openssl.git
6 months agoDon't crash if we fail to find a serializer for the current provider
Matt Caswell [Fri, 6 Mar 2020 18:02:46 +0000 (18:02 +0000)]
Don't crash if we fail to find a serializer for the current provider

The code was assuming that a serializer would always be found - but this
may not be the case.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11271)

6 months agoAES CTR-DRGB: add test for 32-bit counter overflow
Patrick Steuer [Sat, 22 Feb 2020 00:34:20 +0000 (01:34 +0100)]
AES CTR-DRGB: add test for 32-bit counter overflow

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10457)

6 months agoAES CTR-DRGB: performance improvement
Patrick Steuer [Fri, 15 Nov 2019 22:27:09 +0000 (23:27 +0100)]
AES CTR-DRGB: performance improvement

Optimize the the AES-based implementation of the CTR_DRBG
construction, see 10.2.1 in [1].
Due to the optimizations, the code may deviate (more) from the
pseudocode in [1], but it is functional equivalence being decisive
for compliance:

"All DRBG mechanisms and algorithms are described in this document
in pseudocode, which is intended to explain functionality.
The pseudocode is not intended to constrain real-world
implementations." [9 in [1]].

The following optimizations are done:

- Replace multiple plain AES encryptions by a single AES-ECB
  encryption of a corresponding pre-initialized buffer, where
  possible.
  This allows platform-specific AES-ECB support to
  be used and reduces the overhead of multiple EVP calls.

- Replace the generate operation loop (which is a counter
  increment followed by a plain AES encryption) by a
  loop which does a plain AES encryption followed by
  a counter increment. The latter loop is just a description
  of AES-CTR, so we replace it by a single AES-CTR
  encryption.
  This allows for platform-specific AES-CTR support to be used
  and reduces the overhead of multiple EVP calls.
  This change, that is, going from a pre- to a post- counter
  increment, requires the counter in the internal state
  to be kept at "+1" (compared to the pseudocode in [1])
  such that it is in the correct state, when a generate
  operation is called.
  That in turn also requires all other operations to be
  changed from pre- to post-increment to keep functional
  equivalence.

[1] NIST SP 800-90A Revision 1

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10457)

6 months agoDOCS: Use "command" not "tool" or "utility"
Rich Salz [Tue, 18 Feb 2020 16:52:12 +0000 (11:52 -0500)]
DOCS: Use "command" not "tool" or "utility"

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11123)

6 months agoMove OSSL_CMP_X509_digest() to x_all.c, renaming it to X509_digest_sig()
Dr. David von Oheimb [Thu, 5 Mar 2020 08:16:29 +0000 (09:16 +0100)]
Move OSSL_CMP_X509_digest() to x_all.c, renaming it to X509_digest_sig()

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)

6 months agoFix handling of CMP msg senderKID and improve doc of related CTX functions
Dr. David von Oheimb [Wed, 26 Feb 2020 20:41:47 +0000 (21:41 +0100)]
Fix handling of CMP msg senderKID and improve doc of related CTX functions

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)

6 months agoFix error in case CMP msg POPO is not provided in OSSL_CRMF_MSGS_verify_popo()
Dr. David von Oheimb [Tue, 25 Feb 2020 07:58:39 +0000 (08:58 +0100)]
Fix error in case CMP msg POPO is not provided in OSSL_CRMF_MSGS_verify_popo()

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)

6 months agoChunk 8 of CMP contribution to OpenSSL: CMP server and cmp_mock_srv.c for testing
Dr. David von Oheimb [Tue, 10 Mar 2020 09:29:46 +0000 (10:29 +0100)]
Chunk 8 of CMP contribution to OpenSSL: CMP server and cmp_mock_srv.c for testing

Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712).
Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI.
Adds extensive documentation and tests.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)

6 months agoExtract sk_ASN1_UTF8STRING2text() from ts_get_status_text() in ts_rsp_verify.c to...
Dr. David von Oheimb [Thu, 5 Mar 2020 07:43:06 +0000 (08:43 +0100)]
Extract sk_ASN1_UTF8STRING2text() from ts_get_status_text() in ts_rsp_verify.c to asn1_lib.c

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)

6 months agofix coding style nits w.r.t. 'defined' in http_local.h, http.h, and ocsp.h
Dr. David von Oheimb [Tue, 10 Mar 2020 09:40:43 +0000 (10:40 +0100)]
fix coding style nits w.r.t. 'defined' in http_local.h, http.h, and ocsp.h

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)

6 months agofix two mistakes w.r.t. ERR_LIB_* parameters in ERR_add_error_txt()
Dr. David von Oheimb [Tue, 10 Mar 2020 09:39:22 +0000 (10:39 +0100)]
fix two mistakes w.r.t. ERR_LIB_* parameters in ERR_add_error_txt()

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)

6 months agoDOCS: Clean up doc/man3/EVP_DigestInit.pod
Richard Levitte [Sat, 7 Mar 2020 07:00:51 +0000 (08:00 +0100)]
DOCS: Clean up doc/man3/EVP_DigestInit.pod

We touch it, we clean it up!
Accordding to common man-pages(7) guidelines.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11270)

6 months agoDOCS: Add translation information for EVP_MD_CTX_ctrl()
Richard Levitte [Sat, 7 Mar 2020 06:51:27 +0000 (07:51 +0100)]
DOCS: Add translation information for EVP_MD_CTX_ctrl()

EVP_MD_CTX_ctrl() translates some known control commands when faced
with a fetched EVP_MD, so we need to document it.

