oweals/openssl.git
5 years agoAdd BN_check_prime()
Kurt Roeckx [Sun, 6 Oct 2019 15:21:16 +0000 (17:21 +0200)]
Add BN_check_prime()

Add a new API to test for primes that can't be misused, deprecated the
old APIs.

Suggested by Jake Massimo and Kenneth Paterson

Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #9272

5 years agoUse fewer primes for the trial division
Kurt Roeckx [Sun, 6 Oct 2019 11:48:10 +0000 (13:48 +0200)]
Use fewer primes for the trial division

When using Miller-Rabin to test for primes, it's can be faster to first
do trial divisions, but when doing too many trial divisions it gets
slower again. We reduce the number of trial divisions to a point that
gives better performance.

Based on research by Jake Massimo and Kenneth Paterson

Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #9272

5 years agoMove MD2, MD4 and MD5 digests completely to the providers
Richard Levitte [Sun, 13 Oct 2019 12:44:54 +0000 (14:44 +0200)]
Move MD2, MD4 and MD5 digests completely to the providers

This leaves minimal implementations of EVP_md2, EVP_md4, EVP_md5 and
EVP_mdc2, that are now only there to provide a name for implicit fetches.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10164)

5 years agoReplace '=for comment ifdef' with '=for openssl'
Rich Salz [Fri, 11 Oct 2019 15:52:12 +0000 (11:52 -0400)]
Replace '=for comment ifdef' with '=for openssl'

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10151)

5 years agoBuilding: Add modules with DEPENDs to GENERATEd files
Richard Levitte [Sun, 13 Oct 2019 10:33:15 +0000 (12:33 +0200)]
Building: Add modules with DEPENDs to GENERATEd files

For files GENERATEd from templates (.in files), any perl module (.pm
file) that the file depends on will automatically be used.

This means that these two lines:

    GENERATE[foo]=foo.in
    DEPEND[foo]=whatever.pm

will emit this command in a Makefile (or corresponding):

    foo: foo.in whatever.pm configdata.pm
    $(PERL) -I. -Ipathto -Mwhatever -Mconfigdata $(SRCDIR)/util/dofile.pl \\
        foo.in > foo

Note that configdata.pm is automatically added, since util/dofile.pl
itself depends on it.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10162)

5 years agoRestore MD5-SHA1 in legacy method database
Richard Levitte [Mon, 14 Oct 2019 14:07:41 +0000 (16:07 +0200)]
Restore MD5-SHA1 in legacy method database

If we remove these, the functions EVP_get_digestbyname() and
EVP_get_cipherbyname() will stop working entirely, and it's too early
to criple them yet.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10176)

5 years agoKDF: clean away old EVP_KDF declarations
Richard Levitte [Mon, 14 Oct 2019 10:12:54 +0000 (12:12 +0200)]
KDF: clean away old EVP_KDF declarations

They were left-overs from when we still had the legacy KDF implementation

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10170)

5 years agoRemove providers/default which seems to have been missed.
Pauli [Thu, 10 Oct 2019 12:05:28 +0000 (22:05 +1000)]
Remove providers/default which seems to have been missed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10147)

5 years agoConfigure: accept Windows style compiler options
Dr. Matthias St. Pierre [Fri, 20 Sep 2019 22:14:16 +0000 (00:14 +0200)]
Configure: accept Windows style compiler options

Currently the Configure command only supports passing UNIX style
options (`-opt`) to the compiler. Passing Windows style options
(`/opt`) yields an error. Fortunately, the compiler accepts both
types of options, nevertheless this commit fixes that discrimination
of Windows users.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9961)

5 years agoIgnore empty ALPN elements in CLI args
Viktor Dukhovni [Fri, 11 Oct 2019 21:52:19 +0000 (17:52 -0400)]
Ignore empty ALPN elements in CLI args

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoRemove EVP_CIPH_FLAG_CUSTOM_CIPHER in all our providers
Richard Levitte [Thu, 10 Oct 2019 16:16:19 +0000 (18:16 +0200)]
Remove EVP_CIPH_FLAG_CUSTOM_CIPHER in all our providers

Not needed any more, since the presence of the OSSL_FUNC_CIPHER_CIPHER
function is enough to tell that there's a custom cipher function.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10137)

5 years agoProviders: fix OSSL_FUNC_CIPHER_CIPHER functions
Richard Levitte [Thu, 10 Oct 2019 16:14:33 +0000 (18:14 +0200)]
Providers: fix OSSL_FUNC_CIPHER_CIPHER functions

This involves gcm_cipher() (providers/common/ciphers/cipher_gcm.c),
ccm_cipher() (providers/common/ciphers/cipher_ccm.c), and
tdes_wrap_cipher() (providers/common/ciphers/cipher_tdes_wrap.c)

These are generic implementations of the OSSL_FUNC_CIPHER_CIPHER
function, which returned -1 on error when they should return 0.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10137)

5 years agoFix EVP_Cipher() for provided cipher implementations
Richard Levitte [Thu, 10 Oct 2019 16:04:06 +0000 (18:04 +0200)]
Fix EVP_Cipher() for provided cipher implementations

EVP_Cipher() would return whatever ctx->cipher->ccipher() returned
with no regard for historical semantics.

