openssl.git
Pauli [Wed, 30 Sep 2020 04:20:14 +0000 (14:20 +1000)]
rsa: add ossl_ prefix to internal rsa_ calls.

The functions being:
    rsa_check_crt_components, rsa_check_key, rsa_check_pminusq_diff,
    rsa_check_prime_factor, rsa_check_prime_factor_range,
    rsa_check_private_exponent, rsa_check_public_exponent,
    rsa_digestinfo_encoding, rsa_fips186_4_gen_prob_primes, rsa_fromdata,
    rsa_get0_all_params, rsa_get0_libctx, rsa_get0_pss_params_30,
    rsa_get_lcm, rsa_mgf_nid2name, rsa_mp_coeff_names, rsa_mp_exp_names,
    rsa_mp_factor_names, rsa_new_with_ctx, rsa_oaeppss_md2nid,
    rsa_oaeppss_nid2name, rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx,
    rsa_padding_add_PKCS1_type_2_with_libctx,
    rsa_padding_add_SSLv23_with_libctx, rsa_padding_check_PKCS1_type_2_TLS,
    rsa_pkey_method, rsa_pss_params_30_copy, rsa_pss_params_30_fromdata,
    rsa_pss_params_30_hashalg, rsa_pss_params_30_is_unrestricted,
    rsa_pss_params_30_maskgenalg, rsa_pss_params_30_maskgenhashalg,
    rsa_pss_params_30_saltlen, rsa_pss_params_30_set_defaults,
    rsa_pss_params_30_set_hashalg, rsa_pss_params_30_set_maskgenalg,
    rsa_pss_params_30_set_maskgenhashalg, rsa_pss_params_30_set_saltlen,
    rsa_pss_params_30_set_trailerfield, rsa_pss_params_30_todata,
    rsa_pss_params_30_trailerfield, rsa_pss_pkey_method, rsa_set0_all_params,
    rsa_sp800_56b_check_keypair, rsa_sp800_56b_check_private,
    rsa_sp800_56b_check_public, rsa_sp800_56b_derive_params_from_pq,
    rsa_sp800_56b_generate_key, rsa_sp800_56b_pairwise_test,
    rsa_sp800_56b_validate_strength, rsa_todata, rsa_validate_pairwise,
    rsa_validate_private and rsa_validate_public.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13040)

Benny Baumann [Thu, 1 Oct 2020 23:06:12 +0000 (01:06 +0200)]
Avoid memory leak of parent on allocation failure for child structure

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13055)

Benny Baumann [Thu, 1 Oct 2020 23:04:06 +0000 (01:04 +0200)]
Use size of target buffer for allocation

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13055)

Dr. David von Oheimb [Mon, 21 Sep 2020 12:14:33 +0000 (14:14 +0200)]
Move CMP CLI test output files to BLDTOP/test-runs/test_cmp_cli/

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12934)

Dr. David von Oheimb [Wed, 23 Sep 2020 16:58:17 +0000 (18:58 +0200)]
Test.pm: Add result_dir and export both result_dir and result_file

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12934)

Dr. Matthias St. Pierre [Thu, 24 Sep 2020 06:11:00 +0000 (08:11 +0200)]
Change CVE link style in CHANGES and NEWS

Replace [collapsed reference links][] for the CVEs by
[shortcut reference links], in order to improve the
readability of the raw markdown text.

Consistently add parentheses around the CVE links at the
end of the CVE descriptions. (The NEWS file already had
the parentheses, in the CHANGES file they were missing.)