This also ensures that we don't drop the information on the "micalg"
parameter entirely.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11270)

6 months agoDOCS: Add missing documentation in util/missingcrypto.txt
Richard Levitte [Fri, 6 Mar 2020 13:33:17 +0000 (14:33 +0100)]
DOCS: Add missing documentation in util/missingcrypto.txt

These lines will be taken away as documentation moves from diverse
provider operation interface manuals to implementation specific docs.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11270)

6 months agoDOCS: Move implementation specific docs away from provider-digest(7)
Richard Levitte [Fri, 6 Mar 2020 13:29:00 +0000 (14:29 +0100)]
DOCS: Move implementation specific docs away from provider-digest(7)

The provider- manuals are meant to describe the general interface for
their respective operation.  This is not the place to describe
implementation specific details.

This change creates a number of doc/man7/EVP_MD manuals, one for each
algorithm or set of algorithms, as well as doc/man7/EVP_MD-common.pod
to describe what's common to them all.

While we're at it, correct the SHA3 settable context params array to
match what's actually settable.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11270)

6 months agoDOCS: Start restructuring our provider and implementation documentation
Richard Levitte [Fri, 6 Mar 2020 13:25:42 +0000 (14:25 +0100)]
DOCS: Start restructuring our provider and implementation documentation

This adds doc/man7/OSSL_PROVIDER-default.pod and OSSL_PROVIDER-legacy.pod,
and fills in currently implemented operations and algorithms in them, as
well as in doc/man7/OSSL_PROVIDER-FIPS.pod, with links to documentation to
come.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11270)

6 months agoRenew and extend the tool for checking adherence to C coding style rules
Dr. David von Oheimb [Mon, 9 Mar 2020 10:03:21 +0000 (11:03 +0100)]
Renew and extend the tool for checking adherence to C coding style rules

aims at checking most of https://www.openssl.org/policies/codingstyle.html
and various requirements not yet explicitly stated there - see also #10725

add util/check-format.pl and its self-tests in
util/check-format-test-{positives,negatives}.c
remove util/openssl-format-source

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/10363)

6 months agoDH: add internal dh_get_method()
Richard Levitte [Sat, 29 Feb 2020 07:57:34 +0000 (08:57 +0100)]
DH: add internal dh_get_method()

This should have been publically present a long time ago, to be
consistent with the RSA, DSA and EC_KEY APIs.  However, since we've
now deprecated that kind of function for the other key types, there's
no point in adding a public function, but we still need it internally.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11193)

6 months agoEVP: Check that key methods aren't foreign when exporting
Richard Levitte [Thu, 27 Feb 2020 09:51:45 +0000 (10:51 +0100)]
EVP: Check that key methods aren't foreign when exporting

The EVP_PKEY_ASN1_METHOD function export_to() must check that the key
we're trying to export has a known libcrypto method, i.e. is a built
in RSA_METHOD, DSA_METHOD, etc.  Otherwise, the method may be defined
by the calling application, by an engine, by another library, and we
simply cannot know all the quirks hidden behind that method, if we
have access to the key data, or much anything.

Such keys are simply deemed impossible to export to provider keys,
i.e. have export_to() return 0.  This cascades back to functions like
evp_pkey_export_to_provider() and evp_pkey_upgrade_to_provider() and
their callers.  In most cases, this is fine, but if these get mixed in
with provider side keys in any function, that function will fail.

Fixes #11179
Fixes #9915

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11193)

6 months agoDOCS: Fix documentation on asymmetric keydata types
Richard Levitte [Sat, 7 Mar 2020 07:23:16 +0000 (08:23 +0100)]
DOCS: Fix documentation on asymmetric keydata types

Some type specs didn't correspond to actual use.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11275)

6 months agodocs: fix typo in SSL functions
James Peach [Thu, 5 Mar 2020 07:43:54 +0000 (07:43 +0000)]
docs: fix typo in SSL functions

CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11253)

6 months agoutil/wrap.pl: do not look at EXE_SHELL
Richard Levitte [Thu, 5 Mar 2020 13:14:09 +0000 (14:14 +0100)]
util/wrap.pl: do not look at EXE_SHELL

Acting on EXE_SHELL was a bit over the top, especially in light of
instructions like this (from NOTES.VALGRIND):

    EXE_SHELL="`/bin/pwd`/util/wrap.pl valgrind --error-exitcode=1 --leak-check=full -q"

Fixes #11255

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11258)

6 months agoRemove double fetch of "OSSL_EX_DATA_GLOBAL" for global lock
Davide Galassi [Sun, 23 Feb 2020 09:01:45 +0000 (10:01 +0100)]
Remove double fetch of "OSSL_EX_DATA_GLOBAL" for global lock

Fetch once and just pass the global ex_data to the "get_and_lock" static
function.

