oweals/openssl.git
4 years agoImplement provider support for Ed25519 annd Ed448
Matt Caswell [Thu, 5 Mar 2020 15:42:13 +0000 (15:42 +0000)]
Implement provider support for Ed25519 annd Ed448

At the moment we only provider support for these algorithms in the default
provider. These algorithms only support "one shot" EVP_DigestSign() and
EVP_DigestVerify() as per the existing libcrypto versions.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11261)

4 years agoAdd provider awareness of EVP_DigestSign() and EVP_DigestVerify()
Matt Caswell [Thu, 5 Mar 2020 15:40:48 +0000 (15:40 +0000)]
Add provider awareness of EVP_DigestSign() and EVP_DigestVerify()

These "one-shot" functions are the only ones supported by Ed25519 and
Ed448, so we need to ensure that libcrypto can handle provider
based implementations of these functions.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11261)

4 years agoAdd Key Management support for EdDSA keys
Matt Caswell [Mon, 17 Feb 2020 16:37:24 +0000 (16:37 +0000)]
Add Key Management support for EdDSA keys

Support added for Ed25519 and Ed448

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11261)

4 years agoRefactor CRMF_poposigningkey_init() to work with provider keys
Richard Levitte [Wed, 19 Feb 2020 06:05:52 +0000 (07:05 +0100)]
Refactor CRMF_poposigningkey_init() to work with provider keys

The code in this function was almost entirely a copy of the
functionality in ASN1_item_sign(), so it gets refactored to actually
call ASN1_item_sign(), and thereby automatically gets support for
EVP_PKEYs with only provider side keys.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11126)

4 years agodoc: slightly reformulate 'openssl(1)/Random State Options' section
Dr. Matthias St. Pierre [Wed, 4 Mar 2020 22:13:24 +0000 (23:13 +0100)]
doc: slightly reformulate 'openssl(1)/Random State Options' section

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11252)

4 years agoImprove small block cipher performance
Kurt Roeckx [Sun, 16 Feb 2020 13:44:06 +0000 (14:44 +0100)]
Improve small block cipher performance

Avoid function calls we don't need to do.

In 1.1.1 we have:
aes-128-cbc     572267.80k   681197.08k   715430.74k   720508.59k   722359.64k   723004.07k

Current master:
aes-128-cbc     460663.70k   631125.66k   701283.58k   719794.52k   724732.59k   726668.63k

new:
aes-128-cbc     582057.64k   684288.62k   715721.90k   724856.15k   717578.24k   727176.53k

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11102)

4 years agoAdd -section option to 'req' command
Rich Salz [Wed, 4 Mar 2020 19:41:53 +0000 (14:41 -0500)]
Add -section option to 'req' command

This removes "req" as the hardwired section for the req command.
Doing this will let us merge some test configs.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11249)

4 years agocmdline app: add provider commandline options.
Pauli [Tue, 25 Feb 2020 04:29:30 +0000 (14:29 +1000)]
cmdline app: add provider commandline options.

Add a -provider option to allow providers to be loaded. This option can be
specified multiple times.

Add a -provider_path option to allow the path to providers to be specified.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11167)

4 years agoman1: make all openssl command line tool documentation generated.
Pauli [Wed, 26 Feb 2020 21:45:31 +0000 (07:45 +1000)]
man1: make all openssl command line tool documentation generated.

With the introduction of provider command line options which are applicable to
almost all of the command line tools, it seemed reasonable to make them all
generated.  This simplifes the .gitignore and avoids having to keep two lists
in sync.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11167)

4 years agoChange DH_get_nid() to set the value of q if it is not already set
Shane Lontis [Fri, 6 Mar 2020 21:47:58 +0000 (07:47 +1000)]
Change DH_get_nid() to set the value of q if it is not already set

Fixes #11108.

It only sets q if a valid named group is found.
The function signature was recently changed to pass a non const DH pointer
in order to allow the nid to be cached internally. As an extension of this
the value of q can now also be set as q is always known for named groups.
The length field is also set if q is set.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11114)

4 years agoClarify the usage of EVP_PKEY_get_raw_[private|public]_key()
Matt Caswell [Thu, 5 Mar 2020 09:21:56 +0000 (09:21 +0000)]
Clarify the usage of EVP_PKEY_get_raw_[private|public]_key()

EVP_PKEY_get_raw_private_key() and EVP_PKEY_get_raw_public_key() expect
the size of the key buffer to be populated in the |*len| parameter on
entry - but the docs made no mention of this.

Fixes #11245

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11254)

4 years agoUse .cnf for config files, not .conf
Rich Salz [Tue, 25 Feb 2020 18:25:13 +0000 (13:25 -0500)]
Use .cnf for config files, not .conf

The default is openssl.cnf  The project seems to prefer xxx.conf these
days, but we should use the default convention.

