Tomas Mraz [Wed, 19 May 2021 12:18:04 +0000 (14:18 +0200)]
Add some basic Windows builds to the Windows CI workflow
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15349)
Jon Spillett [Wed, 19 May 2021 04:52:16 +0000 (14:52 +1000)]
Add a test for PKCS5_PBE_keyivgen()
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14326)
Jon Spillett [Thu, 6 May 2021 05:25:29 +0000 (15:25 +1000)]
Added PKCS5_PBE_keyivgen_ex() to allow PBKDF1 algorithms to be fetched for a specific library context
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14326)
Jon Spillett [Fri, 26 Feb 2021 05:21:47 +0000 (15:21 +1000)]
Add PBKDF1 to the legacy provider
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14326)
Matt Caswell [Thu, 20 May 2021 13:02:12 +0000 (14:02 +0100)]
Remove some perl 5.14 use from rsaz-avx512.pl
The non-destructive substitution syntax (s///r), was introduced in perl
5.14. We need to support 5.10 and above.
Fixes #15378
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15379)
Shane Lontis [Fri, 14 May 2021 03:08:42 +0000 (13:08 +1000)]
Rename the field 'provctx and data' to 'algctx' inside some objects containing
pointers to provider size algorithm contexts.
Fixes #14284
The gettable_ctx_params methods were confusingly passing a 'provctx' and
a provider context which are completely different objects.
Some objects such as EVP_KDF used 'data' while others such as EVP_MD used 'provctx'.
For libcrypto this 'ctx' is an opaque ptr returned when a providers algorithm
implementation creates an internal context using a new_ctx() method.
Hence the new name 'algctx'.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15275)
Pauli [Tue, 18 May 2021 09:03:28 +0000 (19:03 +1000)]
fips: default to running self tests when starting the fips provider
Also add a C++ constructor as per note 7 of IG 9.10 if no DEP is available and
C++ is being used.
Fixes #15322
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15324)
Pauli [Thu, 20 May 2021 22:54:07 +0000 (08:54 +1000)]
doc: update core_thread_start() documentation
It is now passed an arugment to pass to the callback
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15278)
Matt Caswell [Thu, 20 May 2021 10:52:56 +0000 (11:52 +0100)]
Fix a memleak in the FIPS provider
If the DRBG is used within the scope of the FIPS OSSL_provider_init
function then it attempts to register a thread callback via c_thread_start.
However the implementation of c_thread_start assumed that the provider's
provctx was already present. However because OSSL_provider_init is still
running it was actually NULL. This means the thread callback fail to work
correctly and a memory leak resulted.
Instead of having c_thread_start use the provctx as the callback argument
we change the definition of c_thread_start to have an explicit callback
argument to use.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15278)
Pauli [Mon, 17 May 2021 02:59:19 +0000 (12:59 +1000)]
test: fix typo in comment in threadstest.c
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15278)
Pauli [Tue, 18 May 2021 07:54:43 +0000 (17:54 +1000)]
core: condition out more in FIPS builds
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15278)
Pauli [Fri, 14 May 2021 05:41:14 +0000 (15:41 +1000)]
test: add test case to reliably reproduce RAND leak during POST
The FIPS provider leaks a RAND if the POST is run at initialisation time.
This test case reliably reproduces this event.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15278)
Dr. David von Oheimb [Fri, 21 May 2021 07:24:10 +0000 (09:24 +0200)]
80-test_cmp_http: Invert and correct the logic of success vs. failure exit
This makes the logic more intuitive and corrects the interpretation for NonStop.
Fixes #15386
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15402)
Dr. David von Oheimb [Wed, 19 May 2021 17:44:22 +0000 (19:44 +0200)]
apps/cms.c: Correct -sign output and -verify input with -binary
Also add related warnings on irrelevant use of -nodetach and -content options.
Fixes #15347
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15358)
Richard Levitte [Mon, 17 May 2021 21:10:11 +0000 (23:10 +0200)]
Disable loader_attic by default on VMS
The reason is that it currently doesn't build properly, due to the of
pvkfmt.c, causing multiply defined symbols since libcrypto exports
them as well. At the same time, it can't do without that source file,
or it won't have access to certain internal symbols from there.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15320)
Richard Levitte [Mon, 17 May 2021 21:10:02 +0000 (23:10 +0200)]
Make it possible to disable the loader_attic engine
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15320)
Richard Levitte [Fri, 21 May 2021 03:52:01 +0000 (05:52 +0200)]
VMS: Fix run of generic generator programs in descrip.mms.tmpl
For a generic program, always go through the MCR utility.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15397)
Richard Levitte [Wed, 19 May 2021 08:57:48 +0000 (10:57 +0200)]
Configurations/descrip.mms.tmpl: rework the inclusion hacks
Because VMS C has some trouble with recursive inclusion of header
files, we have had to help it out for object files where there is such
an inclusion structure.