Removed a redundant null pointer check within the "get_and_lock" static
function (control already performed by the caller).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11152)

6 months agospkac: Check return values of NETSCAPE_SPKI functions
Vladimir Panteleev [Tue, 3 Mar 2020 18:04:00 +0000 (18:04 +0000)]
spkac: Check return values of NETSCAPE_SPKI functions

Fixes silently producing an invalid SPKAC with non-RSA keys.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11224)

6 months agoDocument the new DigestSign provider functions
Matt Caswell [Thu, 5 Mar 2020 17:16:04 +0000 (17:16 +0000)]
Document the new DigestSign provider functions

As well as the newly added "one shot" functions, we also document a number
of the other other digestsign functions which were missing documentation in
provider-signature.pod.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11261)

6 months agoImplement provider support for Ed25519 annd Ed448
Matt Caswell [Thu, 5 Mar 2020 15:42:13 +0000 (15:42 +0000)]
Implement provider support for Ed25519 annd Ed448

At the moment we only provider support for these algorithms in the default
provider. These algorithms only support "one shot" EVP_DigestSign() and
EVP_DigestVerify() as per the existing libcrypto versions.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11261)

6 months agoAdd provider awareness of EVP_DigestSign() and EVP_DigestVerify()
Matt Caswell [Thu, 5 Mar 2020 15:40:48 +0000 (15:40 +0000)]
Add provider awareness of EVP_DigestSign() and EVP_DigestVerify()

These "one-shot" functions are the only ones supported by Ed25519 and
Ed448, so we need to ensure that libcrypto can handle provider
based implementations of these functions.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11261)

6 months agoAdd Key Management support for EdDSA keys
Matt Caswell [Mon, 17 Feb 2020 16:37:24 +0000 (16:37 +0000)]
Add Key Management support for EdDSA keys

Support added for Ed25519 and Ed448

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11261)

6 months agoRefactor CRMF_poposigningkey_init() to work with provider keys
Richard Levitte [Wed, 19 Feb 2020 06:05:52 +0000 (07:05 +0100)]
Refactor CRMF_poposigningkey_init() to work with provider keys

The code in this function was almost entirely a copy of the
functionality in ASN1_item_sign(), so it gets refactored to actually
call ASN1_item_sign(), and thereby automatically gets support for
EVP_PKEYs with only provider side keys.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11126)

6 months agodoc: slightly reformulate 'openssl(1)/Random State Options' section
Dr. Matthias St. Pierre [Wed, 4 Mar 2020 22:13:24 +0000 (23:13 +0100)]
doc: slightly reformulate 'openssl(1)/Random State Options' section

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11252)

6 months agoImprove small block cipher performance
Kurt Roeckx [Sun, 16 Feb 2020 13:44:06 +0000 (14:44 +0100)]
Improve small block cipher performance

Avoid function calls we don't need to do.

In 1.1.1 we have:
aes-128-cbc     572267.80k   681197.08k   715430.74k   720508.59k   722359.64k   723004.07k

Current master:
aes-128-cbc     460663.70k   631125.66k   701283.58k   719794.52k   724732.59k   726668.63k

new:
aes-128-cbc     582057.64k   684288.62k   715721.90k   724856.15k   717578.24k   727176.53k

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11102)

6 months agoAdd -section option to 'req' command
Rich Salz [Wed, 4 Mar 2020 19:41:53 +0000 (14:41 -0500)]
Add -section option to 'req' command

This removes "req" as the hardwired section for the req command.
Doing this will let us merge some test configs.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11249)

6 months agocmdline app: add provider commandline options.
Pauli [Tue, 25 Feb 2020 04:29:30 +0000 (14:29 +1000)]
cmdline app: add provider commandline options.

Add a -provider option to allow providers to be loaded. This option can be
specified multiple times.

Add a -provider_path option to allow the path to providers to be specified.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11167)

6 months agoman1: make all openssl command line tool documentation generated.
Pauli [Wed, 26 Feb 2020 21:45:31 +0000 (07:45 +1000)]
man1: make all openssl command line tool documentation generated.

With the introduction of provider command line options which are applicable to
almost all of the command line tools, it seemed reasonable to make them all
generated.  This simplifes the .gitignore and avoids having to keep two lists
in sync.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11167)

6 months agoChange DH_get_nid() to set the value of q if it is not already set
Shane Lontis [Fri, 6 Mar 2020 21:47:58 +0000 (07:47 +1000)]
Change DH_get_nid() to set the value of q if it is not already set

Fixes #11108.