Rename all foo.conf (except for Configurations) to foo.cnf

Fixes #11174

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11176)

4 years agoRemove unused files
Rich Salz [Tue, 25 Feb 2020 17:03:44 +0000 (12:03 -0500)]
Remove unused files

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11176)

4 years agofix a minor bug of s_client
Roger Ning [Mon, 2 Mar 2020 05:35:02 +0000 (13:35 +0800)]
fix a minor bug of s_client

CLA: trivial

-CAstore's option should be OPT_CASTORE, instead of OPT_CAFILE
correct also -no-CAstore option from OPT_NOCAPATH to OPT_NOCASTORE

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11215)

4 years agoAdd CIFuzz action
Leo Neat [Fri, 21 Feb 2020 00:42:32 +0000 (16:42 -0800)]
Add CIFuzz action

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11140)

4 years agocrypto/ec/curve448/eddsa.c: fix EBCDIC platforms
Patrick Steuer [Tue, 3 Mar 2020 12:29:03 +0000 (13:29 +0100)]
crypto/ec/curve448/eddsa.c: fix EBCDIC platforms

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11229)

4 years agoaes-s390x.pl: fix stg offset caused by typo in perlasm
Patrick Steuer [Tue, 3 Mar 2020 16:40:07 +0000 (17:40 +0100)]
aes-s390x.pl: fix stg offset caused by typo in perlasm

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11234)

4 years ago.github/PULL_REQUEST_TEMPLATE.md: Fix link to contributors guide
Vladimir Panteleev [Mon, 2 Mar 2020 20:36:07 +0000 (20:36 +0000)]
.github/PULL_REQUEST_TEMPLATE.md: Fix link to contributors guide

The file was converted to Markdown and renamed appropriately in
2e07506a12e126894cd820304465162bc0e732b4.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11223)

4 years agoAdd DSA Key validation to default provider
Shane Lontis [Tue, 21 Jan 2020 05:57:25 +0000 (15:57 +1000)]
Add DSA Key validation to default provider

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10912)

4 years agoAdd DH key validation to default provider
Shane Lontis [Tue, 21 Jan 2020 05:45:40 +0000 (15:45 +1000)]
Add DH key validation to default provider

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10911)

4 years agoconfig, Configure: move the check of removed crypto/ sub-systems
Richard Levitte [Mon, 2 Mar 2020 09:50:24 +0000 (10:50 +0100)]
config, Configure: move the check of removed crypto/ sub-systems

The 'config' script checked for a bunch of crypto/ sub-system
directories, and added 'no-' options if they weren't there.

We move it to 'Configure' in an effort to simplify 'config' for
further work.

Note: this is pretty much a historical thing.  In modern OpenSSL, it's
much simpler to edit the SUBDIRS statement in crypto/build.info.
However, it's been claimed the there are those who still remove some
of these sub-system sources.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11217)

4 years ago.travis.yml: where it matters, have build and source nesting levels differ
Richard Levitte [Wed, 26 Feb 2020 13:57:39 +0000 (14:57 +0100)]
.travis.yml: where it matters, have build and source nesting levels differ

Where we build out of source, the source directory was _srcdist and
the build directory was _build.  That gives the same nesting level for
both, which doesn't quite exercise all aspects of relative back
references from build to source tree.

Changing the build tree to be in _build/tree will challenge back
references a bit more, and ensure a bit more that we got it right.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11186)

4 years agoAdd some missing env var documentation
Rich Salz [Wed, 26 Feb 2020 20:25:43 +0000 (15:25 -0500)]
Add some missing env var documentation

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11189)

4 years ago.gitignore: Add /apps/progs.{c,h}
Vladimir Panteleev [Mon, 2 Mar 2020 18:05:03 +0000 (18:05 +0000)]
.gitignore: Add /apps/progs.{c,h}

These files were removed from the source tree in
fe909ee4aeb6eb64f6f31a1544c5d3c81c5fe1f1.

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11222)

4 years agoAdd Serializers for EC
Shane Lontis [Sun, 16 Feb 2020 09:54:08 +0000 (19:54 +1000)]
Add Serializers for EC

Provide EC serializers for text, pem and der.

EC parameters use ANS1 'CHOICE' - which means they are more embedded than other parameters used by
other KEY types (which normally have a SEQUENCE at the top level).
For this reason the ANS1_STRING type that was being passed around has been changed to a void so that the
code can still be shared with EC.

The EC serializer only supports named curves currently.

NOTE the serializer code assumes PKCS8 format - if the older encode methods are needed they will need to be
added in another PR. (Probably when deserialization is considered).

EVP_PKEY_key_fromdata_init was changed from using a keypair selection to all bits of a key. A side effect of this was
that the very restrictive checks in the ecx code needed to be relaxed as it was assuming all selection flags were non
optional. As this is not the case for any other key the code has been modified.

