65 min ago PROV: Make the DER to KEY deserializer decode parameters too master
Richard Levitte [Sun, 2 Aug 2020 11:12:54 +0000 (13:12 +0200)]
PROV: Make the DER to KEY deserializer decode parameters too

It should be noted that this may be dodgy if we ever encounter
parameter objects that look like something else.  However, experience
with the OSSL_STORE 'file:' loader, which does exactly this kind of
thing, has worked fine so far.

A possibility could be that to decode parameters specifically, we
demand that there's an incoming data type specifying this, which
demands by extension that parameters can only come from a file format
that has the parameter type encoded, such as PEM.  This would be a
future effort.

Fixes #12568

Reviewed-by: Paul Dale <>
(Merged from

3 hours ago Coverity Fixes for issue #12531
Norman Ashley [Tue, 4 Aug 2020 02:34:22 +0000 (12:34 +1000)]
Coverity Fixes for issue #12531

Fixes #12531 on master branch.

Reviewed-by: Matt Caswell <>
Reviewed-by: Shane Lontis <>
(Merged from

3 hours ago Change the provider implementation of X942kdf to use wpacket to do der encoding of...
Shane Lontis [Tue, 4 Aug 2020 02:18:51 +0000 (12:18 +1000)]
Change the provider implementation of X942kdf to use wpacket to do der encoding of sharedInfo

Added der_writer functions for writing octet string primitives.
Generate OIDs for key wrapping algorithms used by X942 KDF.

Reviewed-by: Matt Caswell <>
(Merged from

14 hours ago Add entry for SSL_set1_host()/SSL_add1_host() taking IP literals
David Woodhouse [Tue, 19 May 2020 10:51:14 +0000 (11:51 +0100)]
Add entry for SSL_set1_host()/SSL_add1_host() taking IP literals

Reviewed-by: Viktor Dukhovni <>
Reviewed-by: Tomas Mraz <>
(Merged from

14 hours ago Disallow setting more than one IP address with SSL_add1_host()
David Woodhouse [Mon, 11 May 2020 18:28:03 +0000 (19:28 +0100)]
Disallow setting more than one IP address with SSL_add1_host()

The X509_VERIFY_PARAM can only take a single IP address, although it can
have multiple hostnames. When SSL_add1_host() is given an IP address,
don't accept it if there is already one configured.

Reviewed-by: Viktor Dukhovni <>
Reviewed-by: Tomas Mraz <>
(Merged from

14 hours ago Fix certificate validation for IPv6 literals in sconnect demo
David Woodhouse [Thu, 20 Jun 2019 20:39:38 +0000 (21:39 +0100)]
Fix certificate validation for IPv6 literals in sconnect demo

Instead of naïvely trying to truncate at the first colon, use
BIO_get_conn_hostname(). That handles IPv6 literals correctly, even
stripping the [] from around them.

Reviewed-by: Viktor Dukhovni <>
Reviewed-by: Tomas Mraz <>
(Merged from
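
The commit above replaces the demo's first-colon truncation with BIO_get_conn_hostname(). The following stand-alone C example (added here, not OpenSSL's own code) reimplements the two approaches side by side so the failure on a bracketed IPv6 literal is visible: the naive splitter hands "[2001" to hostname verification, while the bracket-aware splitter returns the literal without its brackets. The input strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Naive splitter: truncate at the first ':'.  Kept only to show the bug. */
static void naive_split(const char *in, char *host, size_t hostlen)
{
    const char *colon = strchr(in, ':');
    size_t n = colon != NULL ? (size_t)(colon - in) : strlen(in);

    if (n >= hostlen)
        n = hostlen - 1;
    memcpy(host, in, n);
    host[n] = '\0';
}

/*
 * Bracket-aware splitter.  Returns 1 on success, 0 if the input is malformed
 * (unterminated '[', empty host, junk after ']', or buffers too small).
 *   "[2001:db8::1]:443" -> host "2001:db8::1", port "443"
 *   "example.com:443"   -> host "example.com", port "443"
 *   "2001:db8::1"       -> host "2001:db8::1", port ""  (bare v6, no port)
 */
static int split_host_port(const char *in, char *host, size_t hostlen,
                           char *port, size_t portlen)
{
    const char *hstart = in, *hend, *pstart = NULL;

    if (in[0] == '[') {
        const char *close = strchr(in, ']');

        if (close == NULL || close == in + 1)
            return 0;                   /* unterminated or empty literal */
        hstart = in + 1;
        hend = close;
        if (close[1] == ':')
            pstart = close + 2;
        else if (close[1] != '\0')
            return 0;                   /* junk after ']' */
    } else {
        const char *first = strchr(in, ':');
        const char *last = strrchr(in, ':');

        if (first == NULL) {
            hend = in + strlen(in);     /* no port at all */
        } else if (first == last) {
            hend = first;               /* exactly one colon: host:port */
            pstart = first + 1;
        } else {
            hend = in + strlen(in);     /* several colons: bare IPv6 literal */
        }
    }
    if (hend == hstart || (size_t)(hend - hstart) >= hostlen)
        return 0;
    memcpy(host, hstart, (size_t)(hend - hstart));
    host[hend - hstart] = '\0';

    if (pstart == NULL) {
        port[0] = '\0';
    } else {
        if (strlen(pstart) >= portlen)
            return 0;
        memcpy(port, pstart, strlen(pstart) + 1);
    }
    return 1;
}

/* Helpers returning 1 when the splitters produce the expected pieces. */
static int correct_gives(const char *in, const char *want_host,
                         const char *want_port)
{
    char host[64], port[8];

    if (!split_host_port(in, host, sizeof(host), port, sizeof(port)))
        return 0;
    return strcmp(host, want_host) == 0 && strcmp(port, want_port) == 0;
}

static int naive_gives(const char *in, const char *want_host)
{
    char host[64];

    naive_split(in, host, sizeof(host));
    return strcmp(host, want_host) == 0;
}

int main(void)
{
    /* Constructed sample inputs; 2001:db8::/32 and 192.0.2.0/24 are documentation ranges. */
    const char *samples[] = { "example.com:443", "192.0.2.1:443",
                              "[2001:db8::1]:443", "2001:db8::1" };
    char host[64], port[8];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        naive_split(samples[i], host, sizeof(host));
        printf("naive   %-18s -> host '%s'\n", samples[i], host);
        if (split_host_port(samples[i], host, sizeof(host), port, sizeof(port)))
            printf("correct %-18s -> host '%s' port '%s'\n", samples[i], host, port);
    }
    return 0;
}
```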

14 hours ago Make SSL_set1_host() and SSL_add1_host() take IP addresses
David Woodhouse [Mon, 14 Oct 2019 09:46:07 +0000 (10:46 +0100)]
Make SSL_set1_host() and SSL_add1_host() take IP addresses

There is a slight mismatch here because X509_VERIFY_PARAM copes only
with a single IP address, and doesn't let it be cleared once it's set.
But this fixes up the major use case, making things easier for users to
get it right.

The sconnect demo now works for Legacy IP literals; for IPv6 it needs to
fix up the way it tries to split the host:port string, which will happen
in a subsequent patch.

Reviewed-by: Viktor Dukhovni <>
Reviewed-by: Tomas Mraz <>
(Merged from

23 hours ago 81-test_cmp_cli.t: Skip tests with mock server if server cannot be started
Dr. David von Oheimb [Mon, 27 Jul 2020 06:50:27 +0000 (08:50 +0200)]
81-test_cmp_cli.t: Skip tests with mock server if server cannot be started

Fixes #12514

Reviewed-by: Paul Dale <>
(Merged from

3 days ago Fix an ENGINE leak in asn1_item_digest_with_libctx
Matt Caswell [Thu, 30 Jul 2020 14:15:05 +0000 (15:15 +0100)]
Fix an ENGINE leak in asn1_item_digest_with_libctx

Commit 6725682d introduced a call to ENGINE_get_digest_engine() into
the function asn1_item_digest_with_libctx() to determine whether there
is an ENGINE registered to handle the specified digest. However that
function increases the ref count on the returned ENGINE object, so it
must be freed.

Fixes #12558

[extended tests]

Reviewed-by: Paul Dale <>
Reviewed-by: Nicola Tuveri <>
(Merged from

3 days ago DESERIALIZER: Small bugfix in the deser_process()
Richard Levitte [Mon, 27 Jul 2020 20:11:53 +0000 (22:11 +0200)]
DESERIALIZER: Small bugfix in the deser_process()

Reviewed-by: Paul Dale <>
(Merged from

3 days ago DESERIALIZER: Make OSSL_DESERIALIZER_from_{bio,fp} use BIO_tell() / BIO_seek()
Richard Levitte [Mon, 27 Jul 2020 20:02:07 +0000 (22:02 +0200)]
DESERIALIZER: Make OSSL_DESERIALIZER_from_{bio,fp} use BIO_tell() / BIO_seek()

Depending on the BIO used, using BIO_reset() may lead to "interesting"
results.  For example, a BIO_f_buffer() on top of another BIO that
handles BIO_reset() as a BIO_seek(bio, 0), the deserialization process
may find itself with a file that's rewound more than expected.

Therefore, OSSL_DESERIALIZER_from_{bio,fp}'s behaviour is changed to
rely purely on BIO_tell() / BIO_seek(), and since BIO_s_mem() is used
internally, it's changed to handle BIO_tell() and BIO_seek() better.

This does currently mean that OSSL_DESERIALIZER can't be easily used
with streams that don't support BIO_tell() / BIO_seek().

Fixes #12541

Reviewed-by: Paul Dale <>
(Merged from

3 days ago DESERIALIZER: Refactor the constructor setting API
Richard Levitte [Mon, 27 Jul 2020 19:51:44 +0000 (21:51 +0200)]
DESERIALIZER: Refactor the constructor setting API

It's not the best idea to set a whole bunch of parameters in one call,
that leads to functions that are hard to update.  Better to re-model
this into several functions made to set one parameter each.

This also renames "finalizer" to "constructor", which was suggested
earlier but got lost at the time.

Reviewed-by: Paul Dale <>
(Merged from

3 days ago TEST: Add testutil tests to compare unterminated strings of different lengths
Richard Levitte [Mon, 27 Jul 2020 16:40:11 +0000 (18:40 +0200)]
TEST: Add testutil tests to compare unterminated strings of different lengths

We use this in test/serdes_test.c, to compare serializations into PEM,
which aren't necessarily terminated with a NUL byte when they were
written to a BIO_s_mem().

Reviewed-by: Paul Dale <>
(Merged from

3 days ago DESERIALIZER: Add deserializers for the rest of our asymmetric key types
Richard Levitte [Mon, 27 Jul 2020 16:40:05 +0000 (18:40 +0200)]
DESERIALIZER: Add deserializers for the rest of our asymmetric key types

To be able to implement this, there was a need for the standard
EVP_PKEY_set1_, EVP_PKEY_get0_ and EVP_PKEY_get1_ functions for
ED25519, ED448, X25519 and X448, as well as the corresponding
EVP_PKEY_assign_ macros.  There was also a need to extend the list of
hard coded names that EVP_PKEY_is_a() recognises.

Along with this, OSSL_FUNC_keymgmt_load() is implemented for all
those key types.

The deserializers for these key types are all implemented generically,
in providers/implementations/serializers/deserializer_der2key.c.

Reviewed-by: Paul Dale <>
(Merged from

3 days ago DESERIALIZER: Make it possible to deserialize public keys too
Richard Levitte [Mon, 27 Jul 2020 16:40:02 +0000 (18:40 +0200)]
DESERIALIZER: Make it possible to deserialize public keys too

Reviewed-by: Paul Dale <>
(Merged from

3 days ago DESERIALIZER: Rethink password handling
Richard Levitte [Mon, 27 Jul 2020 16:39:58 +0000 (18:39 +0200)]
DESERIALIZER: Rethink password handling

The OSSL_DESERIALIZER API makes the incorrect assumption that the
caller must pass cipher and other pass phrase related parameters to the
individual deserializer implementations, when the reality is that
they only need a passphrase callback, and will be able to figure out
the rest themselves from the input they get.

We simplify it further by never passing any explicit passphrase to the
provider implementation, and simply have them call the passphrase
callback unconditionally when they need, leaving it to libcrypto code
to juggle explicit passphrases, cached passphrases and actual
passphrase callback calls.

Reviewed-by: Paul Dale <>
(Merged from

3 days ago RSA: Better synchronisation between ASN1 PSS params and RSA_PSS_PARAMS_30
Richard Levitte [Mon, 27 Jul 2020 16:39:55 +0000 (18:39 +0200)]
RSA: Better synchronisation between ASN1 PSS params and RSA_PSS_PARAMS_30

This is needed so RSA keys created from different code paths have a
chance to compare as equal.

Reviewed-by: Paul Dale <>
(Merged from

4 days ago DER writer: Make context-specific tags constructed (i.e. explicit)
Richard Levitte [Mon, 27 Jul 2020 16:39:51 +0000 (18:39 +0200)]
DER writer: Make context-specific tags constructed (i.e. explicit)

For now, that's what we see being used.  It's possible that we will
have to figure out a way to specify if these should be implicit or
explicit on a case by case basis.

Reviewed-by: Paul Dale <>
(Merged from

4 days ago PROV: Fix small logic error in ec_kmgmt.c matching function
Richard Levitte [Mon, 27 Jul 2020 16:39:44 +0000 (18:39 +0200)]
PROV: Fix small logic error in ec_kmgmt.c matching function

Reviewed-by: Paul Dale <>
(Merged from

4 days ago Add OSSL_CMP_MSG_write(), use it in apps/cmp.c
Dr. David von Oheimb [Sat, 11 Jul 2020 10:26:22 +0000 (12:26 +0200)]
Add OSSL_CMP_MSG_write(), use it in apps/cmp.c

Reviewed-by: Paul Dale <>
(Merged from

4 days ago Export ossl_cmp_msg_load() as OSSL_CMP_MSG_read(), use it in apps/cmp.c
Dr. David von Oheimb [Sat, 11 Jul 2020 09:36:48 +0000 (11:36 +0200)]
Export ossl_cmp_msg_load() as OSSL_CMP_MSG_read(), use it in apps/cmp.c

Fixes #12403

Reviewed-by: Paul Dale <>
(Merged from

4 days ago apps/cmp.c: Improve documentation of -recipient option
Dr. David von Oheimb [Sat, 11 Jul 2020 09:21:06 +0000 (11:21 +0200)]
apps/cmp.c: Improve documentation of -recipient option

Reviewed-by: Paul Dale <>
(Merged from

4 days ago deserialisation: add deserialisation to the base provider
Pauli [Mon, 27 Jul 2020 04:47:59 +0000 (14:47 +1000)]
deserialisation: add deserialisation to the base provider

Reviewed-by: Matt Caswell <>
(Merged from

4 days ago serialisation: Add a built-in base provider.
Pauli [Wed, 10 Jun 2020 23:08:01 +0000 (09:08 +1000)]
serialisation: Add a built-in base provider.

Move the libcrypto serialisation functionality into a place where it can
be provided at some point. The serialisation still remains native in the
default provider.

Add additional code to the list command to display what kind of serialisation
each entry is capable of.

Having the FIPS provider auto load the base provider is a future
(but necessary) enhancement.

Reviewed-by: Matt Caswell <>
(Merged from

4 days ago unify spelling of serialize
Pauli [Wed, 10 Jun 2020 23:42:34 +0000 (09:42 +1000)]
unify spelling of serialize

Reviewed-by: Matt Caswell <>
(Merged from

4 days ago Fix test_cmp_cli for extended tests
Matt Caswell [Wed, 29 Jul 2020 12:58:18 +0000 (13:58 +0100)]
Fix test_cmp_cli for extended tests

The test_cmp_cli was failing in the extended tests on cross-compiled
mingw builds. This was due to the test not using wine when it should do.
The simplest solution is to just skip the test in this case.

[extended tests]

Reviewed-by: Paul Dale <>
(Merged from

4 days ago Don't fallback to legacy in DigestSignInit/DigestVerifyInit too easily
Matt Caswell [Tue, 28 Jul 2020 15:47:03 +0000 (16:47 +0100)]
Don't fallback to legacy in DigestSignInit/DigestVerifyInit too easily

The only reason we should fallback to legacy codepaths in DigestSignInit/
DigestVerifyInit, is if we have an engine, or we have a legacy algorithm
that does not (yet) have a provider based equivalent (e.g. SM2, HMAC, etc).
Currently we were falling back even if we have a suitable key manager but
the export of the key fails. This might be for legitimate reasons (e.g.
we only have the FIPS provider, but we're trying to export a brainpool key).
In those circumstances we don't want to fallback to the legacy code.

Therefore we tighten the checks for falling back to legacy. Eventually this
particular fallback can be removed entirely (once all legacy algorithms have
provider based key managers).

Reviewed-by: Nicola Tuveri <>
Reviewed-by: Paul Dale <>
(Merged from

4 days ago Export crm_new() of cmp_msg.c under the name OSSL_CMP_CTX_setup_CRM()
Dr. David von Oheimb [Sat, 18 Jul 2020 14:59:06 +0000 (16:59 +0200)]
Export crm_new() of cmp_msg.c under the name OSSL_CMP_CTX_setup_CRM()

Reviewed-by: Matt Caswell <>
(Merged from

4 days ago Streamline the CMP request session API, adding the generalized OSSL_CMP_exec_certreq()
Dr. David von Oheimb [Mon, 13 Jul 2020 12:12:02 +0000 (14:12 +0200)]
Streamline the CMP request session API, adding the generalized OSSL_CMP_exec_certreq()

Fixes #12395

Reviewed-by: Matt Caswell <>
(Merged from

5 days ago [test][ectest] Minor touches to custom_generator_test
Nicola Tuveri [Tue, 21 Jul 2020 20:12:59 +0000 (23:12 +0300)]
[test][ectest] Minor touches to custom_generator_test

Minor changes to `custom_generator_test`:

- this is to align to the 1.1.1 version of the test (simplify the code
  as there is no need to use `EC_GROUP_get_field_type()`)
- add comment to explain how the buffer size is computed

Reviewed-by: Matt Caswell <>
Reviewed-by: Paul Dale <>
(Merged from

5 days ago [test] Vertically test explicit EC params API patterns
Nicola Tuveri [Tue, 21 Jul 2020 15:04:38 +0000 (18:04 +0300)]
[test] Vertically test explicit EC params API patterns

This commit adds a new test (run on all the built-in curves) to create
`EC_GROUP` with **unknown** *explicit parameters*: from a built-in group
we create an alternative group from scratch that differs in the
generator used.

At the `EC_GROUP` layer we perform a basic math check to ensure that the
math on the alternative group still makes sense, using comparable
results from the origin group.

We then create two `EC_KEY` objects on top of this alternative group and
run key generation from the `EC_KEY` layer.

Then we promote these two `EC_KEY`s to `EVP_PKEY` objects and try to
run the derive operation at the highest abstraction layer, comparing
results in both directions.

Finally, we create provider-native keys using `EVP_PKEY_fromdata` and
data derived from the previous objects, we compute an equivalent shared
secret from these provider keys, and compare it to the result obtained
from the previous steps.

Reviewed-by: Matt Caswell <>
Reviewed-by: Paul Dale <>
(Merged from

5 days ago namemap: fix threading issue
Pauli [Tue, 28 Jul 2020 01:14:14 +0000 (11:14 +1000)]
namemap: fix threading issue

The locking was too fine grained when adding entries to a namemap.
Refactored the working code into unlocked functions and call these with
appropriate locking.

Reviewed-by: Richard Levitte <>
(Merged from

6 days ago Fix a test_verify failure
Matt Caswell [Tue, 28 Jul 2020 14:28:06 +0000 (15:28 +0100)]
Fix a test_verify failure

A recently added certificate in test/certs expired causing test_verify to fail.
This adds a replacement certificate with a long expiry date.

Reviewed-by: Nicola Tuveri <>
Reviewed-by: Paul Dale <>
(Merged from

6 days ago Deprecate -nodes in favor of -noenc in pkcs12 and req app
Dr. David von Oheimb [Mon, 11 May 2020 13:41:08 +0000 (15:41 +0200)]
Deprecate -nodes in favor of -noenc in pkcs12 and req app

Reviewed-by: Dmitry Belyavskiy <>
Reviewed-by: Shane Lontis <>
(Merged from

7 days ago TEST: Add RSA-PSS cases in test/serdes_test.c
Richard Levitte [Mon, 20 Jul 2020 14:14:40 +0000 (16:14 +0200)]
TEST: Add RSA-PSS cases in test/serdes_test.c

Reviewed-by: Shane Lontis <>
(Merged from

7 days ago PROV: Add a DER to RSA-PSS deserializer implementation
Richard Levitte [Mon, 20 Jul 2020 14:13:18 +0000 (16:13 +0200)]
PROV: Add a DER to RSA-PSS deserializer implementation

Reviewed-by: Shane Lontis <>
(Merged from

7 days ago EVP, PROV: Add misc missing bits for RSA-PSS
Richard Levitte [Mon, 20 Jul 2020 14:09:47 +0000 (16:09 +0200)]
EVP, PROV: Add misc missing bits for RSA-PSS

- EVP_PKEY_is_a() didn't recognise "RSA-PSS" for legacy keys.
- The RSA-PSS keymgmt didn't have a OSSL_FUNC_keymgmt_match() function.
- ossl_prov_prepare_rsa_params() didn't return 1 for unrestricted
  RSA-PSS params.

Reviewed-by: Shane Lontis <>
(Merged from

7 days ago Fix no-ec2m
Matt Caswell [Fri, 24 Jul 2020 11:24:45 +0000 (12:24 +0100)]
Fix no-ec2m

Reviewed-by: Paul Dale <>
(Merged from

8 days ago DER to RSA deserializer: fix inclusion
Richard Levitte [Sun, 26 Jul 2020 08:39:00 +0000 (10:39 +0200)]
DER to RSA deserializer: fix inclusion

Reviewed-by: Tim Hudson <>
(Merged from

8 days ago Fix no-dh and no-dsa
Matt Caswell [Fri, 24 Jul 2020 11:04:00 +0000 (12:04 +0100)]
Fix no-dh and no-dsa

Reviewed-by: Paul Dale <>
(Merged from

10 days ago Update EVP_EncodeInit.pod
Read Hughes [Thu, 23 Jul 2020 14:25:28 +0000 (10:25 -0400)]
Update EVP_EncodeInit.pod

Fix EVP_EncodeBlock description using incorrect parameter name for encoding length

CLA: trivial

Reviewed-by: Matt Caswell <>
Reviewed-by: Dmitry Belyavskiy <>
(Merged from

10 days ago EVP: Fix key type check logic in evp_pkey_cmp_any()
Richard Levitte [Mon, 20 Jul 2020 08:50:04 +0000 (10:50 +0200)]
EVP: Fix key type check logic in evp_pkey_cmp_any()

Reviewed-by: Matt Caswell <>
Reviewed-by: Shane Lontis <>
(Merged from

10 days ago TEST: Update the serialization/deserialization test with legacy PEM encryption
Richard Levitte [Mon, 20 Jul 2020 08:47:59 +0000 (10:47 +0200)]
TEST: Update the serialization/deserialization test with legacy PEM encryption

This adds legacy PEM variants of already existing tests.

Reviewed-by: Matt Caswell <>
Reviewed-by: Shane Lontis <>
(Merged from

10 days ago PROV: Update the PEM to DER deserializer to handle encrypted legacy PEM
Richard Levitte [Mon, 20 Jul 2020 08:46:49 +0000 (10:46 +0200)]
PROV: Update the PEM to DER deserializer to handle encrypted legacy PEM

Reviewed-by: Matt Caswell <>
Reviewed-by: Shane Lontis <>
(Merged from

10 days ago TEST: Update the serialization/deserialization test with encryption
Richard Levitte [Fri, 10 Jul 2020 13:28:05 +0000 (15:28 +0200)]
TEST: Update the serialization/deserialization test with encryption

This adds variants of already existing tests, but where the object
is encrypted / decrypted along the way as well.

Reviewed-by: Matt Caswell <>
Reviewed-by: Shane Lontis <>
(Merged from

10 days ago PROV: Update the DER to RSA deserializer to handle encrypted PKCS#8
Richard Levitte [Fri, 10 Jul 2020 13:25:15 +0000 (15:25 +0200)]
PROV: Update the DER to RSA deserializer to handle encrypted PKCS#8

Reviewed-by: Matt Caswell <>
Reviewed-by: Shane Lontis <>
(Merged from

10 days ago DESERIALIZER: Implement decryption of password protected objects
Richard Levitte [Fri, 10 Jul 2020 13:13:55 +0000 (15:13 +0200)]
DESERIALIZER: Implement decryption of password protected objects

This implements these functions:


To be able to deal with multiple deserializers trying to work on the
same byte array and wanting to decrypt it while doing so, the
deserializer caches the passphrase.  This cache is cleared at the end
of OSSL_DESERIALIZER_from_bio().

Reviewed-by: Matt Caswell <>
Reviewed-by: Shane Lontis <>
(Merged from

10 days ago SERIALIZER: No enc argument for OSSL_SERIALIZER_CTX_set_passphrase_cb()
Richard Levitte [Fri, 10 Jul 2020 13:08:29 +0000 (15:08 +0200)]
SERIALIZER: No enc argument for OSSL_SERIALIZER_CTX_set_passphrase_cb()

Serialization will only encrypt, so there's no point telling
OSSL_SERIALIZER_CTX_set_passphrase_cb() that's going to happen.

We fix the declaration of OSSL_DESERIALIZER_CTX_set_passphrase_cb()
the same way.

Reviewed-by: Matt Caswell <>
Reviewed-by: Shane Lontis <>
(Merged from

10 days ago TEST: Add new serializer and deserializer test
Richard Levitte [Thu, 9 Jul 2020 17:10:39 +0000 (19:10 +0200)]
TEST: Add new serializer and deserializer test

This test revolves around a central function that will first serialize
an EVP_PKEY, then deserialize the result into a new EVP_PKEY and
compare the two.

The following tests are currently implemented:

1.  EVP_PKEY (RSA) -> DER, then DER -> EVP_PKEY (RSA).
2.  EVP_PKEY (RSA) -> PEM, then PEM -> EVP_PKEY (RSA).
    This one exercises deserializer chains, as we know that there is a
    PEM -> DER and a DER -> EVP_PKEY (RSA) deserializer, but no direct
    PEM -> EVP_PKEY (RSA) deserializer.

Additionally, a small fix in test_fail_string_common(), as strcmp()
could run past a buffer if one of the strings isn't terminated with
a null byte within the given length.

Reviewed-by: Matt Caswell <>
Reviewed-by: Shane Lontis <>
(Merged from

10 days ago PROV: Implement PEM to DER deserializer
Richard Levitte [Thu, 9 Jul 2020 17:09:40 +0000 (19:09 +0200)]
PROV: Implement PEM to DER deserializer

Reviewed-by: Matt Caswell <>
Reviewed-by: Shane Lontis <>
(Merged from

10 days ago PROV: Implement DER to RSA deserializer
Richard Levitte [Thu, 9 Jul 2020 17:07:12 +0000 (19:07 +0200)]
PROV: Implement DER to RSA deserializer

Reviewed-by: Matt Caswell <>
Reviewed-by: Shane Lontis <>
(Merged from

10 days ago CORE: Add upcalls for BIO_gets() and BIO_puts()
Richard Levitte [Thu, 9 Jul 2020 16:55:44 +0000 (18:55 +0200)]
CORE: Add upcalls for BIO_gets() and BIO_puts()

Reviewed-by: Matt Caswell <>
Reviewed-by: Shane Lontis <>
(Merged from

10 days ago SERIALIZER: Add functions to deserialize into an EVP_PKEY
Richard Levitte [Wed, 8 Jul 2020 21:19:13 +0000 (23:19 +0200)]
SERIALIZER: Add functions to deserialize into an EVP_PKEY

EVP_PKEY is the fundamental type for provider side code, so we
implement specific support for it, in the form of a special context

This constructor looks up and collects all available KEYMGMT
implementations, and then uses those names to collect deserializer
implementations, as described in the previous commit.

Reviewed-by: Matt Caswell <>
Reviewed-by: Shane Lontis <>
(Merged from

10 days ago DESERIALIZER: Add foundation for deserializers
Richard Levitte [Wed, 8 Jul 2020 21:04:08 +0000 (23:04 +0200)]
DESERIALIZER: Add foundation for deserializers

This adds a method OSSL_DESERIALIZER, a deserializer context and basic
support to use a set of serializers to get a desired type of data, as
well as deserializer chains.

The idea is that the caller can call OSSL_DESERIALIZER_CTX_add_serializer()
to set up the set of desired results, and to add possible chains, call
OSSL_DESERIALIZER_CTX_add_extra().  All these deserializers are pushed
on an internal stack.

The actual deserialization is then performed using functions like
OSSL_DESERIALIZER_from_bio().  When performing deserialization, the
internal stack is walked backwards, keeping track of the deserialized
data and its type along the way, until the data can be processed into
the desired type of data.

Reviewed-by: Matt Caswell <>
Reviewed-by: Shane Lontis <>
(Merged from

10 days ago KEYMGMT: Add key loading function OSSL_FUNC_keymgmt_load()
Richard Levitte [Wed, 8 Jul 2020 20:21:18 +0000 (22:21 +0200)]
KEYMGMT: Add key loading function OSSL_FUNC_keymgmt_load()

This function is used to create a keydata for a key that libcrypto
only has a reference to.

This introduces provider references, the contents of which only the
provider knows how to interpret.  Outside of the provider, this is just
an array of bytes.

Reviewed-by: Matt Caswell <>
Reviewed-by: Shane Lontis <>
(Merged from

10 days ago EVP KEYMGMT utils: Make a few more utility functions available
Richard Levitte [Wed, 8 Jul 2020 20:09:32 +0000 (22:09 +0200)]
EVP KEYMGMT utils: Make a few more utility functions available

This makes the following functions available for libcrypto code:

evp_keymgmt_util_try_import()  - callback function
evp_keymgmt_util_assign_pkey() - assigns keymgmt and keydata to an EVP_PKEY
evp_keymgmt_util_make_pkey()   - creates an EVP_PKEY from keymgmt and keydata

Reviewed-by: Matt Caswell <>
Reviewed-by: Shane Lontis <>
(Merged from

10 days ago Add X509 related libctx changes.
Shane Lontis [Fri, 24 Jul 2020 12:53:27 +0000 (22:53 +1000)]
Add X509 related libctx changes.

- In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx().
- Loading via PEM_read_bio_X509() or d2i_X509() should pass in a created cert using X509_new_with_libctx().
- Renamed some XXXX_ex() to XXX_with_libctx() for X509 APIs.
- Removed the extra parameters in check_purpose..
- X509_digest() has been modified so that it expects a const EVP_MD object() and then internally it does the fetch when it needs to (via ASN1_item_digest_with_libctx()).
- Added APIs that set the libctx when they load such as X509_STORE_new_with_libctx() so that the cert chains can be verified.

Reviewed-by: Richard Levitte <>
Reviewed-by: Matt Caswell <>
(Merged from

11 days ago Test RSA oaep in fips mode
Shane Lontis [Thu, 23 Jul 2020 07:40:40 +0000 (17:40 +1000)]
Test RSA oaep in fips mode

Added RSA oaep test that uses the pkeyutl application.
Added an openssl application option to support loading a (fips) provider via the '-config' option.
Added openssl application related environment variable 'OPENSSL_TEST_LIBCTX' (for testing purposes only),
that creates a non default library context.

Reviewed-by: Richard Levitte <>
(Merged from

12 days ago Fix: uninstantiation breaks the RAND_DRBG callback mechanism
Dr. Matthias St. Pierre [Mon, 20 Jul 2020 21:21:37 +0000 (23:21 +0200)]
Fix: uninstantiation breaks the RAND_DRBG callback mechanism

The RAND_DRBG callbacks are wrappers around the EVP_RAND callbacks.
During uninstantiation, the EVP_RAND callbacks got lost while the
RAND_DRBG callbacks remained, because RAND_DRBG_uninstantiate()
calls RAND_DRBG_set(), which recreates the EVP_RAND object.
This was causing drbgtest failures.

This commit fixes the problem by adding code to RAND_DRBG_set() for
saving and restoring the EVP_RAND callbacks.

Reviewed-by: Paul Dale <>
(Merged from

12 days ago test/drbgtest.c: set the correct counter to trigger reseeding
Dr. Matthias St. Pierre [Mon, 13 Jul 2020 00:02:15 +0000 (02:02 +0200)]
test/drbgtest.c: set the correct counter to trigger reseeding

It's the generate counter (drbg->reseed_gen_counter), not the
reseed counter which needs to be raised above the reseed_interval.
This mix-up was partially caused by some recent renamings of DRBG
member variables, but that will be dealt with in a separate commit.

Reviewed-by: Paul Dale <>
(Merged from

12 days ago test/drbgtest.c: Remove error check for large generate requests
Dr. Matthias St. Pierre [Sat, 4 Jul 2020 10:29:14 +0000 (12:29 +0200)]
test/drbgtest.c: Remove error check for large generate requests

The behaviour of RAND_DRBG_generate() has changed. Previously, it
would fail for requests larger than max_request, now it automatically
splits large input into chunks (which was previously done only
by RAND_DRBG_bytes() before calling RAND_DRBG_generate()).

So this test has not only become obsolete, the fact that it succeeded
unexpectedly also caused a buffer overflow that terminated the test.

Reviewed-by: Paul Dale <>
(Merged from

12 days ago Fix DRBG reseed counter condition.
Vitezslav Cizek [Mon, 1 Jun 2020 09:45:09 +0000 (11:45 +0200)]
Fix DRBG reseed counter condition.

The reseed counter condition was broken since a93ba40, where the
initial value was wrongly changed from one to zero.
Commit 8bf3665 fixed the initialization, but also adjusted the check,
so the problem remained.
This change restores original (OpenSSL-fips-2_0-stable) behavior.

Reviewed-by: Paul Dale <>
Reviewed-by: Matthias St. Pierre <>
(Merged from

12 days ago test/drbgtest.c: Fix error check test
Vitezslav Cizek [Thu, 27 Feb 2020 14:37:43 +0000 (15:37 +0100)]
test/drbgtest.c: Fix error check test

The condition in test_error_checks() was inverted, so it succeeded
as long as error_check() failed. Incidentally, error_check() contained
several bugs that assured it always failed, thus giving overall drbg
test success.

Reviewed-by: Paul Dale <>
Reviewed-by: Matthias St. Pierre <>
(Merged from

12 days ago Cleanup fips provider init
Shane Lontis [Tue, 21 Jul 2020 00:51:33 +0000 (10:51 +1000)]
Cleanup fips provider init

Removed dummy evp_test
Changed all algorithm properties to use fips=yes (except for RAND_TEST) (This changes the DRBG and ECX settings)
Removed unused includes.
Added TODO(3.0) for issue(s) that need to be resolved.

Reviewed-by: Matt Caswell <>
(Merged from

12 days ago document the deprecation of the '-public-key-methods' option to list
Pauli [Tue, 21 Jul 2020 07:40:19 +0000 (17:40 +1000)]
document the deprecation of the '-public-key-methods' option to list

Reviewed-by: Richard Levitte <>
(Merged from

12 days ago EVP: deprecate the EVP_X_meth_ functions.
Pauli [Thu, 13 Feb 2020 01:00:57 +0000 (11:00 +1000)]
EVP: deprecate the EVP_X_meth_ functions.

Reviewed-by: Richard Levitte <>
(Merged from

12 days ago engines: fixed to work with EVP_*_meth calls deprecated
Pauli [Wed, 22 Apr 2020 00:38:10 +0000 (10:38 +1000)]
engines: fixed to work with EVP_*_meth calls deprecated

Reviewed-by: Richard Levitte <>
(Merged from

12 days ago evp_test: use correct deallocation for EVP_CIPHER
Pauli [Wed, 22 Apr 2020 00:25:23 +0000 (10:25 +1000)]
evp_test: use correct deallocation for EVP_CIPHER

Reviewed-by: Richard Levitte <>
(Merged from

12 days ago evp_test: use correct deallocation for EVP_MD
Pauli [Wed, 22 Apr 2020 00:24:05 +0000 (10:24 +1000)]
evp_test: use correct deallocation for EVP_MD

Reviewed-by: Richard Levitte <>
(Merged from

12 days ago Specific the engine pointer
gujinqiang [Fri, 17 Jul 2020 09:52:26 +0000 (17:52 +0800)]
Specific the engine pointer

CLA: trivial

I found that when I wanted to use an engine by the option -engine XXX, it didn't work. Checking the code, I guess it missed the engine pointer when calling EVP_CipherInit_ex.

Reviewed-by: Shane Lontis <>
Reviewed-by: Paul Yang <>
Reviewed-by: Dmitry Belyavskiy <>
(Merged from

12 days ago Align documentation with recommendations of Linux Documentation Project
Gustaf Neumann [Fri, 17 Jul 2020 10:31:26 +0000 (12:31 +0200)]
Align documentation with recommendations of Linux Documentation Project

This change applies the recommendation of the Linux Documentation Project
to the documentation files of OpenSSL. Additionally, util/find-doc-nits
was updated accordingly.

The change follows a suggestion of mspncp on
and incorporates the requested changes on the pull request

Reviewed-by: Shane Lontis <>
Reviewed-by: Matthias St. Pierre <>
(Merged from

13 days ago Fix UI method setup, which should be independent of (deprecated) engine use
Dr. David von Oheimb [Sat, 18 Jul 2020 14:09:19 +0000 (16:09 +0200)]
Fix UI method setup, which should be independent of (deprecated) engine use

Reviewed-by: Paul Dale <>
(Merged from

13 days ago 81-test_cmp_cli.t: Avoid using 'tail', 'awk', and the '-s' option of 'lsof'
Dr. David von Oheimb [Tue, 14 Jul 2020 08:38:06 +0000 (10:38 +0200)]
81-test_cmp_cli.t: Avoid using 'tail', 'awk', and the '-s' option of 'lsof'

Reviewed-by: Paul Dale <>
(Merged from

13 days ago Skip test_cmp_cli if 'lsof' or 'kill' command is not available
Dr. David von Oheimb [Sat, 11 Jul 2020 11:20:39 +0000 (13:20 +0200)]
Skip test_cmp_cli if 'lsof' or 'kill' command is not available

Fixes #12324
partly fixes #12378

Reviewed-by: Paul Dale <>
(Merged from

13 days ago Fix provider cipher reinit issue
Shane Lontis [Wed, 22 Jul 2020 00:40:55 +0000 (10:40 +1000)]
Fix provider cipher reinit issue

Fixes #12405
Fixes #12377

Calling Init()/Update() and then Init()/Update() again gave a different result when using the same key and iv.
Cipher modes that were using ctx->num were not resetting this value, this includes OFB, CFB & CTR.
The fix is to reset this value during the ciphers einit() and dinit() methods.
Most ciphers go through a generic method so one line fixes most cases.

Add test for calling EVP_EncryptInit()/EVP_EncryptUpdate() multiple times for all ciphers.
Ciphers should return the same value for both updates.
DES3-WRAP does not since it uses a random in the update.
CCM modes currently also fail on the second update (This also happens in 1_1_1).

Fix memory leak in AES_OCB cipher if EVP_EncryptInit is called multiple times.

Fix AES_SIV cipher dup_ctx and init.
Calling EVP_CIPHER_init multiple times resulted in a memory leak in the siv.
Fixing this leak also showed that the dup ctx was not working for siv mode.
Note: aes_siv_cleanup() cannot be used by aes_siv_dupctx() as it clears data
that is required for the decrypt (e.g. the tag).

Reviewed-by: Tomas Mraz <>
(Merged from

13 days ago Avoid errors with a priori inapplicable protocol bounds
Viktor Dukhovni [Fri, 17 Jul 2020 01:30:43 +0000 (23:30 -0200)]
Avoid errors with a priori inapplicable protocol bounds

The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configuring DTLS-based contexts,
and conversely, silently ignore DTLS protocol version bounds when
configuring TLS-based contexts.  The commands can be repeated to set
bounds of both types.  The same applies with the corresponding
"min_protocol" and "max_protocol" command-line switches, in case some
application uses both TLS and DTLS.

SSL_CTX instances that are created for a fixed protocol version (e.g.
TLSv1_server_method()) also silently ignore version bounds.  Previously,
attempts to apply bounds to these protocol versions would result in an
error.  Now only the "version-flexible" SSL_CTX instances are subject to
limits in configuration files and command-line options.

Expected to resolve #12394

Reviewed-by: Paul Dale <>
GH: #12472

13 days ago DOC: Fix SSL_CTX_set_cert_cb.pod and SSL_CTX_set_client_cert_cb.pod
Richard Levitte [Mon, 20 Jul 2020 15:14:45 +0000 (17:14 +0200)]
DOC: Fix SSL_CTX_set_cert_cb.pod and SSL_CTX_set_client_cert_cb.pod

The 'cert_cb' / 'client_cert_cb' arguments had extra, a bit weird

Reviewed-by: Matt Caswell <>
(Merged from

13 days ago util/find-doc-nits: Relax check of function declarations in name_synopsis()
Richard Levitte [Mon, 20 Jul 2020 15:10:44 +0000 (17:10 +0200)]
util/find-doc-nits: Relax check of function declarations in name_synopsis()

The relaxation allows spaces between function name and argument list,
to allow line breaks like this when there are very long names:

    int (fantastically_long_name_breaks_80char_limit)
        (fantastically_long_name_breaks_80char_limit *something);

This revealed some other intricacies, such as documented internal
structures with function pointers inside, so a check of open
structures was also added, and they are now simply skipped over.

Reviewed-by: Matt Caswell <>
(Merged from

13 days ago PROV: Move bio_prov.c from libcommon.a to libfips.a / libnonfips.a
Richard Levitte [Mon, 20 Jul 2020 07:11:15 +0000 (09:11 +0200)]
PROV: Move bio_prov.c from libcommon.a to libfips.a / libnonfips.a

libcommon.a is FIPS agnostic, while libfips.a and libnonfips.a are
FIPS / non-FIPS specific.  Since bio_prov.c checks FIPS_MODULE, it
belongs to the latter.

Along with this, a bit more instruction commentary is added to

Reviewed-by: Paul Yang <>
(Merged from

13 days ago fixed swapped parameter descriptions for x509
Nihal Jere [Sun, 19 Jul 2020 21:54:07 +0000 (16:54 -0500)]
fixed swapped parameter descriptions for x509

CLA: trivial

Reviewed-by: Shane Lontis <>
Reviewed-by: Dmitry Belyavskiy <>
(Merged from

13 days ago Add ERR_raise() errors to fips OSSL_provider_init and self tests.
Shane Lontis [Tue, 21 Jul 2020 06:30:02 +0000 (16:30 +1000)]
Add ERR_raise() errors to fips OSSL_provider_init and self tests.

As ERR_raise() is set up at this point, returning a range of negative values for errors is not required.
This will need to be revisited if the code ever moves to running from the DEP.
Added a -config option to the fips install so that it can test if a fips module is loadable from configuration.
(The -verify option only uses the generated config, whereas -config uses the normal way of including the generated data via another config file.)
Added more failure tests for the raised errors.

Reviewed-by: Matt Caswell <>
(Merged from

2 weeks ago Fix API rename issue in shim layer that calls EVP_MAC_CTX_set_params
Shane Lontis [Mon, 20 Jul 2020 01:18:24 +0000 (11:18 +1000)]
Fix API rename issue in shim layer that calls EVP_MAC_CTX_set_params

Reviewed-by: Richard Levitte <>
(Merged from

2 weeks ago man3: Drop warning about using security levels higher than 1.
Dimitri John Ledkov [Tue, 14 Jul 2020 16:55:49 +0000 (17:55 +0100)]
man3: Drop warning about using security levels higher than 1.

Today, the majority of web browsers reject communication as allowed by
security level 1. Instead, key sizes and algorithms from security level
2 are required. Thus remove the now obsolete warning against using
security levels higher than 1. For example, Ubuntu compiles OpenSSL
with security level set to 2, and further restricts algorithm versions
available at that security level.

Reviewed-by: Kurt Roeckx <>
Reviewed-by: Ben Kaduk <>
(Merged from

2 weeks Add an entry about it to and to
Dr. David von Oheimb [Thu, 25 Jun 2020 09:55:56 +0000 (11:55 +0200)] Add an entry about it to and to

Reviewed-by: Paul Dale <>
(Merged from

2 weeks Report empty lines only if -s (--sloppy-spc) is not used
Dr. David von Oheimb [Sun, 7 Jun 2020 12:53:20 +0000 (14:53 +0200)] Report empty lines only if -s (--sloppy-spc) is not used

Reviewed-by: Paul Dale <>
(Merged from

2 weeks Add check for essentially empty line at beginning of file
Dr. David von Oheimb [Sun, 7 Jun 2020 12:47:16 +0000 (14:47 +0200)] Add check for essentially empty line at beginning of file

Reviewed-by: Paul Dale <>
(Merged from

2 weeks Add check for multiple essentially empty lines in a row
Dr. David von Oheimb [Sat, 6 Jun 2020 19:14:29 +0000 (21:14 +0200)] Add check for multiple essentially empty lines in a row

Reviewed-by: Paul Dale <>
(Merged from

2 weeks Allow comment start '/*' after opening '(','[','{'
Dr. David von Oheimb [Tue, 7 Apr 2020 12:27:08 +0000 (14:27 +0200)] Allow comment start '/*' after opening '(','[','{'

On this occasion fix uses of the word 'nor'.

Reviewed-by: Paul Dale <>
(Merged from

2 weeks ago Fix linking against non-system zlib on macOS
Jean-Christophe Fillion-Robin [Tue, 23 Jun 2020 06:37:22 +0000 (02:37 -0400)]
Fix linking against non-system zlib on macOS

This commit ensures the -L/path/to/zlib flag associated with ldflags
property set in "Configurations/00-base-templates.conf" (under "BASE_unix")
is inherited when defining "darwin-common" configuration.

CLA: trivial

Reviewed-by: Richard Levitte <>
Reviewed-by: Shane Lontis <>
(Merged from

2 weeks ago Added missing ';' after methods in the synopsis section of pod files
Shane Lontis [Wed, 15 Jul 2020 08:26:35 +0000 (18:26 +1000)]
Added missing ';' after methods in the synopsis section of pod files

Reviewed-by: Tomas Mraz <>
Reviewed-by: Richard Levitte <>
(Merged from

2 weeks ago util/find-doc-nits: relax some SYNOPSIS checks
Richard Levitte [Wed, 15 Jul 2020 06:42:18 +0000 (08:42 +0200)]
util/find-doc-nits: relax some SYNOPSIS checks

-   The check that disallowed space before the argument list in a
    function typedef is tentatively removed, allowing this kind of

    typedef int (fantastically_long_name_breaks_80char_limit)
        (fantastically_long_name_breaks_80char_limit *something);

-   Accept the following style of function signature:

    typedef TYPE (NAME)(args...)

-   Accept space between '#' and 'defined' / 'undef'

-   Accept other spaces than SPC in argument list comma check,
    allowing declaration with line breaks.

Reviewed-by: Tomas Mraz <>
Reviewed-by: Shane Lontis <>
(Merged from

2 weeks ago util/find-doc-nits: read full declarations as one line in name_synopsis()
Richard Levitte [Wed, 15 Jul 2020 06:33:08 +0000 (08:33 +0200)]
util/find-doc-nits: read full declarations as one line in name_synopsis()

name_synopsis was reading physical SYNOPSIS lines.  This changes it to
consider a declaration at a time, so we treat a C declaration that's
been broken up in several lines as one.

This makes it mandatory to end all C declarations in the SYNOPSIS with
a semicolon.  Those can be detected in two ways:

1.  Parsing an individual .pod file outputs this error:

    doc/man3/SOMETHING.pod:1: Can't parse rest of synopsis:

     int SOMETHING_status(SOMETHING *s)
     int SOMETHING_start(SOMETHING *s)

    (declarations not ending with a semicolon (;)?)

2.  Errors like this:

    doc/man3/SOMETHING.pod:1: SOMETHING_status missing from SYNOPSIS
    doc/man3/SOMETHING.pod:1: SOMETHING_start missing from SYNOPSIS

Reviewed-by: Tomas Mraz <>
Reviewed-by: Shane Lontis <>
(Merged from

2 weeks ago Fix typo for SSL_get_peer_certificate()
Richard Levitte [Thu, 16 Jul 2020 17:21:22 +0000 (19:21 +0200)]
Fix typo for SSL_get_peer_certificate()

Reviewed-by: Shane Lontis <>
(Merged from

2 weeks ago Remove util/openssl-update-copyright
Richard Levitte [Thu, 16 Jul 2020 14:17:49 +0000 (16:17 +0200)]
Remove util/openssl-update-copyright

It was useful at the time for a one-time run.  However, since it does
its work based on file modification time stamps, and those are
notoriously untrustable in a git checkout, it ends up being harmful.

There is a replacement in OpenSSL's tools repository, which relies on
git history.

Fixes #12462

Reviewed-by: Tomas Mraz <>
(Merged from

2 weeks ago mac: always pass a non-NULL output size pointer to providers.
Pauli [Thu, 16 Jul 2020 01:15:42 +0000 (11:15 +1000)]
mac: always pass a non-NULL output size pointer to providers.

The backend code varies for the different MACs and sometimes sets the output
length, sometimes checks the return pointer and sometimes neither.

Reviewed-by: Richard Levitte <>
(Merged from

2 weeks ago doc: Fix documentation of EVP_EncryptUpdate().
Pauli [Mon, 13 Jul 2020 22:39:32 +0000 (08:39 +1000)]
doc: Fix documentation of EVP_EncryptUpdate().

The documentation was off by one for the length this function could return.

Reviewed-by: Tomas Mraz <>
(Merged from

2 weeks ago install: add notes about ignored seed sources in the FIPS provider.
Pauli [Wed, 1 Jul 2020 01:09:38 +0000 (11:09 +1000)]
install: add notes about ignored seed sources in the FIPS provider.

Reviewed-by: Tomas Mraz <>
(Merged from

2 weeks ago rand: detect if FIPS approved randomness sources are being used.
Pauli [Tue, 30 Jun 2020 03:15:05 +0000 (13:15 +1000)]
rand: detect if FIPS approved randomness sources are being used.

This boils down to the operating system sources and RDRAND.
All other sources are not available in the FIPS module.

Reviewed-by: Tomas Mraz <>
(Merged from

2 weeks ago Fix trailing whitespace mismatch error when running 02-test_errstr.
Shane Lontis [Wed, 15 Jul 2020 01:49:57 +0000 (11:49 +1000)]
Fix trailing whitespace mismatch error when running 02-test_errstr.

Fixes #12449

On an aix7_ppc32 machine the error was of the form
match 'Previous owner died ' (2147483743) with one of ( 'Previous owner died', 'reason(95)' )
Stripping the trailing whitespace from the system error will address this issue.

Suggested fix by @pauldale.

Reviewed-by: Richard Levitte <>
(Merged from

2 weeks ago 99-test_fuzz.t: Clean up and re-organize such that sub-tests could be split easily
Dr. David von Oheimb [Fri, 3 Jul 2020 12:19:43 +0000 (14:19 +0200)]
99-test_fuzz.t: Clean up and re-organize such that sub-tests could be split easily

Reviewed-by: Richard Levitte <>
(Merged from