It only sets q if a valid named group is found.
The function signature was recently changed to pass a non const DH pointer
in order to allow the nid to be cached internally. As an extension of this
the value of q can now also be set as q is always known for named groups.
The length field is also set if q is set.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11114)

6 months agoClarify the usage of EVP_PKEY_get_raw_[private|public]_key()
Matt Caswell [Thu, 5 Mar 2020 09:21:56 +0000 (09:21 +0000)]
Clarify the usage of EVP_PKEY_get_raw_[private|public]_key()

EVP_PKEY_get_raw_private_key() and EVP_PKEY_get_raw_public_key() expect
the size of the key buffer to be populated in the |*len| parameter on
entry - but the docs made no mention of this.

Fixes #11245

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11254)

6 months agoUse .cnf for config files, not .conf
Rich Salz [Tue, 25 Feb 2020 18:25:13 +0000 (13:25 -0500)]
Use .cnf for config files, not .conf

The default is openssl.cnf  The project seems to prefer xxx.conf these
days, but we should use the default convention.

Rename all foo.conf (except for Configurations) to foo.cnf

Fixes #11174

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11176)

6 months agoRemove unused files
Rich Salz [Tue, 25 Feb 2020 17:03:44 +0000 (12:03 -0500)]
Remove unused files

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11176)

6 months agofix a minor bug of s_client
Roger Ning [Mon, 2 Mar 2020 05:35:02 +0000 (13:35 +0800)]
fix a minor bug of s_client

CLA: trivial

-CAstore's option should be OPT_CASTORE, instead of OPT_CAFILE
correct also -no-CAstore option from OPT_NOCAPATH to OPT_NOCASTORE

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11215)

6 months agoAdd CIFuzz action
Leo Neat [Fri, 21 Feb 2020 00:42:32 +0000 (16:42 -0800)]
Add CIFuzz action

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11140)

6 months agocrypto/ec/curve448/eddsa.c: fix EBCDIC platforms
Patrick Steuer [Tue, 3 Mar 2020 12:29:03 +0000 (13:29 +0100)]
crypto/ec/curve448/eddsa.c: fix EBCDIC platforms

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11229)

6 months agoaes-s390x.pl: fix stg offset caused by typo in perlasm
Patrick Steuer [Tue, 3 Mar 2020 16:40:07 +0000 (17:40 +0100)]
aes-s390x.pl: fix stg offset caused by typo in perlasm

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11234)

6 months ago.github/PULL_REQUEST_TEMPLATE.md: Fix link to contributors guide
Vladimir Panteleev [Mon, 2 Mar 2020 20:36:07 +0000 (20:36 +0000)]
.github/PULL_REQUEST_TEMPLATE.md: Fix link to contributors guide

The file was converted to Markdown and renamed appropriately in
2e07506a12e126894cd820304465162bc0e732b4.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11223)

6 months agoAdd DSA Key validation to default provider
Shane Lontis [Tue, 21 Jan 2020 05:57:25 +0000 (15:57 +1000)]
Add DSA Key validation to default provider

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10912)

6 months agoAdd DH key validation to default provider
Shane Lontis [Tue, 21 Jan 2020 05:45:40 +0000 (15:45 +1000)]
Add DH key validation to default provider

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10911)

6 months agoconfig, Configure: move the check of removed crypto/ sub-systems
Richard Levitte [Mon, 2 Mar 2020 09:50:24 +0000 (10:50 +0100)]
config, Configure: move the check of removed crypto/ sub-systems

The 'config' script checked for a bunch of crypto/ sub-system
directories, and added 'no-' options if they weren't there.

We move it to 'Configure' in an effort to simplify 'config' for
further work.

Note: this is pretty much a historical thing.  In modern OpenSSL, it's
much simpler to edit the SUBDIRS statement in crypto/build.info.
However, it's been claimed the there are those who still remove some
of these sub-system sources.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11217)

6 months ago.travis.yml: where it matters, have build and source nesting levels differ
Richard Levitte [Wed, 26 Feb 2020 13:57:39 +0000 (14:57 +0100)]
.travis.yml: where it matters, have build and source nesting levels differ

Where we build out of source, the source directory was _srcdist and
the build directory was _build.  That gives the same nesting level for
both, which doesn't quite exercise all aspects of relative back
references from build to source tree.

Changing the build tree to be in _build/tree will challenge back
references a bit more, and ensure a bit more that we got it right.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11186)

6 months agoAdd some missing env var documentation
Rich Salz [Wed, 26 Feb 2020 20:25:43 +0000 (15:25 -0500)]
Add some missing env var documentation

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11189)

6 months ago.gitignore: Add /apps/progs.{c,h}
Vladimir Panteleev [Mon, 2 Mar 2020 18:05:03 +0000 (18:05 +0000)]
.gitignore: Add /apps/progs.{c,h}

These files were removed from the source tree in
fe909ee4aeb6eb64f6f31a1544c5d3c81c5fe1f1.

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11222)

6 months agoAdd Serializers for EC
Shane Lontis [Sun, 16 Feb 2020 09:54:08 +0000 (19:54 +1000)]
Add Serializers for EC

Provide EC serializers for text, pem and der.

