34 +02:00
Dr. David von Oheimb
72d3e9bac4 TRACE: automatically respect disabled categories
by fixing OSSL_trace_begin() to return NULL when given category is not enabled

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25652)
2024-10-23 15:16:37 +02:00
Niels Dossche
e8d963594f Fix memory leaks in ossl_quic_calculate_retry_integrity_tag()
Fixes #25625

Several error paths return 0 directly instead of going to err to clean
up the objects.

CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25636)
2024-10-23 15:14:08 +02:00
Michael Baentsch
37aa1143c3 Improve documentation about duplicate algorithm registrations
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25624)
2024-10-23 15:10:49 +02:00
Ingo Franzki
f928304a9d s390x: Don't probe crypto cards for ME/CRT offloading during initialization
Probing for crypto cards during initialization by issuing an ioctl to the
zcrypt device driver can cause a lot of traffic and overhead, because it
runs for each and every application that uses OpenSSL, regardless if that
application will later perform ME or CRT operations or not.

Fix this by performing no probing during initialization, but detect the
crypto card availability only at the first ME/CRT operation that is subject
to be offloaded. If the ioctl returns ENODEV, then no suitable crypto
card is available in the system, and we disable further offloading
attempts by setting flag OPENSSL_s390xcex_nodev to 1.

Setting the global flag OPENSSL_s390xcex_nodev in case of ENODEV is
intentionally not made in a thread save manner, because the only thing
that could happen is that another thread, that misses the flag update,
also issues an ioctl and gets ENODEV as well.

The file descriptor is not closed in such error cases, because this could
cause raise conditions where we would close a foreign file if the same
file descriptor got reused by another thread. The file descriptor is finally
closed during termination by the atexit handler.

In case the ioctl returns ENOTTY then this indicates that the file descriptor
was closed (e.g. by a sandbox), but in the meantime the same file descriptor
has been reused for another file. Do not use the file descriptor anymore,
and also do not close it during termination.

Fixes: 79040cf29e

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25576)
2024-10-23 15:07:01 +02:00
Michael Baentsch
e1886edf4b work around oqsprovider out-of-source build bug
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25702)
2024-10-23 11:12:33 +11:00
Michael Baentsch
8bcf488011 Updated oqsprovider to v0.7.0
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25702)
2024-10-23 11:12:33 +11:00
Tomas Mraz
36254fda37 Add CHANGES.md and NEWS.md entries for CVE-2024-9143
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/25734)

(cherry picked from commit 233034bc5a)
2024-10-22 10:45:14 +01:00
Tomas Mraz
1f0cb85047 ecdh_cofactor_derive_test(): Skip the test if the curve is not supported
It will not be supported if the fips provider was built with no-ec2m.

Fixes #25729

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25731)
2024-10-21 14:57:20 +01:00
Tomas Mraz
dfc5ba8afa run-checker-merge.yml: Combine no-ec2m with enable-fips
This can reveal more errors than just no-ec2m.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25731)
2024-10-21 14:57:20 +01:00
Dmitry Misharov
e84878a7eb update logo
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25725)
2024-10-21 11:49:25 +01:00
Michael Baentsch
51921b8737 first cut at KEM & key management skeletons
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25640)
2024-10-21 11:47:16 +01:00
Ondrej Moris
00776cba04 ci: re-organize external tests
Signed-off-by: Ondrej Moris <omoris@redhat.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25587)
2024-10-21 11:43:03 +01:00
Ondrej Moris
7832374ffb test: clean-up README-external documentation
Signed-off-by: Ondrej Moris <omoris@redhat.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25587)
2024-10-21 11:43:03 +01:00
Ondrej Moris
e9af1eaa54 test: Add external test for pkcs11-provider
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25587)
2024-10-21 11:43:03 +01:00
Alicja Kario
144b9ebc3e add test coverage for #25298
Add test coverage for issue #25298, clean up the json file so
it uses consistent indentation

Signed-off-by: Alicja Kario <hkario@redhat.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
(Merged from https://github.com/openssl/openssl/pull/25329)
2024-10-21 11:40:16 +01:00
Alicja Kario
bb221d3607 update tlsfuzzer to new version
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
(Merged from https://github.com/openssl/openssl/pull/25329)
2024-10-21 11:40:16 +01:00
Neil Horman
5b29c71aa4 updating comments in test recipie
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25297)
2024-10-21 11:34:35 +01:00
Neil Horman
5dffe6afb0 updating docs to reflect security risks for SSLKEYLOGFILE
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25297)
2024-10-21 11:34:35 +01:00
Neil Horman
6f7273a9b0 Convert keylogging in response to comments
1) Convert failures in keylog setup to trace messages for a warning-like
   mechanism

2) Convert sslkeylogfile_cb to be a flag used to determine making a
   direct call to the internal logging function

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25297)
2024-10-21 11:34:35 +01:00
Neil Horman
a2b5e64907 Fix build break when OPENSSL_NO_SSLKEYLOGFILE is not defined
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25297)
2024-10-21 11:34:35 +01:00
Neil Horman
3992add1b7 Update sslkeylog in response to comments
* instead of keeping an external reference count, just use the
  BIO_up_ref call, and the BIO's callback mechanism to detect the
  final free, for which we set keylog_bio to NULL

* Return an error from SSL_CTX_new_ex if the setup of the keylog file
  fails

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25297)
2024-10-21 11:34:35 +01:00
Neil Horman
8458f873a0 Adding documentation to INSTALL
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25297)
2024-10-21 11:34:35 +01:00