We change this to first look if there is a ctx->cipher->ccipher(), and
in that case we treat the implementation as one with a custom cipher,
and "translate" it's return value like this: 0 => -1, 1 => outl, where
|outl| is the output length.

If there is no ctx->cipher->ccipher, we treat the implementation as
one without a custom cipher, call ctx->cipher->cupdate or
ctx->cipher->cfinal depending on input, and return whatever they
return (0 or 1).

Furthermore, we add a small hack in EVP_CIPHER_flags() to check if the
cipher is a provided one, and add EVP_CIPH_FLAG_CUSTOM_CIPHER to the
flags to be returned if there is a cipher->ccipher.  That way,
provided implementations never have to set that flag themselves, all
they need to do is to include a OSSL_FUNC_CIPHER_CIPHER function.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10137)

5 years agoPOD: stop abusing comment
Richard Levitte [Sun, 29 Sep 2019 15:10:59 +0000 (17:10 +0200)]
POD: stop abusing comment

OpenSSL uses some POD directives masquerading as 'comment'
('=for comment' etc).  This is abusive and confusing.  Instead, we use
our own keyword.

    =for openssl whatever

    =begin openssl

    whatever

    =end openssl

(we have never used the multiline form, but might start one day)

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10048)

5 years agoAdd a test for EVP_Digest[Sign|Verify]* with a BIO MD
Matt Caswell [Mon, 7 Oct 2019 17:21:39 +0000 (18:21 +0100)]
Add a test for EVP_Digest[Sign|Verify]* with a BIO MD

If an EVP_MD_CTX is initialised with EVP_DigestSignInit_ex() or
EVP_DigestVerifyInit_ex() it should work with an MD BIO to provide
the "Updates". Test that this is the case.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10116)

5 years agoSupport calling EVP_DigestUpdate instead of EVP_Digest[Sign|Verify]Update
Matt Caswell [Mon, 7 Oct 2019 16:47:04 +0000 (17:47 +0100)]
Support calling EVP_DigestUpdate instead of EVP_Digest[Sign|Verify]Update

Prior to OpenSSL 3.0 EVP_Digest[Sign|Verify|Update were just macros for
EVP_DigestUpdate. They are now separate functions. Unfortunately some
code assumes that EVP_Digest[Sign|Verify]Update is interchangeable with
EVP_DigestUpdate. For example the dgst app uses an MD bio which always
calls EVP_DigestUpdate(). However the dgst app supports signing instead
of digesting and may initialise with EVP_DigestSignInit_ex() instead of
just EVP_DigestInit().

We now detect these differences and redirect to the correct function
where appropriate.

Fixes #10114

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10116)

5 years agoDon't use internal knowledge about EVP_MD_CTX in and MD BIO
Matt Caswell [Mon, 7 Oct 2019 16:45:25 +0000 (17:45 +0100)]
Don't use internal knowledge about EVP_MD_CTX in and MD BIO

There is no need for us to be diving inside the EVP_MD_CTX in the
implementation of an MD BIO. We can just use public APIs. By doing this
certain calls (such as getting the MD out of the BIO were not working
correctly) where providers are in use.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10116)

5 years agoDoc: update internal build.info manual
Richard Levitte [Fri, 11 Oct 2019 06:22:01 +0000 (08:22 +0200)]
Doc: update internal build.info manual

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10148)

5 years agoStop using EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
Richard Levitte [Thu, 10 Oct 2019 16:49:28 +0000 (18:49 +0200)]
Stop using EVP_MD_CTX_FLAG_NON_FIPS_ALLOW

This is a flag that has lost its relevance.  The new mechanism to do
the same thing is to fetch the needed digest explicitly with "-fips"
as property query, i.e. we remove any requirement for that property to
be set when fetching, even if the default property query string
requires its presence.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10138)

5 years agoFix unused goto label gcc warning
Viktor Szakats [Tue, 10 Sep 2019 22:47:57 +0000 (22:47 +0000)]
Fix unused goto label gcc warning

On systems with undefined AI_ADDRCONFIG and AI_NUMERICHOST:

x86_64-w64-mingw32-gcc  -I. -Icrypto/include -Iinclude -m64 -Wall -O3 -fno-ident ...
crypto/bio/b_addr.c: In function 'BIO_lookup_ex':
crypto/bio/b_addr.c:699:7: warning: label 'retry' defined but not used [-Wunused-label]
       retry:
       ^~~~~

Regression from: 3f91ede9aea70774d9b5d509bc76d484ebaff6aa

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9856)

5 years agossl/statem/statem_lib.c: make servercontext/clientcontext arrays of chars instead...
Artiom Vaskov [Thu, 12 Sep 2019 10:40:32 +0000 (13:40 +0300)]
ssl/statem/statem_lib.c: make servercontext/clientcontext arrays of chars instead of char pointers to fix EBCDIC builds.