EC parameters use ANS1 'CHOICE' - which means they are more embedded than other parameters used by
other KEY types (which normally have a SEQUENCE at the top level).
For this reason the ANS1_STRING type that was being passed around has been changed to a void so that the
code can still be shared with EC.

The EC serializer only supports named curves currently.

NOTE the serializer code assumes PKCS8 format - if the older encode methods are needed they will need to be
added in another PR. (Probably when deserialization is considered).

EVP_PKEY_key_fromdata_init was changed from using a keypair selection to all bits of a key. A side effect of this was
that the very restrictive checks in the ecx code needed to be relaxed as it was assuming all selection flags were non
optional. As this is not the case for any other key the code has been modified.

Fixed a bug in legacy_ctrl_str_to_params() - "ecdh_cofactor_mode" was being incorrectly converted to the wrong keyname.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11107)

6 months agoCorrect two small documentation issues
Tomas Mraz [Tue, 3 Mar 2020 14:34:53 +0000 (15:34 +0100)]
Correct two small documentation issues

The find-doc-nits complains about non-zero word and about missing
line before =head1 which causes build failure.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11231)

6 months agoDocumenting newly added CMS modification
Dmitry Belyavskiy [Tue, 21 Jan 2020 12:04:42 +0000 (15:04 +0300)]
Documenting newly added CMS modification

Documented CMS-related API functions.
Documented flags added to openssl-cms command

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10904)

6 months agoImplementation of Russian GOST CMS
Dmitry Belyavskiy [Mon, 20 Jan 2020 15:17:44 +0000 (18:17 +0300)]
Implementation of Russian GOST CMS

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10904)

6 months agodoc: document that 'openssl rand' is cryptographically secure
Dr. Matthias St. Pierre [Sun, 1 Mar 2020 23:25:29 +0000 (00:25 +0100)]
doc: document that 'openssl rand' is cryptographically secure

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11213)

6 months agoFix build with clang assembler
Philippe Antoine [Mon, 2 Mar 2020 12:46:37 +0000 (13:46 +0100)]
Fix build with clang assembler

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11219)

6 months agoAdd pairwise consistency self tests to asym keygenerators
Shane Lontis [Tue, 3 Mar 2020 04:02:36 +0000 (14:02 +1000)]
Add pairwise consistency self tests to asym keygenerators

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10952)

6 months ago.travis.yml: Remove NOUPDATE support
Richard Levitte [Thu, 27 Feb 2020 01:07:50 +0000 (02:07 +0100)]
.travis.yml: Remove NOUPDATE support

It was a temporary measure to deal with the fact that util/progs.pl
didn't work right at all times, but that has now been fixed.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

6 months agoRemove apps/progs.c and apps/progs.h
Richard Levitte [Wed, 26 Feb 2020 13:52:04 +0000 (14:52 +0100)]
Remove apps/progs.c and apps/progs.h

Since they are generated in build time, there's not need to keep them
in the source tree.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

6 months agoConfigure: Diverse cleanups
Richard Levitte [Wed, 26 Feb 2020 13:42:10 +0000 (14:42 +0100)]
Configure: Diverse cleanups

There were some remaining old code and comments that don't serve a
purpose any longer.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

6 months agoBuild: Generate apps/progs.c and apps/progs.h in build time
Richard Levitte [Wed, 26 Feb 2020 13:39:16 +0000 (14:39 +0100)]
Build: Generate apps/progs.c and apps/progs.h in build time

util/progs.pl depends on the build tree (on configdata.pm,
specifically), so it needs to be run from the build tree.  But why
stop there?  We might as well generate apps/progs.c and apps/progs.h
when building.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

6 months agobuild.info: Implement simply substitutions in variable values
Richard Levitte [Wed, 26 Feb 2020 13:35:17 +0000 (14:35 +0100)]
build.info: Implement simply substitutions in variable values

Use case: having a variable with multiple source files in its value,
and wanting to refer to the corresponding object file.

    $SRCS=foo.c bar.c
    SOURCE[program]=$SRCS
    DEPEND[${SRCS/.c/.o}]=prog.h

    GENERATE[prog.h]=...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

6 months agobuild.info: Make it possible to have more than one item in KEYWORD[]
Richard Levitte [Wed, 26 Feb 2020 13:30:38 +0000 (14:30 +0100)]
build.info: Make it possible to have more than one item in KEYWORD[]

So far, the "index" part of KEYWORD[whatever] could only handle one
item.  There are cases, however, where we want to add the exact same
value to multiple items.  This is especially helpful if a variable
that may have multi-item values are used in the "index" part.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

6 months agoPROV: Add a OP_keymgmt_match() function to our DH, DSA, RSA and EC_KEY impl
Richard Levitte [Thu, 6 Feb 2020 08:53:15 +0000 (09:53 +0100)]
PROV: Add a OP_keymgmt_match() function to our DH, DSA, RSA and EC_KEY impl

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)