[collapsed reference links]:
  https://github.github.com/gfm/#collapsed-reference-link

[shortcut reference links]:
  https://github.github.com/gfm/#shortcut-reference-link

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12967)

Dr. Matthias St. Pierre [Thu, 24 Sep 2020 05:58:52 +0000 (07:58 +0200)]
Update CHANGES and NEWS for 1.1.1h release

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12967)

Pauli [Wed, 30 Sep 2020 05:07:24 +0000 (15:07 +1000)]
ffc: add _ossl to exported but internal functions

The functions updated are:
    ffc_generate_private_key, ffc_named_group_from_uid,
    ffc_named_group_to_uid, ffc_params_FIPS186_2_gen_verify,
    ffc_params_FIPS186_2_generate, ffc_params_FIPS186_2_validate,
    ffc_params_FIPS186_4_gen_verify, ffc_params_FIPS186_4_generate,
    ffc_params_FIPS186_4_validate, ffc_params_cleanup, ffc_params_cmp,
    ffc_params_copy, ffc_params_enable_flags, ffc_params_flags_from_name,
    ffc_params_flags_to_name, ffc_params_fromdata,
    ffc_params_get0_pqg, ffc_params_get_validate_params,
    ffc_params_init, ffc_params_print, ffc_params_set0_j,
    ffc_params_set0_pqg, ffc_params_set_flags, ffc_params_set_gindex,
    ffc_params_set_h, ffc_params_set_pcounter, ffc_params_set_seed,
    ffc_params_set_validate_params, ffc_params_simple_validate,
    ffc_params_todata, ffc_params_validate_unverifiable_g, ffc_set_digest,
    ffc_set_group_pqg, ffc_validate_private_key, ffc_validate_public_key
    and ffc_validate_public_key_partial.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13041)

Pauli [Wed, 30 Sep 2020 10:01:02 +0000 (20:01 +1000)]
doc: remove duplicated code in example

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13048)

Dmitry Belyavskiy [Fri, 22 Feb 2019 15:36:00 +0000 (18:36 +0300)]
Some OIDs used in Russian X.509 certificates.

OBJ_OGRNIP denotes a specific legal status of the certificate owner.
OBJ_classSignTool* denotes a level of certification of the software
that created the certificate.

http://www.garant.ru/products/ipo/prime/doc/70033464/ is the relevant
link (in Russian).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8309)

Richard Levitte [Wed, 30 Sep 2020 16:01:06 +0000 (18:01 +0200)]
APPS: Reduce deprecation warning suppression - ENGINE

Some of our apps turn off deprecation warnings solely for the sake of
ENGINE, thereby shadowing other deprecations that we should take
better care of.

To solve this, all apps ENGINE functionality is moved to one file,
where deprecation warning suppression is activated, and the same
suppression can then easily be removed in at least some of the apps.
Any remaining suppression that we still need to deal with should
happen as separate efforts.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13044)

Richard Levitte [Fri, 2 Oct 2020 12:21:51 +0000 (14:21 +0200)]
DECODER: Allow precise result type for OSSL_DECODER_CTX_new_by_EVP_PKEY()

There is some data that is very difficult to guess.  For example, DSA
parameters and X9.42 DH parameters look exactly the same, a SEQUENCE
of 3 INTEGER.  Therefore, callers may need the possibility to select
the exact keytype that they expect to get.

This will also allow us to translate d2i_TYPEPrivateKey(),
d2i_TYPEPublicKey() and d2i_TYPEParams() into OSSL_DECODER terms much
more smoothly.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13061)

Richard Levitte [Fri, 2 Oct 2020 11:56:54 +0000 (13:56 +0200)]
DECODER: Handle abstract object data type

The PEM->DER decoder passes the data type of its contents, something
that decoder_process() ignored.

On the other hand, the PEM->DER decoder passed nonsense.

Both issues are fixed here.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13060)

Richard Levitte [Thu, 24 Sep 2020 20:00:16 +0000 (22:00 +0200)]
Configuration: add initial NonStop values in OpenSSL::config

This makes Configure work its automatic config detection, at least for
the simple straightforward cases.

Fixes #12972

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12973)

drgler [Thu, 1 Oct 2020 19:20:33 +0000 (21:20 +0200)]
Ensure that _GNU_SOURCE is defined for NI_MAXHOST and NI_MAXSERV

Since glibc 2.8, these defines like `NI_MAXHOST` are exposed only
if suitable feature test macros are defined, namely: _GNU_SOURCE,
_DEFAULT_SOURCE (since glibc 2.19), or _BSD_SOURCE or _SVID_SOURCE
(before glibc 2.19), see GETNAMEINFO(3).