Fixes #9869

CLA:trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9878)

(cherry picked from commit d8e8ed0220f0656a6e7e384ef4d7e1757b48fd95)

5 years agoCleanup: move provider mains up
Richard Levitte [Fri, 4 Oct 2019 13:37:14 +0000 (15:37 +0200)]
Cleanup: move provider mains up

providers/default/defltprov.c and providers/legacy/legacyprov.c
are moved up to providers/ and providers/build.info is adjusted
accordingly.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)

5 years agoCleanup: move remaining providers/common/include/internal/*.h
Richard Levitte [Fri, 4 Oct 2019 13:25:59 +0000 (15:25 +0200)]
Cleanup: move remaining providers/common/include/internal/*.h

The end up in providers/common/include/prov/.
All inclusions are adjusted accordingly.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)

5 years agoCleanup: move providers/common/include/internal/provider_args.h
Richard Levitte [Fri, 4 Oct 2019 13:20:48 +0000 (15:20 +0200)]
Cleanup: move providers/common/include/internal/provider_args.h

New name is providers/implementations/include/prov/implementations.h
All inclusions are adapted accordingly.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)

5 years agoProviders: move all ciphers
Richard Levitte [Fri, 4 Oct 2019 12:44:42 +0000 (14:44 +0200)]
Providers: move all ciphers

From providers/{common,default}/ to providers/implementations/

Except for common code, which remains in providers/common/ciphers/.
However, we do move providers/common/include/internal/ciphers/*.h
to providers/common/include/prov/, and adjust all source including
any of those header files.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)

5 years agoProviders: move all digests
Richard Levitte [Fri, 4 Oct 2019 10:30:33 +0000 (12:30 +0200)]
Providers: move all digests

From providers/{common,default,legacy}/ to providers/implementations/
However, providers/common/digests/digest_common.c stays where it is,
because it's support code rather than an implementation.

To better support all kinds of implementations with common code, we
add the library providers/libcommon.a.  Code that ends up in this
library must be FIPS agnostic.

While we're moving things around, though, we move digestscommon.h
from providers/common/include/internal to providers/common/include/prov,
thereby starting on a provider specific include structure, which
follows the line of thoughts of the recent header file reorganization.
We modify the affected '#include "internal/something.h"' to
'#include "prov/something.h"'.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)

5 years agoProviders: move default kdfs,macs
Richard Levitte [Fri, 4 Oct 2019 09:28:20 +0000 (11:28 +0200)]
Providers: move default kdfs,macs

From providers/default/ to providers/implementations/

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)

5 years agoProviders: move common exchange,kdfs,keymgmt,macs,signature
Richard Levitte [Fri, 4 Oct 2019 08:24:09 +0000 (10:24 +0200)]
Providers: move common exchange,kdfs,keymgmt,macs,signature

From providers/common/ to providers/implementations/

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)

5 years agoRework how our providers are built
Richard Levitte [Thu, 3 Oct 2019 23:38:17 +0000 (01:38 +0200)]
Rework how our providers are built

We put almost everything in these internal static libraries:

libcommon               Block building code that can be used by all
                        our implementations, legacy and non-legacy
                        alike.
libimplementations      All non-legacy algorithm implementations and
                        only them.  All the code that ends up here is
                        agnostic to the definitions of FIPS_MODE.
liblegacy               All legacy implementations.

libnonfips              Support code for the algorithm implementations.
                        Built with FIPS_MODE undefined.  Any code that
                        checks that FIPS_MODE isn't defined must end
                        up in this library.
libfips                 Support code for the algorithm implementations.
                        Built with FIPS_MODE defined.  Any code that
                        checks that FIPS_MODE is defined must end up
                        in this library.

The FIPS provider module is built from providers/fips/*.c and linked
with libimplementations, libcommon and libfips.

The Legacy provider module is built from providers/legacy/*.c and
linked with liblegacy, libcommon and libcrypto.
If module building is disabled, the object files from liblegacy and
libcommon are added to libcrypto and the Legacy provider becomes a
built-in provider.

The Default provider module is built-in, so it ends up being linked
with libimplementations, libcommon and libnonfips.  For libcrypto in
form of static library, the object files from those other libraries
are simply being added to libcrypto.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)

5 years agoBuild files: Make it possible to source libraries into other libraries
Richard Levitte [Thu, 3 Oct 2019 22:08:01 +0000 (00:08 +0200)]
Build files: Make it possible to source libraries into other libraries

Added functionality to use static libraries as source for other
libraries.  When done this way, the target library will use the object
files from the sourced static libraries, making the sourced libraries
work as "containers" for object files.

We also need to make sure that the Unix Makefile template knows how to
deal with shared libraries and modules that depend on static libraries.
That's new situation we haven't had before.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)

5 years agoConfigurations/common.tmpl: Rework dependency resolution
Richard Levitte [Thu, 3 Oct 2019 21:42:46 +0000 (23:42 +0200)]
Configurations/common.tmpl: Rework dependency resolution

The dependency resolution is made uniquely to resolve proper library
order when linking a program, a module or a shared library.

resolvedepends() did a little too much at once, so it's now reduced to
only collect dependencies (and is renamed to collectdepends()), while
a new function, expanddepends(), expands a list of dependency to
insure that dependent libraries are present after depending libraries,
and finally there is reducedepends() which removes unnecessary
duplicates, leaving only the last one.

resolvedepends() is now a simple utility routine that calls the three
mentioned above in correct order.