6 months agoEVP: Add support for copying provided EVP_PKEYs
Richard Levitte [Wed, 5 Feb 2020 15:30:21 +0000 (16:30 +0100)]
EVP: Add support for copying provided EVP_PKEYs

This adds evp_keymgmt_util_copy() and affects EVP_PKEY_copy_parameters()

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)

6 months agoKEYMGMT: Add a keydata copy function
Richard Levitte [Wed, 5 Feb 2020 14:41:58 +0000 (15:41 +0100)]
KEYMGMT: Add a keydata copy function

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)

6 months agoEVP: Add support for comparing provided EVP_PKEYs
Richard Levitte [Wed, 5 Feb 2020 11:55:43 +0000 (12:55 +0100)]
EVP: Add support for comparing provided EVP_PKEYs

This adds evp_keymgmt_util_match() and affects EVP_PKEY_cmp() and
EVP_PKEY_cmp_parameters().

The word 'match' was used for the new routines because many associate
'cmp' with comparison functions that allows sorting, i.e. return -1, 0
or 1 depending on the order in which the two compared elements should
be sorted.  EVP_PKEY_cmp() and EVP_PKEY_cmp_parameters() don't quite
do that.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)

6 months agoKEYMGMT: Add a keydata matching function
Richard Levitte [Wed, 5 Feb 2020 11:53:14 +0000 (12:53 +0100)]
KEYMGMT: Add a keydata matching function

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)

6 months agoEVP: Adapt EVP_PKEY_missing_parameters() for provider keys
Richard Levitte [Wed, 5 Feb 2020 09:18:51 +0000 (10:18 +0100)]
EVP: Adapt EVP_PKEY_missing_parameters() for provider keys

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)

6 months agocrypto/perlasm/x86_64-xlate.pl: detect GNU as to deal with quirks
Richard Levitte [Thu, 27 Feb 2020 05:03:52 +0000 (06:03 +0100)]
crypto/perlasm/x86_64-xlate.pl: detect GNU as to deal with quirks

It turns out that GNU as and Solaris as don't have compatible ideas on
the .section syntax, so we need to check if we're using GNU as or
another assembler and adapt this .section syntax accordingly.

Fixes #11132

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11191)

6 months agoFix drop of const qualifier
André Klitzing [Sat, 29 Feb 2020 22:40:29 +0000 (23:40 +0100)]
Fix drop of const qualifier

The parameter got "const" in 9fdcc21fdc9 but that was not added
to cast. So this throws a -Wcast-qual in user code.

error: cast from 'const DUMMY *' to 'ASN1_VALUE_st *' drops const qualifier [-Werror,-Wcast-qual]

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11210)

6 months agoDOCS: Add and modify docs for internal EVP_KEYMGMT utility functions
Richard Levitte [Mon, 24 Feb 2020 18:15:47 +0000 (19:15 +0100)]
DOCS: Add and modify docs for internal EVP_KEYMGMT utility functions

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11148)

6 months agoDOCS: Add internal docs for EVP_PKEY and the export functions
Richard Levitte [Mon, 24 Feb 2020 13:36:09 +0000 (14:36 +0100)]
DOCS: Add internal docs for EVP_PKEY and the export functions

Functions covered:

- evp_pkey_export_to_provider()
- evp_pkey_upgrade_to_provider()

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11148)

6 months agoEVP: Add evp_pkey_upgrade_to_provider(), for EVP_PKEY upgrades
Richard Levitte [Thu, 20 Feb 2020 21:55:41 +0000 (22:55 +0100)]
EVP: Add evp_pkey_upgrade_to_provider(), for EVP_PKEY upgrades

This function "upgrades" a key from a legacy key container to a
provider side key container.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11148)

6 months agoRethink the EVP_PKEY cache of provider side keys
Richard Levitte [Thu, 20 Feb 2020 19:26:16 +0000 (20:26 +0100)]
Rethink the EVP_PKEY cache of provider side keys

The role of this cache was two-fold:

1.  It was a cache of key copies exported to providers with which an
    operation was initiated.
2.  If the EVP_PKEY didn't have a legacy key, item 0 of the cache was
    the corresponding provider side origin, while the rest was the
    actual cache.

This dual role for item 0 made the code a bit confusing, so we now
make a separate keymgmt / keydata pair outside of that cache, which is
the provider side "origin" key.

A hard rule is that an EVP_PKEY cannot hold a legacy "origin" and a
provider side "origin" at the same time.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11148)

6 months agoman: openssl-ocsp: separate client and server options
Dr. Matthias St. Pierre [Thu, 6 Feb 2020 14:24:07 +0000 (15:24 +0100)]
man: openssl-ocsp: separate client and server options

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11033)

6 months agox509v3 subjectSignTool extention support
Nikolay Morozov [Fri, 14 Feb 2020 10:14:30 +0000 (13:14 +0300)]
x509v3 subjectSignTool extention support

Subject Sign Tool (1.2.643.100.111) The name of the tool used to signs the subject (UTF8String)
This extention is required to obtain the status of a qualified certificate at Russian Federation.
RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5
Russian Federal Law 63 "Digital Sign" is available here:  http://www.consultant.ru/document/cons_doc_LAW_112701/