CLA: trivial
Fixes #13049

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/13054)

Nicola Tuveri [Fri, 2 Oct 2020 00:58:10 +0000 (03:58 +0300)]
Fix segfault on missing provider_query_operation()

A provider without `provider_query_operation()` is admittedly quite
useless, yet technically the base provider functions are not mandatory
according to our documentation.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13058)

Maxim Masiutin [Tue, 29 Sep 2020 15:40:56 +0000 (18:40 +0300)]
TLS AEAD ciphers: more bytes for key_block than needed

Fixes #12007
The key_block length was not written to trace, thus it was not obvious
that extra key_bytes were generated for TLS AEAD.

The problem was that EVP_CIPHER_iv_length was called even for AEAD ciphers
to figure out how many bytes from the key_block were needed for the IV.
The correct way was to take cipher mode (GCM, CCM, etc) into
consideration rather than simply calling the general function
EVP_CIPHER_iv_length.

The new function tls_iv_length_within_key_block takes this into
consideration.

Besides that, the order of addendums was counter-intuitive: MAC length
was second, but it has to be first to correspond to the order given in the RFC.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13035)

Richard Levitte [Wed, 30 Sep 2020 15:22:27 +0000 (17:22 +0200)]
EVP: use evp_pkey_ctx_is_legacy() to find what implementation to use

We've had explicit checks for when to fall back to legacy code for
operations that use an EVP_PKEY.  Unfortunately, the checks were
radically different in different spots, so we refactor that into a
macro that gets used everywhere.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13043)

Dr. David von Oheimb [Mon, 28 Sep 2020 08:31:46 +0000 (10:31 +0200)]
Fix memory leak in req_cb() of x_req.c - handle distinguishing_id also with NO_SM2

Was detected via test_req_distinguishing_id() with config having no-ec but not no-sm2

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13021)

Matt Caswell [Thu, 24 Sep 2020 09:56:03 +0000 (10:56 +0100)]
Fix some things the rename script didn't quite get right

The previous commit ran an automated rename throughout the codebase.
There are a small number of things it didn't quite get right so we fix
those in this commit.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12970)

Matt Caswell [Thu, 24 Sep 2020 09:42:23 +0000 (10:42 +0100)]
Run the withlibctx.pl script

Automatically rename all instances of _with_libctx() to _ex() as per
our coding style.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12970)

Matt Caswell [Tue, 22 Sep 2020 07:16:44 +0000 (08:16 +0100)]
Perl util to do with_libctx renaming

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12970)

Pauli [Wed, 30 Sep 2020 03:59:20 +0000 (13:59 +1000)]
der: _ossl prefix der_oid_ and der_aid_ functions

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13038)

Pauli [Wed, 30 Sep 2020 02:15:12 +0000 (12:15 +1000)]
der: _ossl prefix DER functions

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13038)

Shane Lontis [Sun, 27 Sep 2020 21:46:29 +0000 (07:46 +1000)]
rsa_mp_coeff_names should only have one entry in it for fips mode.

Reported by Tim Hudson

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13011)

Pauli [Tue, 29 Sep 2020 07:40:26 +0000 (17:40 +1000)]
prov: prefix all exposed 'cipher' symbols with ossl_

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13030)

Pauli [Tue, 29 Sep 2020 06:40:58 +0000 (16:40 +1000)]
prov: prefix aes-cbc-cts functions with ossl_

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13030)

Dr. David von Oheimb [Mon, 28 Sep 2020 07:18:01 +0000 (09:18 +0200)]
check-format.pl: Allow nested indentation of labels (not only at line pos 1)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13019)

Dr. David von Oheimb [Mon, 28 Sep 2020 06:18:32 +0000 (08:18 +0200)]
check-format.pl: Extend exceptions for no SPC after trailing ';' in 'for (...;)'

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13019)

Dr. David von Oheimb [Mon, 28 Sep 2020 06:26:31 +0000 (08:26 +0200)]
check-format.pl: Document how to run positive and negative self-tests

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13019)

Dr. David von Oheimb [Tue, 29 Sep 2020 08:33:22 +0000 (10:33 +0200)]
EC_GROUP_new_by_curve_name_with_libctx(): Add name of unknown group to error output

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13023)

Dr. David von Oheimb [Mon, 28 Sep 2020 14:14:14 +0000 (16:14 +0200)]
Prune low-level ASN.1 parse errors from error queue in der2key_decode() etc.