Fixed a bug in legacy_ctrl_str_to_params() - "ecdh_cofactor_mode" was being incorrectly converted to the wrong keyname.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11107)

4 years agoCorrect two small documentation issues
Tomas Mraz [Tue, 3 Mar 2020 14:34:53 +0000 (15:34 +0100)]
Correct two small documentation issues

The find-doc-nits complains about non-zero word and about missing
line before =head1 which causes build failure.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11231)

4 years agoDocumenting newly added CMS modification
Dmitry Belyavskiy [Tue, 21 Jan 2020 12:04:42 +0000 (15:04 +0300)]
Documenting newly added CMS modification

Documented CMS-related API functions.
Documented flags added to openssl-cms command

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10904)

4 years agoImplementation of Russian GOST CMS
Dmitry Belyavskiy [Mon, 20 Jan 2020 15:17:44 +0000 (18:17 +0300)]
Implementation of Russian GOST CMS

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10904)

4 years agodoc: document that 'openssl rand' is cryptographically secure
Dr. Matthias St. Pierre [Sun, 1 Mar 2020 23:25:29 +0000 (00:25 +0100)]
doc: document that 'openssl rand' is cryptographically secure

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11213)

4 years agoFix build with clang assembler
Philippe Antoine [Mon, 2 Mar 2020 12:46:37 +0000 (13:46 +0100)]
Fix build with clang assembler

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11219)

4 years agoAdd pairwise consistency self tests to asym keygenerators
Shane Lontis [Tue, 3 Mar 2020 04:02:36 +0000 (14:02 +1000)]
Add pairwise consistency self tests to asym keygenerators

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10952)

4 years ago.travis.yml: Remove NOUPDATE support
Richard Levitte [Thu, 27 Feb 2020 01:07:50 +0000 (02:07 +0100)]
.travis.yml: Remove NOUPDATE support

It was a temporary measure to deal with the fact that util/progs.pl
didn't work right at all times, but that has now been fixed.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

4 years agoRemove apps/progs.c and apps/progs.h
Richard Levitte [Wed, 26 Feb 2020 13:52:04 +0000 (14:52 +0100)]
Remove apps/progs.c and apps/progs.h

Since they are generated in build time, there's not need to keep them
in the source tree.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

4 years agoConfigure: Diverse cleanups
Richard Levitte [Wed, 26 Feb 2020 13:42:10 +0000 (14:42 +0100)]
Configure: Diverse cleanups

There were some remaining old code and comments that don't serve a
purpose any longer.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

4 years agoBuild: Generate apps/progs.c and apps/progs.h in build time
Richard Levitte [Wed, 26 Feb 2020 13:39:16 +0000 (14:39 +0100)]
Build: Generate apps/progs.c and apps/progs.h in build time

util/progs.pl depends on the build tree (on configdata.pm,
specifically), so it needs to be run from the build tree.  But why
stop there?  We might as well generate apps/progs.c and apps/progs.h
when building.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

4 years agobuild.info: Implement simply substitutions in variable values
Richard Levitte [Wed, 26 Feb 2020 13:35:17 +0000 (14:35 +0100)]
build.info: Implement simply substitutions in variable values

Use case: having a variable with multiple source files in its value,
and wanting to refer to the corresponding object file.

    $SRCS=foo.c bar.c
    SOURCE[program]=$SRCS
    DEPEND[${SRCS/.c/.o}]=prog.h

    GENERATE[prog.h]=...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

4 years agobuild.info: Make it possible to have more than one item in KEYWORD[]
Richard Levitte [Wed, 26 Feb 2020 13:30:38 +0000 (14:30 +0100)]
build.info: Make it possible to have more than one item in KEYWORD[]

So far, the "index" part of KEYWORD[whatever] could only handle one
item.  There are cases, however, where we want to add the exact same
value to multiple items.  This is especially helpful if a variable
that may have multi-item values are used in the "index" part.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

4 years agoPROV: Add a OP_keymgmt_match() function to our DH, DSA, RSA and EC_KEY impl
Richard Levitte [Thu, 6 Feb 2020 08:53:15 +0000 (09:53 +0100)]
PROV: Add a OP_keymgmt_match() function to our DH, DSA, RSA and EC_KEY impl

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)

4 years agoEVP: Add support for copying provided EVP_PKEYs
Richard Levitte [Wed, 5 Feb 2020 15:30:21 +0000 (16:30 +0100)]
EVP: Add support for copying provided EVP_PKEYs

This adds evp_keymgmt_util_copy() and affects EVP_PKEY_copy_parameters()

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)

4 years agoKEYMGMT: Add a keydata copy function
Richard Levitte [Wed, 5 Feb 2020 14:41:58 +0000 (15:41 +0100)]
KEYMGMT: Add a keydata copy function

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)

4 years agoEVP: Add support for comparing provided EVP_PKEYs
Richard Levitte [Wed, 5 Feb 2020 11:55:43 +0000 (12:55 +0100)]
EVP: Add support for comparing provided EVP_PKEYs

This adds evp_keymgmt_util_match() and affects EVP_PKEY_cmp() and
EVP_PKEY_cmp_parameters().

