Prepare for 3.0 alpha 15

Reviewed-by: Tomas Mraz <tomas@openssl.org>

Prepare for release of 3.0 alpha 14

Reviewed-by: Tomas Mraz <tomas@openssl.org>

Deprecate the EVP_PKEY controls for CMS and PKCS#7

Improve the ossl_rsa_check_key() to prevent non-signature
operations with PSS keys.

Do not invoke the EVP_PKEY controls for CM

Deprecate the EVP_PKEY controls for CMS and PKCS#7

Improve the ossl_rsa_check_key() to prevent non-signature
operations with PSS keys.

Do not invoke the EVP_PKEY controls for CMS and PKCS#7 anymore
as they are not needed anymore and deprecate them.

Fixes #14276

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14760)

show more ...

Add a range check (from SP800-56Ar3) to DH key derivation.

Fixes #14401

Note that this moves the public key check out of DH compute_key() since
key validation does not belong in

Add a range check (from SP800-56Ar3) to DH key derivation.

Fixes #14401

Note that this moves the public key check out of DH compute_key() since
key validation does not belong inside this primitive..
The check has been moved to the EVP_PKEY_derive_set_peer() function so that
it generally applies to all exchange operations.. Use EVP_PKEY_derive_set_peer_ex()
to disable this behaviour.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14717)

show more ...

CHANGES.md: reflect OSSL_HTTP_REQ_CTX_i2d renamed to OSSL_HTTP_REQ_CTX_set1_req

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14630)

Update CHANGES.md and NEWS.md for new release

Reviewed-by: Tomas Mraz <tomas@openssl.org>

Dual 1024-bit exponentiation optimization for Intel IceLake CPU
with AVX512_IFMA + AVX512_VL instructions, primarily for RSA CRT private key
operations. It uses 256-bit registers to avoid CPU

Dual 1024-bit exponentiation optimization for Intel IceLake CPU
with AVX512_IFMA + AVX512_VL instructions, primarily for RSA CRT private key
operations. It uses 256-bit registers to avoid CPU frequency scaling issues.
The performance speedup for RSA2k signature on ICL is ~2x.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13750)

show more ...

TS and CMS CAdES-BES: Refactor check_signing_certs() funcs into common ESS func

Also constify related CMS/PKCS7 functions and improve error codes thrown.

Reviewed-by: Tomas Mraz <to

TS and CMS CAdES-BES: Refactor check_signing_certs() funcs into common ESS func

Also constify related CMS/PKCS7 functions and improve error codes thrown.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14503)

show more ...

ts_check_signing_certs(): Make sure both ESSCertID and ESSCertIDv2 are checked

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14503)

TS ESS: Invert the search logic of ts_check_signing_certs() to correctly cover cert ID list

Fixes #14190

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.

TS ESS: Invert the search logic of ts_check_signing_certs() to correctly cover cert ID list

Fixes #14190

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14503)

show more ...

Add a CHANGES entry for the cosmetic differences in textual output

Numerous functions have had their textual output amended. We add
a CHANGES entry for this.

Fixes #14476

Add a CHANGES entry for the cosmetic differences in textual output

Numerous functions have had their textual output amended. We add
a CHANGES entry for this.

Fixes #14476

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)

show more ...

Update CHANGES with info about AuthEnvelopedData addition

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/opens

Update CHANGES with info about AuthEnvelopedData addition

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14456)

show more ...

Prepare for 3.0 alpha 14

Reviewed-by: Richard Levitte <levitte@openssl.org>

Prepare for release of 3.0 alpha 13

Reviewed-by: Richard Levitte <levitte@openssl.org>

Use read/write locking on Windows

Fixes #13914

The "SRWLock" synchronization primitive is available in Windows Vista
and later. CRYPTO_THREAD functions now use SRWLock function

Use read/write locking on Windows

Fixes #13914

The "SRWLock" synchronization primitive is available in Windows Vista
and later. CRYPTO_THREAD functions now use SRWLock functions when the
target operating system supports them.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14381)

show more ...

Add new filter BIO BIO_f_readbuffer()

This allows BIO_tell() and BIO_seek() to work for BIO's that do
not support these methods. The main use case for this is file/fd BIO's
that use

Add new filter BIO BIO_f_readbuffer()

This allows BIO_tell() and BIO_seek() to work for BIO's that do
not support these methods. The main use case for this is file/fd BIO's
that use stdin.

This works for stdin taken from input redirection (command < file),
and stdin via pipe (cat file | command).

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14407)

show more ...

Change default algorithms in PKCS12_create() and PKCS12_set_mac()

Use the modern defaults as now set in the pkcs12 app. This also
allows modifying the application to not override the def

Change default algorithms in PKCS12_create() and PKCS12_set_mac()

Use the modern defaults as now set in the pkcs12 app. This also
allows modifying the application to not override the default values
when calling the API.

Fixes #14034

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14450)

show more ...

Mention the change of licence in NEWS.md

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14

Mention the change of licence in NEWS.md

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14465)

show more ...

Expand the CHANGES entry for SHA1 and libssl

As well as SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 not working at
security level 1 we also document that TLS 1.2 connection will fail
if the

Expand the CHANGES entry for SHA1 and libssl

As well as SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 not working at
security level 1 we also document that TLS 1.2 connection will fail
if the ClientHello does not have a signature algorithms extension.

Fixes #14447

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14465)

show more ...

Add a CHANGES for OSSL_STORE_INFO_get_type()

The function OSSL_STORE_INFO_get_type() may now return a new object
type. Applications may have to be amended accordingly.

Fixes #14

Add a CHANGES for OSSL_STORE_INFO_get_type()

The function OSSL_STORE_INFO_get_type() may now return a new object
type. Applications may have to be amended accordingly.

Fixes #14446

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14465)

show more ...

Add a missing CHANGES.md entry for the legacy provider

Numerous ciphers and digests have been moved to the legacy provider.
There should be a CHANGES.md entry pointing this out.

Add a missing CHANGES.md entry for the legacy provider

Numerous ciphers and digests have been moved to the legacy provider.
There should be a CHANGES.md entry pointing this out.

Fixes #14441

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14465)

show more ...

Non-const accessor to legacy keys

Fixes #14466.

Reverting the changes of the EVP_PKEY_get0 function.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://gi

Non-const accessor to legacy keys

Fixes #14466.

Reverting the changes of the EVP_PKEY_get0 function.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14468)

show more ...

Make the EVP_PKEY_get0* functions have a const return type

OTC have decided that the EVP_PKEY_get0* functions should have a const
return type. This is a breaking change to emphasise that

Make the EVP_PKEY_get0* functions have a const return type

OTC have decided that the EVP_PKEY_get0* functions should have a const
return type. This is a breaking change to emphasise that these values
should be considered as immutable.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14319)

show more ...

Document the change in behaviour of the the low level key getters/setters

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Revie

Document the change in behaviour of the the low level key getters/setters

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14319)

show more ...

Ensure the various legacy key EVP_PKEY getters/setters are deprecated

Most of these were already deprecated but a few have been missed. This
commit corrects that.

Fixes #14303

Ensure the various legacy key EVP_PKEY getters/setters are deprecated

Most of these were already deprecated but a few have been missed. This
commit corrects that.

Fixes #14303
Fixes #14317

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14319)

show more ...