As part of this, we implement weak dependencies through the 'weak'
build.info attribute.  This is meant to cause a specific order between
libraries without requiring that they are all present.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)

5 years agoConfigure: Implement attributes for DEPEND[xxx]
Richard Levitte [Thu, 3 Oct 2019 22:00:24 +0000 (00:00 +0200)]
Configure: Implement attributes for DEPEND[xxx]

We want to attach attributes on dependencies.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)

5 years agoConfigure: rework build.info grammar and attributes
Richard Levitte [Thu, 3 Oct 2019 21:30:58 +0000 (23:30 +0200)]
Configure: rework build.info grammar and attributes

The build.info grammar's regular expressions were a horrible read.
By assigning certain sub-expressions to variables, we hope to make
it a little more readable.

Also, the handling of build.info attributes is reworked to use a
common function instead of having copies of the same code.

Finally, the attributes are reorganized to specify if they belong with
programs, libraries, modules or scripts.  This will enable more
intricate attribute assignment in changes to come.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)

5 years agoExplicitly test against NULL; do not use !p or similar
Rich Salz [Mon, 16 Sep 2019 19:28:57 +0000 (15:28 -0400)]
Explicitly test against NULL; do not use !p or similar

Also added blanks lines after declarations in a couple of places.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9916)

5 years agoRefactor -passin/-passout documentation
Rich Salz [Tue, 8 Oct 2019 17:10:04 +0000 (13:10 -0400)]
Refactor -passin/-passout documentation

Always refer to openssl.pod instead of repeating the same description
everywhere.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10126)

5 years agoDocument build.info syntax internally
Richard Levitte [Tue, 8 Oct 2019 08:30:21 +0000 (10:30 +0200)]
Document build.info syntax internally

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10121)

5 years agoFix reference to PEM docs
Rich Salz [Sat, 5 Oct 2019 17:48:50 +0000 (13:48 -0400)]
Fix reference to PEM docs

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10101)

5 years agoutil/find-doc-nits: ignore tsget.pod name
Richard Levitte [Wed, 2 Oct 2019 17:41:20 +0000 (19:41 +0200)]
util/find-doc-nits: ignore tsget.pod name

It's a separate script, not an openssl sub-command

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)

5 years agoCommand docs: more reference fixes
Richard Levitte [Tue, 1 Oct 2019 19:57:00 +0000 (21:57 +0200)]
Command docs: more reference fixes

Normalise on L<openssl-cmd(1)> over L<cmd(1)>

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)

5 years agoCommand docs: rename openssl-tsget.pod to tsget.pod, and fix it
Richard Levitte [Tue, 1 Oct 2019 19:26:16 +0000 (21:26 +0200)]
Command docs: rename openssl-tsget.pod to tsget.pod, and fix it

Make replacables italic, change '-rand' to '-r', fix links.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)

5 years agoCommand docs: diverse small fixes
Richard Levitte [Tue, 1 Oct 2019 19:10:17 +0000 (21:10 +0200)]
Command docs: diverse small fixes

Better synopsis for 'openssl dgst' and 'openssl enc', correct names
for 'openssl rehash' ('c_rehash' is mentioned there too), correct
option end marker for 'openssl verify', and finally, refer to
sub-commands as sub-commands.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)

5 years agoCommand docs: fix some engine references
Richard Levitte [Tue, 1 Oct 2019 18:41:53 +0000 (20:41 +0200)]
Command docs: fix some engine references

"gost" was called "ccgost".
"rsax" was treated like literal input rather than an engine name.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)

5 years agoCommand docs: wrap literal input/output with C<>
Richard Levitte [Tue, 1 Oct 2019 18:29:52 +0000 (20:29 +0200)]
Command docs: wrap literal input/output with C<>

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)

5 years agoCommand docs: wrap literal file names with F<>
Richard Levitte [Tue, 1 Oct 2019 18:19:45 +0000 (20:19 +0200)]
Command docs: wrap literal file names with F<>

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)

5 years agoCommand docs: fix links to other sections (sometimes in other manuals)
Richard Levitte [Tue, 1 Oct 2019 18:06:22 +0000 (20:06 +0200)]
Command docs: fix links to other sections (sometimes in other manuals)

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)

5 years agoCommand docs: fix up command references
Richard Levitte [Tue, 1 Oct 2019 17:43:36 +0000 (19:43 +0200)]
Command docs: fix up command references

Almost all OpenSSL commands are in reality 'openssl cmd', so make sure
they are refered to like that and not just as the sub-command.