The word 'match' was used for the new routines because many associate
'cmp' with comparison functions that allows sorting, i.e. return -1, 0
or 1 depending on the order in which the two compared elements should
be sorted.  EVP_PKEY_cmp() and EVP_PKEY_cmp_parameters() don't quite
do that.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)

4 years agoKEYMGMT: Add a keydata matching function
Richard Levitte [Wed, 5 Feb 2020 11:53:14 +0000 (12:53 +0100)]
KEYMGMT: Add a keydata matching function

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)

4 years agoEVP: Adapt EVP_PKEY_missing_parameters() for provider keys
Richard Levitte [Wed, 5 Feb 2020 09:18:51 +0000 (10:18 +0100)]
EVP: Adapt EVP_PKEY_missing_parameters() for provider keys

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)

4 years agocrypto/perlasm/x86_64-xlate.pl: detect GNU as to deal with quirks
Richard Levitte [Thu, 27 Feb 2020 05:03:52 +0000 (06:03 +0100)]
crypto/perlasm/x86_64-xlate.pl: detect GNU as to deal with quirks

It turns out that GNU as and Solaris as don't have compatible ideas on
the .section syntax, so we need to check if we're using GNU as or
another assembler and adapt this .section syntax accordingly.

Fixes #11132

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11191)

4 years agoFix drop of const qualifier
André Klitzing [Sat, 29 Feb 2020 22:40:29 +0000 (23:40 +0100)]
Fix drop of const qualifier

The parameter got "const" in 9fdcc21fdc9 but that was not added
to cast. So this throws a -Wcast-qual in user code.

error: cast from 'const DUMMY *' to 'ASN1_VALUE_st *' drops const qualifier [-Werror,-Wcast-qual]

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11210)

4 years agoDOCS: Add and modify docs for internal EVP_KEYMGMT utility functions
Richard Levitte [Mon, 24 Feb 2020 18:15:47 +0000 (19:15 +0100)]
DOCS: Add and modify docs for internal EVP_KEYMGMT utility functions

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11148)

4 years agoDOCS: Add internal docs for EVP_PKEY and the export functions
Richard Levitte [Mon, 24 Feb 2020 13:36:09 +0000 (14:36 +0100)]
DOCS: Add internal docs for EVP_PKEY and the export functions

Functions covered:

- evp_pkey_export_to_provider()
- evp_pkey_upgrade_to_provider()

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11148)

4 years agoEVP: Add evp_pkey_upgrade_to_provider(), for EVP_PKEY upgrades
Richard Levitte [Thu, 20 Feb 2020 21:55:41 +0000 (22:55 +0100)]
EVP: Add evp_pkey_upgrade_to_provider(), for EVP_PKEY upgrades

This function "upgrades" a key from a legacy key container to a
provider side key container.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11148)

4 years agoRethink the EVP_PKEY cache of provider side keys
Richard Levitte [Thu, 20 Feb 2020 19:26:16 +0000 (20:26 +0100)]
Rethink the EVP_PKEY cache of provider side keys

The role of this cache was two-fold:

1.  It was a cache of key copies exported to providers with which an
    operation was initiated.
2.  If the EVP_PKEY didn't have a legacy key, item 0 of the cache was
    the corresponding provider side origin, while the rest was the
    actual cache.

This dual role for item 0 made the code a bit confusing, so we now
make a separate keymgmt / keydata pair outside of that cache, which is
the provider side "origin" key.

A hard rule is that an EVP_PKEY cannot hold a legacy "origin" and a
provider side "origin" at the same time.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11148)

4 years agoman: openssl-ocsp: separate client and server options
Dr. Matthias St. Pierre [Thu, 6 Feb 2020 14:24:07 +0000 (15:24 +0100)]
man: openssl-ocsp: separate client and server options

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11033)

4 years agox509v3 subjectSignTool extention support
Nikolay Morozov [Fri, 14 Feb 2020 10:14:30 +0000 (13:14 +0300)]
x509v3 subjectSignTool extention support

Subject Sign Tool (1.2.643.100.111) The name of the tool used to signs the subject (UTF8String)
This extention is required to obtain the status of a qualified certificate at Russian Federation.
RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5
Russian Federal Law 63 "Digital Sign" is available here:  http://www.consultant.ru/document/cons_doc_LAW_112701/

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11093)