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11093)

6 months agoFix util/mktar.sh to use the new VERSION information
Richard Levitte [Thu, 27 Feb 2020 00:09:23 +0000 (01:09 +0100)]
Fix util/mktar.sh to use the new VERSION information

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11190)

6 months agoFix comment placement in ecp_nistp256.ci
Scott Arciszewski [Mon, 24 Feb 2020 20:29:12 +0000 (12:29 -0800)]
Fix comment placement in ecp_nistp256.ci

CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11175)

6 months agoDeprecate ASN1_sign(), ASN1_verify() and ASN1_digest()
Richard Levitte [Mon, 24 Feb 2020 21:33:52 +0000 (22:33 +0100)]
Deprecate ASN1_sign(), ASN1_verify() and ASN1_digest()

These are old functions that fell out of use with OpenSL 0.9.7.
It's more than time to deprecate them.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11161)

6 months agoImplement the ECX Serializers
Matt Caswell [Thu, 27 Feb 2020 22:08:59 +0000 (08:08 +1000)]
Implement the ECX Serializers

Provide serializers for X25519 and X448 for text, pem and der. There are
no parameter serializers because there are no parameters for these
algorithms.

Add some documentation about the various import/export types available
Add additional testing for the serializers

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11095)

6 months agoReplace util/shlib_wrap.sh with util/wrap.pl in diverse docs
Richard Levitte [Tue, 18 Feb 2020 07:25:06 +0000 (08:25 +0100)]
Replace util/shlib_wrap.sh with util/wrap.pl in diverse docs

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11110)

6 months agoBuild file templates: don't set OPENSSL_{ENGINES,MODULES}
Richard Levitte [Mon, 17 Feb 2020 14:20:57 +0000 (15:20 +0100)]
Build file templates: don't set OPENSSL_{ENGINES,MODULES}

Since we've now switched to use util/wrap.pl to wrap uninstalled
programs everywhere, there's no need to set the environment variables
OPENSSL_ENGINES and OPENSSL_MODULES globally for the tests.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11110)

6 months agoTEST: add util/wrap.pl and use it
Richard Levitte [Mon, 17 Feb 2020 14:05:04 +0000 (15:05 +0100)]
TEST: add util/wrap.pl and use it

util/wrap.pl is a script that defines the environment variables
OPENSSL_ENGINES and OPENSSL_MODULES, then calls the command line
that's given as its arguments.

On a POSIX platform, the command line call is done via
util/shlib_wrap.sh to ensure that the shared library paths are
correct.  For other platforms, util/wrap.pl currently assumes that
similar things are already in place through other means.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11110)

6 months agoVMS: mitigate for the C++ compiler that doesn't understand certain pragmas
Richard Levitte [Mon, 24 Feb 2020 13:56:26 +0000 (14:56 +0100)]
VMS: mitigate for the C++ compiler that doesn't understand certain pragmas

This only affects __DECC_INCLUDE_EPILOGUE.H and __DECC_INCLUDE_PROLOGUE.H,
which are used automatically by HP and VSI C/C++ compilers.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11159)

(cherry picked from commit 605a0c709f4d50497a1c49ee117a0ec4bb956d58)

7 months agodoc: add a fancy CHANGES entry to celebrate the new Markdown format
Dr. Matthias St. Pierre [Tue, 25 Feb 2020 16:04:47 +0000 (17:04 +0100)]
doc: add a fancy CHANGES entry to celebrate the new Markdown format

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

7 months agodoc: revamp the SUPPORT file
Dr. Matthias St. Pierre [Fri, 29 Nov 2019 18:45:56 +0000 (19:45 +0100)]
doc: revamp the SUPPORT file

Too be continued...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

7 months agodoc: revamp the INSTALL file
Dr. Matthias St. Pierre [Tue, 31 Dec 2019 00:09:40 +0000 (01:09 +0100)]
doc: revamp the INSTALL file

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

7 months agodoc: add missing CHANGES entries for all versions >= 1.0.0
Dr. Matthias St. Pierre [Tue, 3 Dec 2019 17:32:21 +0000 (18:32 +0100)]
doc: add missing CHANGES entries for all versions >= 1.0.0

Up to now, CHANGES entries for older releases where only added to the
corresponding stable branches, so they were missing in the master
branch. This commit adds the missing entries, taking them from the
respective stable branches.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

7 months agodoc: add missing NEWS entries for all versions >= 1.0.0
Dr. Matthias St. Pierre [Sat, 30 Nov 2019 16:07:31 +0000 (17:07 +0100)]
doc: add missing NEWS entries for all versions >= 1.0.0

Up to now, NEWS entries for older releases where only added to the
corresponding stable branches, so they were missing in the master
branch. This commit adds the missing entries, taking them from the
respective stable branches.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

7 months agodoc: revamp the README file
Dr. Matthias St. Pierre [Fri, 29 Nov 2019 19:45:28 +0000 (20:45 +0100)]
doc: revamp the README file