Previously, we did so with temporary logical names that were the same
as the first directory in an inclusion, so for example, to enable this
inclusion (found in ssl/ssl_local.h), we created the logical name
"record" when building any of the object files in the ssl/
subdirectories:
#include "record/record.h"
However, there is another way with the VMS C compiler, to selectively
specify extra include directories in Unix form directly to the
compiler. The logic is that from the directory where the source file
to compile is located, the specified inclusion directory merged with
the inclusion string should be able to access to specified header
file.
So for example, when a file in ssl/record/ is compiled, the following
inclusion is found:
#include "../ssl_local.h"
So far so good, VMS C handles it properly. However, the recursive
inclusion of "record/record.h" fails. However, if the compiler is
helped out a little bit, with the following extra qualifier, then it
works:
/INCLUDE="../"
The reason is that the compiler merges "../" and "record/record.h"
into "../record/record.h", which is the correct path to that header
file from the directory of the source file being compiled.
All that remained was to figure out all places where this trouble may
occur, and specify extra Unix formatted inclusion directories to
specify on per object file basis.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15369)
Robbie Harwood [Wed, 19 May 2021 19:15:19 +0000 (15:15 -0400)]
Fix upgrading docs for RSA_private_encrypt/RSA_public_decrypt
Despite the name, these functions manipulate signatures, which means
that their replacements are the EVP_PKEY_sign/EVP_PKEY_verify family.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15359)
Dr. David von Oheimb [Sat, 3 Apr 2021 17:51:36 +0000 (19:51 +0200)]
apps/cms: Simplify handling of encerts; add warning if they are ignored
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14843)
Pauli [Fri, 21 May 2021 05:24:57 +0000 (15:24 +1000)]
configurations: update template makefiles to install documentation images
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15399)
Pauli [Fri, 21 May 2021 05:16:39 +0000 (15:16 +1000)]
configure: build list of image files
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15399)
Pauli [Fri, 21 May 2021 05:16:18 +0000 (15:16 +1000)]
doc: process images when installing
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15399)
Pauli [Fri, 21 May 2021 05:16:03 +0000 (15:16 +1000)]
doc: rereference img locations into subdirectory
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15399)
Pauli [Fri, 21 May 2021 05:14:57 +0000 (15:14 +1000)]
doc: move images into their own subdirectory
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15399)
Pauli [Fri, 21 May 2021 01:19:30 +0000 (11:19 +1000)]
property: convert integers to strings properly.
The int64_t type was converted to int (truncation).
Negative values were not handled at all.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15396)
Richard Levitte [Thu, 20 May 2021 07:42:22 +0000 (09:42 +0200)]
test/params_conversion_test.c: fix the use of strtoumax and strtoimax on VMS
We do this by making them aliases for strtoull and strtoll, since long
long is the current largest integer that have this sort of routine on
VMS.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15366)
Richard Levitte [Thu, 20 May 2021 07:42:12 +0000 (09:42 +0200)]
Include "internal/numbers.h" in test programs using SIZE_MAX
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15366)
Richard Levitte [Thu, 20 May 2021 08:31:21 +0000 (10:31 +0200)]
VMS: don't use app_malloc() in apps/lib/vms_decc_argv.c
The reason being that it would otherwise force test programs to link
with all of libapps.a, which unfortunately causes multiple symbol
definition issues.
The quick and dirty fix is to use OPENSSL_malloc() instead of
app_malloc() in apps/lib/vms_decc_argv.c, and clean up libapps.a
later.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15368)
Dmitry Belyavskiy [Thu, 20 May 2021 14:03:05 +0000 (16:03 +0200)]
Cleanup the peer point formats on regotiation
Fixes #14875
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15383)
Richard Levitte [Thu, 20 May 2021 11:32:28 +0000 (13:32 +0200)]
DOCS: Fixups of the migration guide and the FIPS module manual
The markup needed a few touch-ups
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15377)
Dmitry Belyavskiy [Thu, 20 May 2021 08:59:07 +0000 (10:59 +0200)]
HMAC doesn't work with a default digest
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15371)
Jean-Philippe Boivin [Mon, 17 May 2021 20:38:14 +0000 (16:38 -0400)]
Properly restore XMM registers in ChaCha20's AVX-512(VL) assembly
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15315)
Richard Levitte [Wed, 19 May 2021 16:51:07 +0000 (18:51 +0200)]
PROV: Relegate most of the FIPS provider code to libfips.a
provider/fips/fipsprov.c contains a number of symbols that get used by
anything that's included in libfips.a, at least on Unix.