4 years agoFix util/mktar.sh to use the new VERSION information
Richard Levitte [Thu, 27 Feb 2020 00:09:23 +0000 (01:09 +0100)]
Fix util/mktar.sh to use the new VERSION information

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11190)

4 years agoFix comment placement in ecp_nistp256.ci
Scott Arciszewski [Mon, 24 Feb 2020 20:29:12 +0000 (12:29 -0800)]
Fix comment placement in ecp_nistp256.ci

CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11175)

4 years agoDeprecate ASN1_sign(), ASN1_verify() and ASN1_digest()
Richard Levitte [Mon, 24 Feb 2020 21:33:52 +0000 (22:33 +0100)]
Deprecate ASN1_sign(), ASN1_verify() and ASN1_digest()

These are old functions that fell out of use with OpenSL 0.9.7.
It's more than time to deprecate them.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11161)

4 years agoImplement the ECX Serializers
Matt Caswell [Thu, 27 Feb 2020 22:08:59 +0000 (08:08 +1000)]
Implement the ECX Serializers

Provide serializers for X25519 and X448 for text, pem and der. There are
no parameter serializers because there are no parameters for these
algorithms.

Add some documentation about the various import/export types available
Add additional testing for the serializers

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11095)

4 years agoReplace util/shlib_wrap.sh with util/wrap.pl in diverse docs
Richard Levitte [Tue, 18 Feb 2020 07:25:06 +0000 (08:25 +0100)]
Replace util/shlib_wrap.sh with util/wrap.pl in diverse docs

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11110)

4 years agoBuild file templates: don't set OPENSSL_{ENGINES,MODULES}
Richard Levitte [Mon, 17 Feb 2020 14:20:57 +0000 (15:20 +0100)]
Build file templates: don't set OPENSSL_{ENGINES,MODULES}

Since we've now switched to use util/wrap.pl to wrap uninstalled
programs everywhere, there's no need to set the environment variables
OPENSSL_ENGINES and OPENSSL_MODULES globally for the tests.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11110)

4 years agoTEST: add util/wrap.pl and use it
Richard Levitte [Mon, 17 Feb 2020 14:05:04 +0000 (15:05 +0100)]
TEST: add util/wrap.pl and use it

util/wrap.pl is a script that defines the environment variables
OPENSSL_ENGINES and OPENSSL_MODULES, then calls the command line
that's given as its arguments.

On a POSIX platform, the command line call is done via
util/shlib_wrap.sh to ensure that the shared library paths are
correct.  For other platforms, util/wrap.pl currently assumes that
similar things are already in place through other means.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11110)

4 years agoVMS: mitigate for the C++ compiler that doesn't understand certain pragmas
Richard Levitte [Mon, 24 Feb 2020 13:56:26 +0000 (14:56 +0100)]
VMS: mitigate for the C++ compiler that doesn't understand certain pragmas

This only affects __DECC_INCLUDE_EPILOGUE.H and __DECC_INCLUDE_PROLOGUE.H,
which are used automatically by HP and VSI C/C++ compilers.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11159)

(cherry picked from commit 605a0c709f4d50497a1c49ee117a0ec4bb956d58)

4 years agodoc: add a fancy CHANGES entry to celebrate the new Markdown format
Dr. Matthias St. Pierre [Tue, 25 Feb 2020 16:04:47 +0000 (17:04 +0100)]
doc: add a fancy CHANGES entry to celebrate the new Markdown format

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

4 years agodoc: revamp the SUPPORT file
Dr. Matthias St. Pierre [Fri, 29 Nov 2019 18:45:56 +0000 (19:45 +0100)]
doc: revamp the SUPPORT file

Too be continued...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

4 years agodoc: revamp the INSTALL file
Dr. Matthias St. Pierre [Tue, 31 Dec 2019 00:09:40 +0000 (01:09 +0100)]
doc: revamp the INSTALL file

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

4 years agodoc: add missing CHANGES entries for all versions >= 1.0.0
Dr. Matthias St. Pierre [Tue, 3 Dec 2019 17:32:21 +0000 (18:32 +0100)]
doc: add missing CHANGES entries for all versions >= 1.0.0

Up to now, CHANGES entries for older releases where only added to the
corresponding stable branches, so they were missing in the master
branch. This commit adds the missing entries, taking them from the
respective stable branches.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

4 years agodoc: add missing NEWS entries for all versions >= 1.0.0
Dr. Matthias St. Pierre [Sat, 30 Nov 2019 16:07:31 +0000 (17:07 +0100)]
doc: add missing NEWS entries for all versions >= 1.0.0

Up to now, NEWS entries for older releases where only added to the
corresponding stable branches, so they were missing in the master
branch. This commit adds the missing entries, taking them from the
respective stable branches.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

4 years agodoc: revamp the README file
Dr. Matthias St. Pierre [Fri, 29 Nov 2019 19:45:28 +0000 (20:45 +0100)]
doc: revamp the README file