 * Add an OpenSSL logo and CI badges
 * Add a table of contents
 * Add a lot of links

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

7 months agodoc: add OpenSSL logo
Dr. Matthias St. Pierre [Sat, 30 Nov 2019 22:45:03 +0000 (23:45 +0100)]
doc: add OpenSSL logo

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

7 months agodoc: introduce some minimalistic markdown without essential changes
Dr. Matthias St. Pierre [Thu, 28 Nov 2019 22:10:51 +0000 (23:10 +0100)]
doc: introduce some minimalistic markdown without essential changes

The goal is to transform the standard documents

    README, INSTALL, SUPPORT, CONTRIBUTING, ...

from a pure text format into markdown format, but in such a way
that the documentation remains nicely formatted an easy readable
when viewed with an normal text editor.

To achieve this goal, we use a special form of 'minimalistic' markdown
which interferes as little as possible with the reading flow.

 * avoid [ATX headings][] and use [setext headings][] instead
   (works for `<h1>` and `<h2>` headings only).
 * avoid [inline links][] and use [reference links][] instead.
 * avoid [fenced code blocks][], use [indented-code-blocks][] instead.

The transformation will take place in several steps. This commit
introduces mostly changes the formatting and does not chang the
content significantly.

[ATX headings]:         https://github.github.com/gfm/#atx-headings
[setext headings]:      https://github.github.com/gfm/#setext-headings
[inline links]:         https://github.github.com/gfm/#inline-link
[reference links]:      https://github.github.com/gfm/#reference-link
[fenced code blocks]:   https://github.github.com/gfm/#fenced-code-blocks
[indented code blocks]: https://github.github.com/gfm/#indented-code-blocks

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

7 months agodoc: convert standard project docs to markdown
Dr. Matthias St. Pierre [Thu, 28 Nov 2019 22:56:36 +0000 (23:56 +0100)]
doc: convert standard project docs to markdown

In the first step, we just add the .md extension and move some
files around, without changing any content. These changes will
occur in the following commits.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

7 months agoUse a wrapper for pod2html
Rich Salz [Wed, 15 Jan 2020 19:53:29 +0000 (14:53 -0500)]
Use a wrapper for pod2html

Remove unused util/process_docs.pl

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10856)

7 months agoapps x509: restrict CAkeyform option to OPT_FMT_PDE
Bastian Germann [Thu, 13 Feb 2020 10:45:50 +0000 (11:45 +0100)]
apps x509: restrict CAkeyform option to OPT_FMT_PDE

CAkeyform may be set to PEM, DER or ENGINE, but the current options
are not using the proper optionformat 'E' (OPT_FMT_PDE) for this.

Set the valtype for CAkeyform to 'E' and use OPT_FMT_PDE when extracting
the option value.

This amends 0ab6fc79a9a ("Fix regression on x509 keyform argument") which
did the same thing for keyform and changed the manpage synopsis entries
for both keyform and CAkeyform but did not change the option section.
Hence, change the option section for both of them.

CLA: trivial

Co-developed-by: Torben Hohn <torben.hohn@linutronix.de>
Signed-off-by: Torben Hohn <torben.hohn@linutronix.de>
Signed-off-by: Bastian Germann <bage@linutronix.de>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11085)

7 months agobugfix in cmac calculation example
Asfak Rahman [Fri, 21 Feb 2020 07:41:29 +0000 (09:41 +0200)]
bugfix in cmac calculation example

The example never executes code inside of the while loop, as read()
returns bigger number than 0. Thus the end result is wrong.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11143)

7 months agoAvoid arm64 builds timeout due to silent make taking too long time
Tomas Mraz [Wed, 26 Feb 2020 07:41:36 +0000 (08:41 +0100)]
Avoid arm64 builds timeout due to silent make taking too long time

Also reuse one of the arm64 builds as a no-deprecated build
Also include a single ppc64le-build

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11181)

7 months agosecmem: ignore small minsize arguments to CRYPTO_secure_malloc_init().
Pauli [Sat, 22 Feb 2020 08:39:28 +0000 (18:39 +1000)]
secmem: ignore small minsize arguments to CRYPTO_secure_malloc_init().

If the user specifies a minimum allocation size that is smaller than
the free list structure (or zero), calculate the minimum possible size rather
than failing.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11149)

7 months agosec_mem: add note about the minimum size parameter.
Pauli [Sat, 22 Feb 2020 00:35:26 +0000 (10:35 +1000)]
sec_mem: add note about the minimum size parameter.

Add a note indicating that the minimum size parameter to
CRYPTO_secure_malloc_init() should be small.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11149)

7 months agoMem-sec small code adjustment
Davide Galassi [Wed, 26 Feb 2020 05:31:17 +0000 (15:31 +1000)]
Mem-sec small code adjustment

Conditional code readability improvement.

Remove unused macro

Commit #11042 has introduced a new, unused, CRYPTO_EX_INDEX macro.
Remove before version release.

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11103)