Unfortunately, there are platforms that do not support resolving
symbols to things that are already included in the end product (module
in this case) being built; they only support resolving symbols with
what comes next in the linking process.
The offending symbols in this case are FIPS_security_check_enabled,
c_thread_start and ossl_fips_intern_provider_init.
We resolve this by placing provider/fips/fipsprov.c in libfips.a along
with everything else there. That takes care of the offending symbols.
What remains is to ensure that there is an entry point in an object
file used directly when linking the module, providers/fips/fips_entry.c
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15370)
Matt Caswell [Tue, 18 May 2021 16:39:56 +0000 (17:39 +0100)]
Cleanup the missing*.txt files
One macro existed that was added since 1.1.1 and was undocumented. This
had been added to missingmacro.txt. This is the wrong approach and so
has been removed from there.
There were some entries in missingcrypto.txt that don't exist as functions
at all. There were also some which were in fact documented.
Additionally 2 entries from missingcrypto.txt have been moved to
missingmacro.txt. These entries existed in 1.1.1 and were undocumented. In
master they have been deprecated and compatibility macros for them
implemented. The replacement functions have been documented.
An entry in missingcrypto111.txt was not in alphabetical order (and was
also) duplicated, but the equivalent entry in missingcrypto.txt was in the
correct place. This has been corrected to make comparisons between the files
easier.
Finally a function has been added to missingcrypto111.txt. This function
did exist in 1.1.1 and was undocumented. Its unclear why this wasn't in
missingcrypto111.txt to start with.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15333)
Tomas Mraz [Tue, 18 May 2021 15:20:49 +0000 (17:20 +0200)]
apps: Cleanup useless bio_open_default() calls for key input
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15331)
Tomas Mraz [Wed, 19 May 2021 07:50:17 +0000 (09:50 +0200)]
FIPS label CI: Save PR number and use it
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15345)
Matt Caswell [Wed, 19 May 2021 10:46:00 +0000 (11:46 +0100)]
Clean up the "fips" option to Configure
Don't die if someone says "fips" instead of "enable-fips"
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15346)
Dr. David von Oheimb [Wed, 19 May 2021 15:20:53 +0000 (17:20 +0200)]
BIO_s_accept.pod: Document port auto-selection feature of BIO_set_accept_port()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15354)
Dr. David von Oheimb [Wed, 19 May 2021 14:12:49 +0000 (16:12 +0200)]
EVP_DigestSignInit.pod: Clarification in EVP_DigestSignFinal() parameter 'sig'
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15354)
Tomas Mraz [Wed, 19 May 2021 16:21:44 +0000 (18:21 +0200)]
Exchange no-siv and no-ec2m between daily and ci workflows
The no-ec2m with ec enabled is much more likely to show
regressions such as #15170 than the no-siv build.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15355)
Tomas Mraz [Wed, 19 May 2021 16:16:21 +0000 (18:16 +0200)]
pem_read_bio_key_legacy: Do not obscure real error if there is one
Fixes #15170
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15355)
Matt Caswell [Thu, 20 May 2021 14:44:10 +0000 (15:44 +0100)]
Add ordinal numbers to the .num files
Now that our next release is expected to be a beta release, "make update"
wants to see ordinal numbers in the .num files.