 * Add an OpenSSL logo and CI badges
 * Add a table of contents
 * Add a lot of links

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

4 years agodoc: add OpenSSL logo
Dr. Matthias St. Pierre [Sat, 30 Nov 2019 22:45:03 +0000 (23:45 +0100)]
doc: add OpenSSL logo

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

4 years agodoc: introduce some minimalistic markdown without essential changes
Dr. Matthias St. Pierre [Thu, 28 Nov 2019 22:10:51 +0000 (23:10 +0100)]
doc: introduce some minimalistic markdown without essential changes

The goal is to transform the standard documents

    README, INSTALL, SUPPORT, CONTRIBUTING, ...

from a pure text format into markdown format, but in such a way
that the documentation remains nicely formatted an easy readable
when viewed with an normal text editor.

To achieve this goal, we use a special form of 'minimalistic' markdown
which interferes as little as possible with the reading flow.

 * avoid [ATX headings][] and use [setext headings][] instead
   (works for `<h1>` and `<h2>` headings only).
 * avoid [inline links][] and use [reference links][] instead.
 * avoid [fenced code blocks][], use [indented-code-blocks][] instead.

The transformation will take place in several steps. This commit
introduces mostly changes the formatting and does not chang the
content significantly.

[ATX headings]:         https://github.github.com/gfm/#atx-headings
[setext headings]:      https://github.github.com/gfm/#setext-headings
[inline links]:         https://github.github.com/gfm/#inline-link
[reference links]:      https://github.github.com/gfm/#reference-link
[fenced code blocks]:   https://github.github.com/gfm/#fenced-code-blocks
[indented code blocks]: https://github.github.com/gfm/#indented-code-blocks

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

4 years agodoc: convert standard project docs to markdown
Dr. Matthias St. Pierre [Thu, 28 Nov 2019 22:56:36 +0000 (23:56 +0100)]
doc: convert standard project docs to markdown

In the first step, we just add the .md extension and move some
files around, without changing any content. These changes will
occur in the following commits.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)

4 years agoUse a wrapper for pod2html
Rich Salz [Wed, 15 Jan 2020 19:53:29 +0000 (14:53 -0500)]
Use a wrapper for pod2html

Remove unused util/process_docs.pl

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10856)

4 years agoapps x509: restrict CAkeyform option to OPT_FMT_PDE
Bastian Germann [Thu, 13 Feb 2020 10:45:50 +0000 (11:45 +0100)]
apps x509: restrict CAkeyform option to OPT_FMT_PDE

CAkeyform may be set to PEM, DER or ENGINE, but the current options
are not using the proper optionformat 'E' (OPT_FMT_PDE) for this.

Set the valtype for CAkeyform to 'E' and use OPT_FMT_PDE when extracting
the option value.

This amends 0ab6fc79a9a ("Fix regression on x509 keyform argument") which
did the same thing for keyform and changed the manpage synopsis entries
for both keyform and CAkeyform but did not change the option section.
Hence, change the option section for both of them.

CLA: trivial

Co-developed-by: Torben Hohn <torben.hohn@linutronix.de>
Signed-off-by: Torben Hohn <torben.hohn@linutronix.de>
Signed-off-by: Bastian Germann <bage@linutronix.de>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11085)

4 years agobugfix in cmac calculation example
Asfak Rahman [Fri, 21 Feb 2020 07:41:29 +0000 (09:41 +0200)]
bugfix in cmac calculation example

The example never executes code inside of the while loop, as read()
returns bigger number than 0. Thus the end result is wrong.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11143)

4 years agoAvoid arm64 builds timeout due to silent make taking too long time
Tomas Mraz [Wed, 26 Feb 2020 07:41:36 +0000 (08:41 +0100)]
Avoid arm64 builds timeout due to silent make taking too long time

Also reuse one of the arm64 builds as a no-deprecated build
Also include a single ppc64le-build

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11181)

4 years agosecmem: ignore small minsize arguments to CRYPTO_secure_malloc_init().
Pauli [Sat, 22 Feb 2020 08:39:28 +0000 (18:39 +1000)]
secmem: ignore small minsize arguments to CRYPTO_secure_malloc_init().

If the user specifies a minimum allocation size that is smaller than
the free list structure (or zero), calculate the minimum possible size rather
than failing.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11149)

4 years agosec_mem: add note about the minimum size parameter.
Pauli [Sat, 22 Feb 2020 00:35:26 +0000 (10:35 +1000)]
sec_mem: add note about the minimum size parameter.

Add a note indicating that the minimum size parameter to
CRYPTO_secure_malloc_init() should be small.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11149)

4 years agoMem-sec small code adjustment
Davide Galassi [Wed, 26 Feb 2020 05:31:17 +0000 (15:31 +1000)]
Mem-sec small code adjustment

Conditional code readability improvement.