Also adds error output tests on loading key files with unsupported algorithms to 30-test_evp.t

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13023)

Dr. David von Oheimb [Mon, 28 Sep 2020 17:44:49 +0000 (19:44 +0200)]
25-test_x509.t: Add test for suitable error report loading unsupported sm2 cert

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13023)

Richard Levitte [Tue, 29 Sep 2020 08:31:56 +0000 (10:31 +0200)]
Configure: handle undefined shared_target.

Some very basic config targets don't define the 'shared_target'
attribute at all.  This wasn't handled well enough in Configure.
This also cleans away an explicit reference to the ossltest engine in
Configurations/unix-Makefile.tmpl, which isn't necessary since the
build.info attributes were added.

Fixes openssl/web#197

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13031)

Pauli [Mon, 28 Sep 2020 02:47:04 +0000 (12:47 +1000)]
prov: prefix provider internal functions with ossl_

Also convert the names to lower case.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13014)

Pauli [Mon, 28 Sep 2020 02:28:29 +0000 (12:28 +1000)]
prov: prefix all OSSL_DISPATCH tables names with ossl_

This stops them leaking into other namespaces in a static build.
They remain internal.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13013)

Dr. David von Oheimb [Mon, 28 Sep 2020 08:57:00 +0000 (10:57 +0200)]
30-test_evp.t: On no-dh, no-dsa, no-ec, no-sm2, and no-gost configurations disable respective tests

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13022)

Dr. David von Oheimb [Mon, 28 Sep 2020 12:16:30 +0000 (14:16 +0200)]
appveyor.yml: Clean up minimal configuration, adding no-ec and pruning cascaded no-*

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13022)

Pauli [Sun, 27 Sep 2020 02:47:47 +0000 (12:47 +1000)]
rand: declare get_hardware_random_value() before use.

Introduced by #12923

Fixes #13004

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13005)

Shane Lontis [Sat, 26 Sep 2020 02:41:41 +0000 (12:41 +1000)]
Remove TODO comment from sskdf.c

Fixes #12993

The implementation follows the standards/recommendations specified by https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12999)

Pauli [Fri, 25 Sep 2020 22:37:38 +0000 (08:37 +1000)]
todo: remove fork protection todo comment, it isn't relevant to the FIPS provider

Fixes #12984

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12997)

hklaas [Sat, 26 Sep 2020 09:54:13 +0000 (10:54 +0100)]
optimise ssl3_get_cipher_by_std_name()

Return immediately on matched cipher. Without this patch the code only breaks out of the inner for loop, meaning for a matched TLS13 cipher the code will still loop through 160ish SSL3 ciphers.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13000)

Richard Levitte [Fri, 25 Sep 2020 13:58:02 +0000 (15:58 +0200)]
STORE: Clear a couple of TODOs that were there for the sake of SM2

We now have decoder support for SM2, so the cheats that were in place
for the sake of lacking decoders aren't needed any more.

Fixes #12982

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12986)

Dr. David von Oheimb [Tue, 22 Sep 2020 06:36:22 +0000 (08:36 +0200)]
Implement treatment of id-pkix-ocsp-no-check extension for OCSP_basic_verify()

Fixes #7761

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12947)

Tomas Mraz [Wed, 23 Sep 2020 07:43:43 +0000 (09:43 +0200)]
Generate a certificate with critical id-pkix-ocsp-nocheck extension

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12947)

Dr. David von Oheimb [Tue, 22 Sep 2020 06:31:17 +0000 (08:31 +0200)]
OCSP_resp_find_status.pod: Slightly improve the documentation of various flags

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12947)

Dr. David von Oheimb [Tue, 22 Sep 2020 06:18:31 +0000 (08:18 +0200)]
OCSP_resp_find_status.pod: Replace function arg references B<...> by I<...>

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12947)

Shane Lontis [Fri, 25 Sep 2020 03:50:25 +0000 (13:50 +1000)]
Fix bug in EDDSA speed test

The pkey created in one loop was being fed into the keygen of the next loop - since it was not set to NULL after the
free. This meant that the 2 EVP_MD_CTX objects that still had ref counts to this key were getting confused.