Self-references are avoided as much as is possible, and replaced with
"this command".  In some cases, we even avoid that with a slight
rewrite of the sentence or paragrah they were in.  However, in the few
cases where a self-reference is still admissible, they are done in
bold, i.e. openssl-speed.pod references itself like this:

    B<openssl speed>

References to other commands are done as manual links, i.e. CA.pl.pod
references 'openssl req' like this: L<openssl-req(1)>

Some commands are examples rather than references; we enclose those in
C<>.

While we are it, we abolish "utility", replacing it with "command", or
remove it entirely in some cases.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)

5 years agoCommand docs: replacables are in italics, options always start with a dash
Richard Levitte [Tue, 1 Oct 2019 16:16:29 +0000 (18:16 +0200)]
Command docs: replacables are in italics, options always start with a dash

Quite a lot of replacables were still bold, and some options were
mentioned without a beginning dash.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)

5 years agoCommand docs: remove ellipses for '-rand'
Richard Levitte [Tue, 1 Oct 2019 08:00:14 +0000 (10:00 +0200)]
Command docs: remove ellipses for '-rand'

Ellipses were used to express that the '-rand' value can specify
multiple files, like this:

    B<-rand> I<file...>

Because there are conventions around ellipses, this becomes confusing,
because '-rand file...' is normally intepreted to mean that
'-rand file1 file2 file3' would be processed as three randomness
files, which makes no sense.

Rather than making things complicated with more elaborate syntax, we
change it to:

    B<-rand> I<files>

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)

5 years agoCommand docs: fix ellipses, the easy cases
Richard Levitte [Tue, 1 Oct 2019 07:57:37 +0000 (09:57 +0200)]
Command docs: fix ellipses, the easy cases

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)

5 years agoFix CMP test error on platforms which set OPENSSL_FUNC to '(unknown function)'
Shane Lontis [Tue, 8 Oct 2019 07:56:09 +0000 (17:56 +1000)]
Fix CMP test error on platforms which set OPENSSL_FUNC to '(unknown function)'

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10119)

5 years agoAdd rc2 ciphers to default provider
Shane Lontis [Tue, 8 Oct 2019 06:42:28 +0000 (16:42 +1000)]
Add rc2 ciphers to default provider

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9991)

5 years agoMove cipher ctx 'original iv' parameter into the provider
Shane Lontis [Mon, 7 Oct 2019 23:19:10 +0000 (09:19 +1000)]
Move cipher ctx 'original iv' parameter into the provider

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10026)

5 years agoAdd documentation for PEM_{read,write}_bio_Parameters()
Richard Levitte [Mon, 7 Oct 2019 05:23:32 +0000 (07:23 +0200)]
Add documentation for PEM_{read,write}_bio_Parameters()

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10113)

5 years agoFix typo in flag name
Rich Salz [Sun, 6 Oct 2019 17:38:52 +0000 (13:38 -0400)]
Fix typo in flag name

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10110)

5 years agoFix no-autoerrinit
Matt Caswell [Fri, 4 Oct 2019 10:12:04 +0000 (11:12 +0100)]
Fix no-autoerrinit

Don't run the test_CTX_print_errors test test in test_cmp_ctx if
no-autoerrinit has been configured.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10091)

5 years agoSend bad_record_mac instead of decryption_failed
Matt Caswell [Fri, 4 Oct 2019 13:01:21 +0000 (14:01 +0100)]
Send bad_record_mac instead of decryption_failed

The decryption failed alert was deprecated a long time ago. It can
provide an attacker too much information to be able to distinguish between
MAC failures and decryption failures and can lead to oracle attacks.
Instead we should always use the bad_record_mac alert for these issues.
This fixes one instance that still exists. It does not represent a
security issue in this case because it is only ever sent if the record is
publicly invalid, i.e. we have detected it is invalid without using any
secret material.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10093)

5 years agoSupport SM2 in apps/speed
Paul Yang [Sun, 29 Sep 2019 14:25:10 +0000 (22:25 +0800)]
Support SM2 in apps/speed

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10053)

5 years agoEVP_{CIPHER,MD}_CTX_ctrl(): make sure to return 0 or 1
Richard Levitte [Sun, 6 Oct 2019 08:45:17 +0000 (10:45 +0200)]
EVP_{CIPHER,MD}_CTX_ctrl(): make sure to return 0 or 1

Even thought the underlying calls might return something other than 0
or 1, EVP_CIPHER_CTX_ctrl() and EVP_MD_CTX_ctrl() were made to only
return those values regardless.  That behaviour was recently lost, so
we need to restore it.

Fixes #10106

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10108)

5 years agoDeprecate NCONF_WIN32() function
Rich Salz [Mon, 12 Aug 2019 20:55:25 +0000 (16:55 -0400)]
Deprecate NCONF_WIN32() function

Extensive documentation added in HISTORY section in doc/man5/config.pod

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9578)

5 years agoAlso mention -- flag and ignore if undocumented
Rich Salz [Wed, 2 Oct 2019 19:40:42 +0000 (15:40 -0400)]
Also mention -- flag and ignore if undocumented

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10077)

5 years agoFix typo in comment
Pauli [Sun, 6 Oct 2019 03:39:01 +0000 (13:39 +1000)]
Fix typo in comment

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10105)

5 years agoAdd missing help text for some options
Rich Salz [Mon, 23 Sep 2019 18:54:42 +0000 (14:54 -0400)]
Add missing help text for some options

Fixes: #9952

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9989)

5 years agoRC4 is not a block cipher
Matt Caswell [Sat, 5 Oct 2019 01:42:32 +0000 (11:42 +1000)]
RC4 is not a block cipher

RC4 is a stream cipher therefore EVP_CIPHER_CTX_block_size() should
return 1.