Run make update to add them.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15384)
Dr. David von Oheimb [Sat, 3 Apr 2021 17:42:39 +0000 (19:42 +0200)]
apps/cms: Clean up order of options in help output and documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15126)
Dr. David von Oheimb [Mon, 12 Apr 2021 17:00:00 +0000 (19:00 +0200)]
APPS: Allow duplicate entries in options list, marking them OPT_DUP
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15126)
Dr. David von Oheimb [Sat, 3 Apr 2021 14:03:21 +0000 (16:03 +0200)]
APPS: Allow non-option parameters appear anywhere in list, marking them OPT_PARAM
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15126)
Dr. David von Oheimb [Fri, 30 Apr 2021 05:30:33 +0000 (07:30 +0200)]
check-format.pl: Rename '*-cmt' options '*-comment'
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15077)
Dr. David von Oheimb [Thu, 29 Apr 2021 20:09:55 +0000 (22:09 +0200)]
check-format.pl: Rename 'one-letter' to 'single-letter', do not report 'l'
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15077)
Dr. David von Oheimb [Thu, 29 Apr 2021 20:02:41 +0000 (22:02 +0200)]
check-format.pl: Allow extra space before end-of-line comments unless -e|--eol-cmt given
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15077)
Dr. David von Oheimb [Thu, 29 Apr 2021 17:43:16 +0000 (19:43 +0200)]
check-format.pl: Replace 'SPC' and 'spc' by 'space' in reports and option names
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15077)
Dr. David von Oheimb [Thu, 29 Apr 2021 07:41:30 +0000 (09:41 +0200)]
check-format.pl: Fix false positive on struct/union/enum in func return type
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15077)
Dr. David von Oheimb [Thu, 29 Apr 2021 06:05:10 +0000 (08:05 +0200)]
check-format.pl: Fix false positive "no SPC before binary '*'" for '!*'
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15077)
Dr. David von Oheimb [Thu, 29 Apr 2021 05:57:36 +0000 (07:57 +0200)]
check-format.pl: Report needless intermediate multiple SPC only on -e or --extra-spc
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15077)
Dr. David von Oheimb [Wed, 28 Apr 2021 19:45:07 +0000 (21:45 +0200)]
check-format.pl: Add check for constant left of comparison operator
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15077)
Richard Levitte [Wed, 19 May 2021 07:43:13 +0000 (09:43 +0200)]
VMS: Copy __DECC_INCLUDE_{PROLOGUE,EPILOGUE}.H to more places
Every inclusion directory related to a library we build need these two
files. That signals to any other module using anything from these
libraries what to expect in terms of case sensitivity as well as how
long symbol names are dealt with.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15341)
Dr. David von Oheimb [Wed, 19 May 2021 07:38:20 +0000 (09:38 +0200)]
util/find-doc-nits: Improve helpstr pattern matching
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15299)
Dr. David von Oheimb [Mon, 17 May 2021 09:04:40 +0000 (11:04 +0200)]
DOC: Fix nits found by new check on SYNOPSIS and OPTIONS consistency
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15299)
Dr. David von Oheimb [Sun, 16 May 2021 13:38:19 +0000 (15:38 +0200)]
find-doc-nits: Check that man1 SYNOPSIS and OPTIONS contain same options
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15299)
Dr. David von Oheimb [Sun, 16 May 2021 10:48:50 +0000 (12:48 +0200)]
find-doc-nits: Add -m option allowing to select on which of man1,man3,man5,man7 to focus on
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15299)
Dr. David von Oheimb [Sun, 16 May 2021 10:12:32 +0000 (12:12 +0200)]
find-doc-nits: Minor improvements of help and diagnostic output
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15299)
Dr. David von Oheimb [Wed, 19 May 2021 08:01:25 +0000 (10:01 +0200)]
CMP test server: move apps/{,lib/}cmp_mock_srv.c and apps/{,include/}cmp_mock_srv.h
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15343)
Dr. David von Oheimb [Wed, 19 May 2021 07:54:11 +0000 (09:54 +0200)]
apps/cmp.c: Move CMP server code portion to separate function
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15343)
Matt Caswell [Thu, 20 May 2021 13:30:39 +0000 (14:30 +0100)]
Prepare for 3.0 beta 1
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 20 May 2021 13:30:20 +0000 (14:30 +0100)]
Prepare for release of 3.0 alpha 17
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 20 May 2021 13:30:19 +0000 (14:30 +0100)]
make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 20 May 2021 13:22:33 +0000 (14:22 +0100)]
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15381)
Richard Levitte [Sat, 15 May 2021 05:45:31 +0000 (07:45 +0200)]
EVP: Modify EVP_PKEY_export() to handle legacy EVP_PKEYs
We use a fake EVP_KEYMGMT import function with the newly modified
EVP_PKEY_ASN1_METHOD export_to function to pass the exported
OSSL_PARAM array directly to the EVP_PKEY_export() callback instead of
exporting to an actual provided key and then getting the OSSL_PARAM
array from there, just to throw away that key again.