All other tests clear the key after freeing the key if they loop (some do this by declaring/initing the pkey inside the loop).
The offending code is a recent addition to the speed app.
This was found using the -async_jobs option.
Similar code was tried for an RSA key using 111 which resulted in the same issue.

Found while trying to test issue #128867 (It is not known if this will fix that issue yet).

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12975)

jwalch [Thu, 24 Sep 2020 15:43:06 +0000 (11:43 -0400)]
en EVP_PKEY_CTX_set_rsa_keygen_pubexp() BIGNUM management

Fixes #12635

As discussed in the issue, supporting the set0-like semantics long-term is not necessarily desirable, although necessary for short-term compatibility concerns. So I've deprecated the original method and added an equivalent that is explicitly labelled as set1.

I tried to audit existing usages of the (now-deprecated) API and update them to use set1 if that appeared to align with their expectations.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12917)

Shane Lontis [Tue, 22 Sep 2020 01:40:46 +0000 (11:40 +1000)]
Remove openssl provider app

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12943)

Shane Lontis [Tue, 22 Sep 2020 01:02:53 +0000 (11:02 +1000)]
Update openssl list to support new provider objects.

Added Keymanager, signatures, kem, asymciphers and keyexchange.
Added -select option so that specific algorithms are easier to view when using -verbose

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12943)

Shane Lontis [Tue, 22 Sep 2020 00:38:13 +0000 (10:38 +1000)]
Add EVP_ASYM_CIPHER_gettable_ctx_params() and EVP_ASYM_CIPHER_settable_ctx_params()

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12943)

Shane Lontis [Tue, 22 Sep 2020 00:36:50 +0000 (10:36 +1000)]
Add EVP_KEM_gettable_ctx_params() and EVP_KEM_settable_ctx_params()

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12943)

Randall S. Becker [Thu, 24 Sep 2020 13:16:37 +0000 (08:16 -0500)]
Modified rand_cpu_x86.c to support builtin hardware randomizer on HPE NonStop.

CLA: Permission is granted by the author to the OpenSSL team to use these modifications.
Fixes #12903

Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12923)

Matt Caswell [Fri, 18 Sep 2020 11:10:21 +0000 (12:10 +0100)]
Document the provider side SM2 Asymmetric Cipher support

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12913)

Matt Caswell [Fri, 18 Sep 2020 10:57:24 +0000 (11:57 +0100)]
Extend the SM2 asym cipher test

Ensure we test getting and setting ctx params

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12913)

Matt Caswell [Fri, 18 Sep 2020 10:06:34 +0000 (11:06 +0100)]
Remove some dead SM2 code

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12913)

Matt Caswell [Fri, 18 Sep 2020 09:41:58 +0000 (10:41 +0100)]
Clean up some SM2 related TODOs in the tests

Now that we have full SM2 support, we can remove some TODOs from the tests.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12913)

Matt Caswell [Fri, 18 Sep 2020 08:55:16 +0000 (09:55 +0100)]
Move SM2 asymmetric encryption to be available in the default provider

Fixes #12908

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12913)

Richard Levitte [Wed, 23 Sep 2020 14:52:13 +0000 (16:52 +0200)]
Build: Make NonStop shared libraries only export selected symbols

We can now re-enable test/recipes/01-test_symbol_presence.t for NonStop.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12962)

Richard Levitte [Wed, 23 Sep 2020 04:18:06 +0000 (06:18 +0200)]
TEST: Remove use of EVP_PKEY_set_alias_type() in test/evp_extra_test.c

We already test EVP_PKEY_set_alias_type() quite thoroughly in
test/ecdsatest.c, that should be enough.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12920)