This fixes a test failure in ssl_test_old when enable-weak-ssl-ciphers
has been configured.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10090)

5 years agoFix L<EVP_KDF-derive> to L<EVP_DEF_derive>
Rich Salz [Fri, 4 Oct 2019 17:40:14 +0000 (13:40 -0400)]
Fix L<EVP_KDF-derive> to L<EVP_DEF_derive>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10096)

5 years agoMove MD5-SHA1 digest completely to the default provider
Richard Levitte [Tue, 4 Jun 2019 11:58:43 +0000 (13:58 +0200)]
Move MD5-SHA1 digest completely to the default provider

This leaves minimal implementations of EVP_md5_sha1, which is now only
there to provide a name for implicit fetches.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9076)

5 years agoRemove unused fields in method store structure.
Pauli [Thu, 3 Oct 2019 09:06:35 +0000 (19:06 +1000)]
Remove unused fields in method store structure.

The random bit caching was a residue of earlier code and isn't used any more.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10089)

5 years agoMove all SHA digests completely to the default provider
Richard Levitte [Mon, 30 Sep 2019 15:04:33 +0000 (17:04 +0200)]
Move all SHA digests completely to the default provider

This leaves minimal implementations of EVP_sha* and EVP_shake*, which
is now only there to provide a name for implicit fetches.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10059)

5 years agoRename "private" file, doc doc changes in CHANGES
Rich Salz [Fri, 27 Sep 2019 18:03:57 +0000 (14:03 -0400)]
Rename "private" file, doc doc changes in CHANGES

Use err() for find-doc-nits -e output
Doing this meant we could remove the -s flag, so we do so; move
option/help stuff to top of script.
Add a CHANGES entry.
Rename missing to other.syms

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10039)

5 years agoAdapt existing providers to posibly have name lists
Richard Levitte [Thu, 23 May 2019 01:39:15 +0000 (03:39 +0200)]
Adapt existing providers to posibly have name lists

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/8985)

5 years agoReplumbing: make it possible for providers to specify multiple names
Richard Levitte [Thu, 23 May 2019 01:36:21 +0000 (03:36 +0200)]
Replumbing: make it possible for providers to specify multiple names

This modifies the treatment of algorithm name strings to allow
multiple names separated with colons.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/8985)

5 years ago'init_buf' memory can be freed when DTLS is used over SCTP (not over UDP).
NaveenShivanna86 [Wed, 21 Aug 2019 06:28:29 +0000 (11:58 +0530)]
'init_buf' memory can be freed when DTLS is used over SCTP (not over UDP).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9653)

5 years agorsa: replace magic number '11' by RSA_PKCS1_PADDING_SIZE
Dr. Matthias St. Pierre [Thu, 3 Oct 2019 12:20:52 +0000 (14:20 +0200)]
rsa: replace magic number '11' by RSA_PKCS1_PADDING_SIZE

Suggested by Matt Hart

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10084)

5 years agoDon't follow legacy path if ctx->pctx is set
Matt Caswell [Thu, 3 Oct 2019 11:44:55 +0000 (12:44 +0100)]
Don't follow legacy path if ctx->pctx is set

EVP_DigestInit_ex forced following of the legacy path if ctx->pctx is
set (meaning we've actually been called via EVP_DigestSignInit_ex).

There is some code in the legacy path that calls the
EVP_PKEY_CTRL_DIGESTINIT ctrl on the pctx. Not going down the legacy path
if ctx->pctx is set means that ctrl message will neve get sent. However,
it turns out that all algs that understand that ctrl also set the
EVP_MD_CTX_FLAG_NO_INIT flag which forces legacy anyway. Therefore the
ctx->pctx check is not required and can be removed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10082)

5 years agoFix no-err
Matt Caswell [Wed, 2 Oct 2019 09:50:57 +0000 (10:50 +0100)]
Fix no-err

Skip the test_CTX_print_errors in cmp_ctx_test if no-err has been
configured.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10071)

5 years agoFree a fetched digest during EVP_MD_CTX_reset() not EVP_MD_free()
Matt Caswell [Thu, 26 Sep 2019 13:55:00 +0000 (14:55 +0100)]
Free a fetched digest during EVP_MD_CTX_reset() not EVP_MD_free()

Otherwise a mem leak can occur since EVP_MD_free() calls
EVP_MD_CTX_reset() which then clears the contents of the ctx.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10013)