Fixes #15290
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15293)
Richard Levitte [Sat, 15 May 2021 05:43:06 +0000 (07:43 +0200)]
Modify EVP_PKEY_ASN1_METHOD's export_to function to take an importer
We previously took an EVP_KEYMGMT pointer, but now found it necessary
to use a different import function in some cases. Since that's the
only thing we use from EVP_KEYMGMT, we might as well pass the import
function directly, allowing for some flexibility in how export_to is
used.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15293)
Richard Levitte [Sat, 15 May 2021 06:14:49 +0000 (08:14 +0200)]
test/evp_extra_test2.c: Try EVP_PKEY_export() with a legacy RSA key
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15293)
Matt Caswell [Thu, 20 May 2021 09:47:47 +0000 (10:47 +0100)]
Refer to the migration guide rather than the wiki in our announcements
We now have a migration guide which should be the definitive source of
information for upgrading from a previous version of OpenSSL.
Fixes #15186
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15373)
Matt Caswell [Mon, 17 May 2021 16:40:56 +0000 (17:40 +0100)]
Create symlinks when installing man pages
In 1.1.1 when installing the man pages we created symlinks to the base
page for all functions described on the page. We need to continue doing
this.
Fixes #14846
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15312)
Pauli [Tue, 18 May 2021 08:45:31 +0000 (18:45 +1000)]
app: add a -store_loaders option to list.
Fixes #15307
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15323)
Richard Levitte [Wed, 19 May 2021 04:07:30 +0000 (06:07 +0200)]
Complete 'no-sock' guards in apps/ocsp.c
Modern compilers complain about variable being set but otherwise not used.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15339)
Matt Caswell [Wed, 12 May 2021 08:44:20 +0000 (09:44 +0100)]
Update documentation for global properties mirroring
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15242)
Matt Caswell [Tue, 11 May 2021 15:50:27 +0000 (16:50 +0100)]
Ensure mirroring of properties works for subsequent updates
If the global properties are updated after a provider with a child libctx
has already started we need to make sure those updates are mirrored in
that child.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15242)
Matt Caswell [Tue, 11 May 2021 15:49:45 +0000 (16:49 +0100)]
Documentation updates for mirroring of global properties
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15242)
Matt Caswell [Tue, 11 May 2021 10:44:43 +0000 (11:44 +0100)]
Test that properties are mirrored as we expect
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15242)
Matt Caswell [Fri, 7 May 2021 16:59:47 +0000 (17:59 +0100)]
Add a callback for providers to know about global properties changes
Where a child libctx is in use it needs to know what the current global
properties are.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15242)
Matt Caswell [Fri, 7 May 2021 16:13:05 +0000 (17:13 +0100)]
Add a test for converting a property list to a string
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15242)
Matt Caswell [Fri, 7 May 2021 15:42:53 +0000 (16:42 +0100)]
Implement the ability to convert a PROPERTY_LIST to a string
We have the ability to parse a string into a PROPERTY_LIST already. Now
we have the ability to go the other way.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15242)
Pauli [Tue, 18 May 2021 10:27:35 +0000 (20:27 +1000)]
todo: remove TODO(3.0) from the sources.
Almost all were notes about wanting to deprecate CTRLs/utility functions.
Fixes #15325
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15328)
Shane Lontis [Mon, 17 May 2021 08:21:19 +0000 (18:21 +1000)]
Test d2i_PrivateKey_bio() does not add errors to stack when decoding a X25519 key sucessfully.
This confirms that another merge has addressed this issue.
Fixes #14996
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15303)
Pauli [Thu, 20 May 2021 03:51:59 +0000 (13:51 +1000)]
Revert "ARM assembly pack: translate bit-sliced AES implementation to AArch64"
This reverts commit
da51566b256e0c0536d5b986e676863b0526bf5e.
Fixes #15321
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15364)
Shane Lontis [Sun, 28 Mar 2021 07:22:40 +0000 (17:22 +1000)]
Add migration guide for 3.0
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14710)
Benjamin Kaduk [Fri, 9 Apr 2021 01:41:46 +0000 (18:41 -0700)]
Update SSL_new_session_ticket() manual for triggered send
Document the recently added functionality.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14817)
Benjamin Kaduk [Fri, 9 Apr 2021 00:09:18 +0000 (17:09 -0700)]
Test new SSL_new_session_ticket() functionality
Now that we can become "in init" directly after the call, test the
various scenarios where explicit SSL_do_handshake() calls can come
into play.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14817)
Benjamin Kaduk [Fri, 2 Apr 2021 17:04:24 +0000 (10:04 -0700)]
Let SSL_new_session_ticket() enter init immediately
The initial implementation always deferred the generation of the
requested ticket(s) until the next application write, but this
is not a great fit for what it actually does, architecturally wise.