Richard Levitte [Fri, 18 Sep 2020 18:46:08 +0000 (20:46 +0200)]
EVP: Enforce that EVP_PKEY_set_alias_type() only works with legacy keys

This also deprecates the function, as it is not necessary any more,
and should fall out of use.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12920)

Richard Levitte [Wed, 23 Sep 2020 15:59:39 +0000 (17:59 +0200)]
Configuration: Don't have shared libraries depend on themselves

The NonStop config attributes mean that there's no separate "simple"
and "full" shared library name, they are the same.  Because we assumed
that they would always differ, we ended up with this dependency:

    libcrypto.so: libcrypto.so

A simple fix was all that was needed to clear that.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12960)

Richard Levitte [Wed, 23 Sep 2020 10:54:56 +0000 (12:54 +0200)]
Configuration: Make it possible to have an argument file

Some compilers / linkers allow arguments to be given in a file instead
of on the command line.  We make it possible to specify this by giving
the compiler / linker flag for it, using the config attribute
'shared_argfileflag'.

This currently only impacts the build of shared libraries, as those
are potentially made up of a massive amount of object files, which has
been reported to overwhelm the command line on some platforms.

Fixes #12797

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12960)

Richard Levitte [Fri, 25 Sep 2020 02:12:22 +0000 (12:12 +1000)]
Hide ECX_KEY again

ECX_KEY was not meant for public consumption, it was only to be
accessed indirectly via EVP routines.  However, we still need internal
access for our decoders.

This partially reverts 7c664b1f1b5f60bf896f5fdea5c08c401c541dfe

Fixes #12880

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12956)

Shane Lontis [Wed, 23 Sep 2020 01:49:38 +0000 (11:49 +1000)]
Add key length check to rsa_kem operation.

This uses similar code used by other rsa related operations.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12955)

Dr. David von Oheimb [Fri, 18 Sep 2020 08:36:15 +0000 (10:36 +0200)]
Test.pm: Some clarifications added to the documentation

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12893)

Dr. David von Oheimb [Thu, 17 Sep 2020 07:55:28 +0000 (09:55 +0200)]
apps/ca.c: Rename confusing variable 'req' to 'template_cert' in certify_cert()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12893)

Dr. David von Oheimb [Wed, 16 Sep 2020 10:52:09 +0000 (12:52 +0200)]
Prune low-level ASN.1 parse errors from error queue in decoder_process()

Fixes #12840

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12893)

Dr. David von Oheimb [Wed, 16 Sep 2020 23:39:00 +0000 (01:39 +0200)]
load_key_certs_crls(): Restore output of fatal errors

Also improve credentials loading diagnostics for many apps.

Fixes #12840

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12893)

6 months ago ACVP: add test case for DRBG
Pauli [Fri, 18 Sep 2020 02:12:33 +0000 (12:12 +1000)]
ACVP: add test case for DRBG

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12905)

6 months ago Use OPENSSL_SYS_TANDEM instead of OPENSSL_SYSNAME_TANDEM
Richard Levitte [Mon, 21 Sep 2020 11:14:26 +0000 (13:14 +0200)]
Use OPENSSL_SYS_TANDEM instead of OPENSSL_SYSNAME_TANDEM

This streamlines with all other config targets, and draws from the
'sys_id' config attribute.

Fixes #12858

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12933)

6 months ago Configure: Show 'enable' and 'disable' config attributes
Richard Levitte [Mon, 21 Sep 2020 11:13:25 +0000 (13:13 +0200)]
Configure: Show 'enable' and 'disable' config attributes

This makes a difference for './Configure HASH' and './Configure TABLE'

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12933)

6 months ago Configuration: Streamline NonStop entries
Richard Levitte [Mon, 21 Sep 2020 11:11:28 +0000 (13:11 +0200)]
Configuration: Streamline NonStop entries

Because there are many combinations and much repetition, we add a large
number of templates to cover all aspects, and make the actual config
entries inherit from the templates combined.