5 years agoDon't call EVP_MD_CTX_reset during EVP_DigestFinal
Matt Caswell [Thu, 26 Sep 2019 13:31:56 +0000 (14:31 +0100)]
Don't call EVP_MD_CTX_reset during EVP_DigestFinal

This resets the fields of the EVP_MD_CTX and means we can no longer
make calls using the EVP_MD_CTX, such as to query parameters.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10013)

5 years agoAdd a test for the newly added md params code
Matt Caswell [Wed, 25 Sep 2019 10:49:04 +0000 (11:49 +0100)]
Add a test for the newly added md params code

Previous commits added code for routing md related parameters via and
EVP_SIGNATURE implementation during a DigestSign operation. This adds a
test to make sure this works as expected.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10013)

5 years agoUpdate EVP_MD_CTX_get_params() et al to be EVP_DigestSign*() aware
Matt Caswell [Tue, 24 Sep 2019 11:07:48 +0000 (12:07 +0100)]
Update EVP_MD_CTX_get_params() et al to be EVP_DigestSign*() aware

If doing an EVP_DigestSign*() or EVP_DigestVerify*() operation we use
the embedded pctx for communication with the provider. Any MD params need
to use that ctx instead.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10013)

5 years agoUpdate documentation
Matt Caswell [Mon, 23 Sep 2019 15:43:08 +0000 (16:43 +0100)]
Update documentation

Add documentation for EVP_DigestSignInit_ex() and
EVP_DigestVerifyInit_ex(), and add an appropriate CHANGES entry.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10013)

5 years agoEnsure we look at EVP_MD_CTX_FLAG_KEEP_PKEY_CTX in non-legacy code
Matt Caswell [Tue, 24 Sep 2019 09:23:41 +0000 (10:23 +0100)]
Ensure we look at EVP_MD_CTX_FLAG_KEEP_PKEY_CTX in non-legacy code

This flag is still relevant even for non-legacy code so we should check
it where appropriate.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10013)

5 years agoAdd EVP_DigestSign/EVP_DigestVerify support for DSA
Matt Caswell [Mon, 23 Sep 2019 13:36:32 +0000 (14:36 +0100)]
Add EVP_DigestSign/EVP_DigestVerify support for DSA

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10013)

5 years agoAdd the provider function signatures for DigestSign*
Matt Caswell [Mon, 16 Sep 2019 16:14:21 +0000 (17:14 +0100)]
Add the provider function signatures for DigestSign*

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10013)

5 years agoAdd rc5 ciphers to default provider
Shane Lontis [Thu, 3 Oct 2019 06:05:49 +0000 (16:05 +1000)]
Add rc5 ciphers to default provider

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10006)

5 years agoAdd arm64 in test matrix on TravisCI.
Fangming.Fang [Sun, 29 Sep 2019 05:58:19 +0000 (05:58 +0000)]
Add arm64 in test matrix on TravisCI.

Change-Id: I5d2b729699cfd8e80c3df17db4a9d2edcbf64454

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10046)

5 years agodoc: EVP_DigestInit clears all flags
Christian Heimes [Fri, 27 Sep 2019 09:08:43 +0000 (11:08 +0200)]
doc: EVP_DigestInit clears all flags

Mention that EVP_DigestInit() also clears all flags.

Fixes: 10031
Signed-off-by: Christian Heimes <christian@python.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10032)

5 years agoFix errors found by new find-doc-nits
Rich Salz [Fri, 27 Sep 2019 17:17:09 +0000 (13:17 -0400)]
Fix errors found by new find-doc-nits

Also patch find-doc-nits to ignore a Microsoft trademark and not
flag it as a spelling error.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10023)

5 years agoAdd wordlist from man7.org
Rich Salz [Wed, 25 Sep 2019 19:39:03 +0000 (15:39 -0400)]
Add wordlist from man7.org

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10023)

5 years agoDo not print extensions in Certificate message for TLS1.2 and lower
Daniil Zotkin [Tue, 24 Sep 2019 08:08:23 +0000 (11:08 +0300)]
Do not print extensions in Certificate message for TLS1.2 and lower

According to RFC8446 CertificateEntry in Certificate message contains
extensions that were not present in the Certificate message in RFC5246.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9994)

5 years agoFix Coverity issues
Shane Lontis [Wed, 2 Oct 2019 23:29:51 +0000 (09:29 +1000)]
Fix Coverity issues

CID 1453954 & 1453955

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9977)

5 years agoFix long name of some Microsoft objects
Michael Osipov [Fri, 27 Sep 2019 07:04:53 +0000 (09:04 +0200)]
Fix long name of some Microsoft objects

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10029)

5 years agodoc/man1: fix malformed options
Richard Levitte [Wed, 2 Oct 2019 15:13:03 +0000 (17:13 +0200)]
doc/man1: fix malformed options

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10073)

5 years agoutil/find-doc-nits: more precise option and function name checker
Richard Levitte [Wed, 2 Oct 2019 11:16:48 +0000 (13:16 +0200)]
util/find-doc-nits: more precise option and function name checker

The checks for our uses of 'B<' and 'I<' for options, and possibly
function names, was over-reaching quite a bit.