Remove unused macro

Commit #11042 has introduced a new, unused, CRYPTO_EX_INDEX macro.
Remove before version release.

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11103)

4 years agox86_64: Replace .asciz "GNU" with .byte
H.J. Lu [Wed, 26 Feb 2020 03:04:41 +0000 (13:04 +1000)]
x86_64: Replace .asciz "GNU" with .byte

Replace .asciz "GNU" with .byte since .asciz isn't supported on Solaris.
Fixes https://github.com/openssl/openssl/issues/11132

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11137)

4 years agoCheck that the DRBG's internal state has been zeroized after uninstantiation
Dr. Matthias St. Pierre [Mon, 17 Feb 2020 18:39:05 +0000 (19:39 +0100)]
Check that the DRBG's internal state has been zeroized after uninstantiation

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11111)

4 years agoDRBG: delay initialization of DRBG method until instantiation
Dr. Matthias St. Pierre [Mon, 17 Feb 2020 18:25:55 +0000 (19:25 +0100)]
DRBG: delay initialization of DRBG method until instantiation

Previously, the initialization was done immediately in RAND_DRBG_set(),
which is also called in RAND_DRBG_uninstantiate().

This made it difficult for the FIPS DRBG self test to verify that the
internal state had been zeroized, because it had the side effect that
the drbg->data structure was reinitialized immediately.

To solve the problem, RAND_DRBG_set() has been split in two parts

    static int rand_drbg_set(RAND_DRBG *drbg, int type, unsigned int flags);
    static int rand_drbg_init_method(RAND_DRBG *drbg);

and only the first part is called from RAND_DRBG_uninstantiate().

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11111)

4 years agoconfig: Drop linux-alpha-gcc+bwx
Matt Turner [Tue, 18 Feb 2020 18:08:27 +0000 (10:08 -0800)]
config: Drop linux-alpha-gcc+bwx

Its entry in Configuration/10-main.conf was dropped in commit
7ead0c89185c ("Configure: fold related configurations more aggressively
and clean-up.") probably because all but one of its bn_ops were removed
(RC4_CHAR remained). Benchmarks on an Alpha EV7 indicate that RC4_INT is
better than RC4_CHAR so rather than restoring the configuation, remove
it from config.

CLA: trivial
Bug: https://bugs.gentoo.org/697840

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11130)

4 years agoFix default provider merge glitch
Richard Levitte [Sat, 22 Feb 2020 02:27:14 +0000 (03:27 +0100)]
Fix default provider merge glitch

Property "default" no longer exists, replace "default=yes" with
"provider=default"

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11150)

4 years agoRefactor evp_pkey_make_provided() to do legacy to provider export
Richard Levitte [Wed, 12 Feb 2020 13:28:50 +0000 (14:28 +0100)]
Refactor evp_pkey_make_provided() to do legacy to provider export

Previously, evp-keymgmt_util_export_to_provider() took care of all
kinds of exports of EVP_PKEYs to provider side keys, be it from its
legacy key or from another provider side key.  This works most of the
times, but there may be cases where the caller wants to be a bit more
in control of what sort of export happens when.

Also, when it's time to remove all legacy stuff, that job will be much
easier if we have a better separation between legacy support and
support of provided stuff, as far as we can take it.

This changes moves the support of legacy key to provider side key
export from evp-keymgmt_util_export_to_provider() to
evp_pkey_make_provided(), and makes sure the latter is called from all
EVP_PKEY functions that handle legacy stuff.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11074)

4 years agoDSA: More conforming names in crypto/dsa/dsa_aid.c
Richard Levitte [Thu, 30 Jan 2020 14:14:37 +0000 (15:14 +0100)]
DSA: More conforming names in crypto/dsa/dsa_aid.c

Made macro names that refer to a known base OID, an commented accordingly.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10557)

4 years agodoc/man3/EVP_PKEY_CTX_ctrl.pod: cleanup
Richard Levitte [Thu, 12 Dec 2019 08:21:59 +0000 (09:21 +0100)]
doc/man3/EVP_PKEY_CTX_ctrl.pod: cleanup

Clean up a manual we've touched, according to conventions found in
Linux' man-pages(7); function arguments in descriptions should be in
italics, and types, macros and similar should be in bold, with the
exception for NULL.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10557)

4 years agoPROV: Avoid MDC2 in the RSA signature implementation in the FIPS module
Richard Levitte [Wed, 4 Dec 2019 08:54:35 +0000 (09:54 +0100)]
PROV: Avoid MDC2 in the RSA signature implementation in the FIPS module

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10557)

4 years agotest/recipes/30-test_evp_data/evppkey.txt
Richard Levitte [Tue, 3 Dec 2019 10:02:58 +0000 (11:02 +0100)]
test/recipes/30-test_evp_data/evppkey.txt