A request to send a session ticket means entering back into the
handshake state machine (or "in init", as it's known in the
implementation). The state machine transition is not something that
only occurs at an application-data write, and in general could occur at
any time. The only constraint is that we can't enter "init" while in
the middle of writing application data. In such cases we will need to
wait until the next TLS record boundary to enter the state machine,
as is currently done.
However, there is no reason why we cannot enter the handshake state
machine immediately in SSL_new_session_ticket() if there are no
application writes pending. Doing so provides a cleaner API surface to
the application, as then calling SSL_do_handshake() suffices to drive
the actual ticket generation. In the previous state of affairs a dummy
zero-length SSL_write() would be needed to trigger the ticket
generation, which is a logical mismatch in the type of operation being
performed.
This commit should only change whether SSL_do_handshake() vs zero-length
SSL_write() is needed to immediately generate a ticket after the
SSL_new_session_ticket() call -- the default behavior is still to defer
the actual write until there is other application data to write, unless
the application requests otherwise.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14817)
Dr. David von Oheimb [Thu, 4 Mar 2021 20:18:45 +0000 (21:18 +0100)]
danetest.c: Improve code formatting
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14422)
Dr. David von Oheimb [Thu, 4 Mar 2021 20:18:09 +0000 (21:18 +0100)]
X509_STORE_CTX_get1_issuer(): Simplify code, reducing risk of failure
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14422)
Dr. David von Oheimb [Thu, 4 Mar 2021 20:17:31 +0000 (21:17 +0100)]
X509 build_chain(): Fix two potential memory leaks on issuer variable
This also removes an inadequate guard: if (num == ctx->num_untrusted)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14422)
Dr. David von Oheimb [Thu, 4 Mar 2021 16:35:46 +0000 (17:35 +0100)]
X509 build_chain(): Make the variable 'curr' local to the loop body
This increases readability and maintainability.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14422)
Dr. David von Oheimb [Thu, 4 Mar 2021 09:59:18 +0000 (10:59 +0100)]
X509 build_chain(): Rename variable 'depth' to 'max_depth'
This should increase readability and maintainability.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14422)
Dr. David von Oheimb [Thu, 4 Mar 2021 09:56:27 +0000 (10:56 +0100)]
X509 build_chain(): Restrict scope of 'self_signed' variable
This should increase readability and maintainability.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14422)
Richard Levitte [Tue, 18 May 2021 16:22:57 +0000 (18:22 +0200)]
Make apps/progs.pl not look at apps/progs.c
apps/progs.pl will have apps/progs.c as output, and on some systems,
the output file of a program is locked against reading.
Unfortunately, apps/progs.c is also part of the sources that make up
apps/openssl, so it's necessary to mark that file in a way that makes
progs.pl skip over it.
Fortunately, this is easily done with a special attribute in
apps/build.info and a simple adaptation of apps/progs.pl.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15332)
Richard Levitte [Tue, 18 May 2021 16:21:51 +0000 (18:21 +0200)]
build.info: Make it possible to set attributes on SOURCE / SHARED_SOURCE stmts
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15332)
Tomas Mraz [Tue, 18 May 2021 13:23:04 +0000 (15:23 +0200)]
speed: Document the deficiencies of the command
Fixes #7032
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15330)
Dr. David von Oheimb [Wed, 19 May 2021 13:03:15 +0000 (15:03 +0200)]
80-test_cms.t: Disable new tests for binary input in Windows
This is a quick workaround for #15347.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15351)
Dr. David von Oheimb [Tue, 18 May 2021 09:30:01 +0000 (11:30 +0200)]
apps/list: Remove obsolete -missing-help option
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15329)
Dr. David von Oheimb [Tue, 18 May 2021 09:23:13 +0000 (11:23 +0200)]
find-doc-nits -c: Fix handling in case expected helpstr is not found
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15329)
Dr. David von Oheimb [Tue, 18 May 2021 09:18:26 +0000 (11:18 +0200)]
unix-Makefile.tmpl and ci.yml: Merge cmd-nits into doc-nits
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15329)