Fixes #12858

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12933)

6 months ago Simplify the tarball generating scripts
Hu Keping [Wed, 9 Sep 2020 16:01:17 +0000 (16:01 +0000)]
Simplify the tarball generating scripts

As discussed in issue #12364 [1], since the format of git archive is
inferred from the output file, it's safe to remove the pipe for gzip.

[1] https://github.com/openssl/openssl/issues/12364

Fixes #12364

Signed-off-by: Hu Keping <hukeping@huawei.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12841)

6 months ago drbg: revert renamings of the generate and reseed counter
Dr. Matthias St. Pierre [Sun, 13 Sep 2020 22:47:26 +0000 (00:47 +0200)]
drbg: revert renamings of the generate and reseed counter

The original names were more intuitive: the generate_counter counts the
number of generate requests, and the reseed_counter counts the number
of reseedings (of the principal DRBG).

    reseed_gen_counter  -> generate_counter
    reseed_prop_counter -> reseed_counter

This is the analogue to commit 8380f453ec81 on the 1.1.1 stable branch.
The only difference is that the second renaming has already been reverted
on the master branch.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12941)

6 months ago Configurations/unix-Makefile.tmpl: make cleanup kinder
Richard Levitte [Mon, 21 Sep 2020 18:56:34 +0000 (20:56 +0200)]
Configurations/unix-Makefile.tmpl: make cleanup kinder

The removal of certain types of files we structured like this:

    -$(RM) `find . {{options}} -print`

This isn't very kind for shells with limited command line lengths
(even when that limit is generous, in our case), so we rewrite those
like this:

    -find . {{options}} -exec $(RM) {} \;

Fixes #12938

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12939)

6 months ago Fix propq in x942kdf
Shane Lontis [Tue, 22 Sep 2020 05:57:19 +0000 (15:57 +1000)]
Fix propq in x942kdf

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12944)

6 months ago Fix missing propq in sm2
Shane Lontis [Tue, 22 Sep 2020 05:56:11 +0000 (15:56 +1000)]
Fix missing propq in sm2

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12944)

6 months ago Fix missing propq in ffc_params_generate
Shane Lontis [Tue, 22 Sep 2020 05:53:58 +0000 (15:53 +1000)]
Fix missing propq in ffc_params_generate

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12944)

6 months ago Fix missing propq in ecdh_cms_set_shared_info()
Shane Lontis [Tue, 22 Sep 2020 05:53:27 +0000 (15:53 +1000)]
Fix missing propq in ecdh_cms_set_shared_info()

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12944)

6 months ago Fix ecx so that it uses a settable propertyquery
Shane Lontis [Tue, 22 Sep 2020 05:51:49 +0000 (15:51 +1000)]
Fix ecx so that it uses a settable propertyquery

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12944)

6 months ago Fix ssl_hmac_new() so that it uses the propq
Shane Lontis [Tue, 22 Sep 2020 05:48:45 +0000 (15:48 +1000)]
Fix ssl_hmac_new() so that it uses the propq

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12944)

6 months ago Fix EVP_KDF_scrypt so that it uses a propq for its fetch.
Shane Lontis [Tue, 22 Sep 2020 05:45:17 +0000 (15:45 +1000)]
Fix EVP_KDF_scrypt so that it uses a propq for its fetch.

The parameter can be set via settable parameter OSSL_KDF_PARAM_PROPERTIES

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12944)

6 months ago Change rsa gen so it can use the propq from OSSL_PKEY_PARAM_RSA_DIGEST
Shane Lontis [Tue, 22 Sep 2020 05:43:32 +0000 (15:43 +1000)]
Change rsa gen so it can use the propq from OSSL_PKEY_PARAM_RSA_DIGEST

rsa_pss_params_30_fromdata() now uses the OSSL_PKEY_PARAM_RSA_DIGEST_PROPS parameter also.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12944)

6 months ago Fix CID 1466709 : Negative value passed to a function that can't be negative in cms_sd.c
Shane Lontis [Mon, 21 Sep 2020 01:42:41 +0000 (11:42 +1000)]
Fix CID 1466709 : Negative value passed to a function that can't be negative in cms_sd.c