Tests that go through provider cannot recognise PKEY_CTRL_INVALID from
PKEY_CTRL_ERROR any more, because provided implementations' param
setting functions return 0 or 1.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10557)

4 years agotest/evp_extra_test.c: adapt for RSA signature tests
Richard Levitte [Mon, 2 Dec 2019 10:26:15 +0000 (11:26 +0100)]
test/evp_extra_test.c: adapt for RSA signature tests

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10557)

4 years agorsa_get0_all_params(): Allow zero CRT params
Richard Levitte [Mon, 2 Dec 2019 10:25:47 +0000 (11:25 +0100)]
rsa_get0_all_params(): Allow zero CRT params

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10557)

4 years agoPROV: add RSA signature implementation
Richard Levitte [Sun, 1 Dec 2019 14:01:50 +0000 (15:01 +0100)]
PROV: add RSA signature implementation

This includes legacy PSS controls to params conversion, and an attempt
to generalise the parameter names when they are suitable for more than
one operation.

Also added crypto/rsa/rsa_aid.c, containing proper AlgorithmIdentifiers
for known RSA+hash function combinations.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10557)

4 years agoDon't exclude quite so much in a no-sock build
Dr. David von Oheimb [Fri, 21 Feb 2020 20:41:56 +0000 (21:41 +0100)]
Don't exclude quite so much in a no-sock build

We were excluding more code than we needed to in the OCSP/HTTP code in
the event of no-sock. We should also not assume that a BIO passed to our
API is socket based.

This fixes the no-sock build

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11134)

4 years agoIntroduce the provider property
Matt Caswell [Fri, 14 Feb 2020 22:49:26 +0000 (22:49 +0000)]
Introduce the provider property

Replace the properties default, fips and legacy with a single property
called "provider". So, for example, instead of writing "default=yes" to
get algorithms from the default provider you would instead write
"provider=default". We also have a new "fips" property to indicate that
an algorithm is compatible with FIPS mode. This applies to all the
algorithms in the FIPS provider, as well as any non-cryptographic
algorithms (currently only serializers).

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11097)

4 years agoAdd DRBG self tests
Shane Lontis [Thu, 30 Jan 2020 21:53:04 +0000 (07:53 +1000)]
Add DRBG self tests

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11010)

4 years agopkey: additional EC related options
Pauli [Tue, 18 Feb 2020 01:36:08 +0000 (11:36 +1000)]
pkey: additional EC related options

Add options to change the parameter encoding and point conversions for EC
public and private keys.  These options are present in the deprecated 'ec'
utility.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11113)

4 years agopkey: update command line tool examples in light of deprecations.
Pauli [Mon, 17 Feb 2020 23:46:52 +0000 (09:46 +1000)]
pkey: update command line tool examples in light of deprecations.

Specifically, refer from the deprecated tools to the pkey equivalents.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11113)

4 years agoapps: distinguish between a parameter error and an unknown parameter.
Pauli [Mon, 10 Feb 2020 03:37:53 +0000 (13:37 +1000)]
apps: distinguish between a parameter error and an unknown parameter.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11049)

4 years agopmeth_lib: detect unsupported OSSL_PARAM.
Pauli [Mon, 10 Feb 2020 03:32:36 +0000 (13:32 +1000)]
pmeth_lib: detect unsupported OSSL_PARAM.

When converting legacy controls to OSSL_PARAMs, return the unsupported -2
value correctly.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11049)

4 years agoParams: add argument to the _from_text calls to indicate if the param exists.
Pauli [Mon, 10 Feb 2020 03:29:49 +0000 (13:29 +1000)]
Params: add argument to the _from_text calls to indicate if the param exists.

The extra argument is a integer pointer and is optional.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11049)

4 years agoAdd *.d.tmp files to .gitignore
Matt Caswell [Tue, 18 Feb 2020 16:08:30 +0000 (16:08 +0000)]
Add *.d.tmp files to .gitignore

These are temporary files generated by the build process that should not
be checked in.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11122)

4 years agoDeprecate the low level Diffie-Hellman functions.
Pauli [Mon, 3 Feb 2020 09:05:31 +0000 (19:05 +1000)]
Deprecate the low level Diffie-Hellman functions.

Use of the low level DH functions has been informally discouraged for a
long time.  We now formally deprecate them.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11024)

4 years agoDH: add CHANGES entry listing the deprecated DH functions.
Pauli [Sun, 16 Feb 2020 07:31:04 +0000 (17:31 +1000)]
DH: add CHANGES entry listing the deprecated DH functions.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11024)

4 years agoDH: fix header file indentation
Pauli [Mon, 3 Feb 2020 06:03:12 +0000 (16:03 +1000)]
DH: fix header file indentation

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11024)