So we fine-tune it a bit:

- by only checking for options in man1 pages, and only in SYNOPSIS
  and *OPTIONS sections.
- by only checking for function names in man3 pages.

The man1 option checker has the additional check that options found in
*OPTIONS are also found in SYNOPSIS andd vice versa.

In all cases, this also handles options and function names with
additional markup, such as 'B<-I<cipher>>' and 'B<sk_I<TYPE>_push>'.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10073)

5 years agoUpdate "missing documentation" function lists
Rich Salz [Tue, 1 Oct 2019 20:15:22 +0000 (16:15 -0400)]
Update "missing documentation" function lists

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10064)

5 years agoAdd '=for comment ifdef' to pod pages
Rich Salz [Sun, 22 Sep 2019 23:49:25 +0000 (19:49 -0400)]
Add '=for comment ifdef' to pod pages

Make find-doc-nits understand that
        =for comment ifdef ssl3 ...
in a POD page means that the "-ssl3" flag might be ifdef'd out in the
local environment, and not to complain about it.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9974)

5 years agoMake EVP_CIPHER_is_a() work with legacy cipher implementations too
Richard Levitte [Wed, 25 Sep 2019 07:15:42 +0000 (09:15 +0200)]
Make EVP_CIPHER_is_a() work with legacy cipher implementations too

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10008)

5 years agoRemove EVP_CIPH_FLAG_DEFAULT_ASN1 from all provided implementations
Richard Levitte [Wed, 25 Sep 2019 07:07:20 +0000 (09:07 +0200)]
Remove EVP_CIPH_FLAG_DEFAULT_ASN1 from all provided implementations

Since that flag has lost its relevance, don't use it any more.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10008)

5 years agoAdapt EVP_CIPHER_{param_to_asn1,asn1_to_param} for use with provider.
Richard Levitte [Wed, 25 Sep 2019 06:56:14 +0000 (08:56 +0200)]
Adapt EVP_CIPHER_{param_to_asn1,asn1_to_param} for use with provider.

So far, these two funtions have depended on legacy EVP_CIPHER
implementations to be able to do their work.  This change adapts them
to work with provided implementations as well, in one of two possible
ways:

1.  If the implementation's set_asn1_parameters or get_asn1_parameters
    function pointers are non-NULL, this is a legacy implementation,
    and that function is called.
2.  Otherwise, if the cipher doesn't have EVP_CIPH_FLAG_CUSTOM_ASN1
    set, the default AlgorithmIdentifier parameter code in libcrypto
    is executed.
3.  Otherwise, if the cipher is a provided implementation, the ASN1
    type structure is converted to a DER blob which is then passed to
    the implementation as a parameter (param_to_asn1) or the DER blob
    is retrieved from the implementation as a parameter and converted
    locally to a ASN1_TYPE (asn1_to_param).

With this, the old flag EVP_CIPH_FLAG_DEFAULT_ASN1 has become
irrelevant and is simply ignored.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10008)

5 years agoMake manuals with TYPE conform with man-pages(7)
Richard Levitte [Sat, 28 Sep 2019 05:33:38 +0000 (07:33 +0200)]
Make manuals with TYPE conform with man-pages(7)

Details from man-pages(7) that are used:

    Formatting conventions for manual pages describing functions

        ...
        Variable names should, like argument names, be specified in italics.
        ...

    Formatting conventions (general)

        ...
        Special macros, which are usually in uppercase, are in bold.
        Exception: don't boldface NULL.
        ...

Furthermore, for TYPE used as a placeholder for types and correponding
part of function names, we extrapolate that it's both a type and a
variable, and should therefore be bold (typical for types and function
names) and italic (typical for variables).  POD processors don'e know
this, so we have to help them along.  Therefore:

   SPARSE_ARRAY_OF(TYPE)        => B<SPARSE_ARRAY_OF>(B<I<TYPE>>)
   ossl_sa_TYPE_num()           => B<ossl_sa_I<TYPE>_num>()
   TYPE                         => B<I<TYPE>>

There are some other less typical uses where one simply has to give
formatting some extra though.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10041)

5 years agoMake ASN1 manuals conform with man-pages(7)
Richard Levitte [Sat, 28 Sep 2019 06:07:18 +0000 (08:07 +0200)]
Make ASN1 manuals conform with man-pages(7)

Details from man-pages(7) that are used:

    Formatting conventions for manual pages describing functions

        ...
        Variable names should, like argument names, be specified in italics.
        ...

    Formatting conventions (general)

        ...
        Special macros, which are usually in uppercase, are in bold.
        Exception: don't boldface NULL.
        ...

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10042)

5 years agoConsistent formatting of flags with args
Rich Salz [Wed, 25 Sep 2019 19:20:11 +0000 (15:20 -0400)]
Consistent formatting of flags with args

For documentation of all commands with "-flag arg" format them
consistently: "B<-flag> I<arg>", except when arg is literal
(for example "B<-inform> B<PEM>|B<DER>")
Update find-doc-nits to complain if badly formatted strings are found.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10022)