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12930)

6 months ago Fix CID 1466710 : Resource leak in ec_kmgmt due to new call to ossl_prov_is_running()
Shane Lontis [Mon, 21 Sep 2020 01:39:04 +0000 (11:39 +1000)]
Fix CID 1466710 : Resource leak in ec_kmgmt due to new call to ossl_prov_is_running()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12930)

6 months ago Fix CID 1466712 : Resource leak in ec_kmgmt due to new call to ossl_prov_is_running()
Shane Lontis [Mon, 21 Sep 2020 01:29:30 +0000 (11:29 +1000)]
Fix CID 1466712 : Resource leak in ec_kmgmt due to new call to ossl_prov_is_running()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12930)

6 months ago Fix CID 1466713 : Dead code in encode_key2text.c
Shane Lontis [Mon, 21 Sep 2020 01:09:10 +0000 (11:09 +1000)]
Fix CID 1466713 : Dead code in encode_key2text.c

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12930)

6 months ago Fix CID 1466714 : Null pointer dereference in EVP_PKEY_CTX_ctrl() due to new call...
Shane Lontis [Mon, 21 Sep 2020 00:59:20 +0000 (10:59 +1000)]
Fix CID 1466714 : Null pointer dereference in EVP_PKEY_CTX_ctrl() due to new call to evp_pkey_ctx_store_cached_data()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12930)

6 months ago Fix CID 1467068 : Null pointer dereference in self_test.c
Shane Lontis [Mon, 21 Sep 2020 00:47:03 +0000 (10:47 +1000)]
Fix CID 1467068 : Null pointer dereference in self_test.c

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12930)

6 months ago rand: add a test case for configuration based random
Pauli [Tue, 22 Sep 2020 05:09:25 +0000 (15:09 +1000)]
rand: add a test case for configuration based random

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12931)

6 months ago list: add capability to print details about the current DRBGs
Pauli [Mon, 21 Sep 2020 23:36:53 +0000 (09:36 +1000)]
list: add capability to print details about the current DRBGs

This allows a user to confirm that the DRBG their configuration specified is
being used.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12931)

6 months ago drbg: gettable parameters for cipher/digest/mac type.
Pauli [Mon, 21 Sep 2020 23:26:23 +0000 (09:26 +1000)]
drbg: gettable parameters for cipher/digest/mac type.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12931)

6 months ago kdf/mac: add name query calls for KDFs and MACs
Pauli [Mon, 21 Sep 2020 23:25:35 +0000 (09:25 +1000)]
kdf/mac: add name query calls for KDFs and MACs

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12931)

6 months ago evp_rand: fix bug in gettable_ctx/settable_ctx calls
Pauli [Mon, 21 Sep 2020 22:29:58 +0000 (08:29 +1000)]
evp_rand: fix bug in gettable_ctx/settable_ctx calls

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12931)

6 months ago Add a "random" configuration section.
Pauli [Mon, 21 Sep 2020 06:07:34 +0000 (16:07 +1000)]
Add a "random" configuration section.

This permits the default trio of DRBGs to have their type and parameters set
using configuration.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12931)

6 months ago DOC: remove OPENSSL_CTX from OSSL_DECODER_CTX_new
Daniel Bevenius [Mon, 21 Sep 2020 13:48:55 +0000 (15:48 +0200)]
DOC: remove OPENSSL_CTX from OSSL_DECODER_CTX_new

This commit changes the man page for OSSL_DECODER_CTX_new by removing
the OPENSSL_CTX parameter which matches the declaration in decoder.h.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12935)

6 months ago rand: reference count the EVP_RAND contexts.
Pauli [Wed, 16 Sep 2020 01:10:01 +0000 (11:10 +1000)]
rand: reference count the EVP_RAND contexts.

This is required before the RAND/DRBG framework can be made user mutable.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12904)

6 months ago Add auto-gen SM2 der files into .gitignore
Paul Yang [Fri, 18 Sep 2020 02:27:42 +0000 (10:27 +0800)]
Add auto-gen SM2 der files into .gitignore

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12536)