Copyright year updates


Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes

Remove trailing whitespace

Found by running the checkpatch.pl Linux script to enforce coding style.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: David von Oheimb

Remove trailing whitespace

Found by running the checkpatch.pl Linux script to enforce coding style.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22097)

show more ...

Copyright year updates


Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes

Fix decoders so that they use the passed in propq.

Fixes #21198

decoder objects were setting propq as NULL.
Added a set_ctx/settable_ctx to all decoders that should supply
a

Fix decoders so that they use the passed in propq.

Fixes #21198

decoder objects were setting propq as NULL.
Added a set_ctx/settable_ctx to all decoders that should supply
a property query parameter to internal functions.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21219)

show more ...

configure: introduce no-ecx to remove ECX related feature

This can effectively reduce the binary size for platforms
that don't need ECX feature(~100KB).

Signed-off-by: Yi Li <yi

configure: introduce no-ecx to remove ECX related feature

This can effectively reduce the binary size for platforms
that don't need ECX feature(~100KB).

Signed-off-by: Yi Li <yi1.li@intel.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20781)

show more ...

Do not create DSA keys without parameters by decoder

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

Stop raising ERR_R_MALLOC_FAILURE in most places

Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and
at least handle the file name and line number they are called from,

Stop raising ERR_R_MALLOC_FAILURE in most places

Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and
at least handle the file name and line number they are called from,
there's no need to report ERR_R_MALLOC_FAILURE where they are called
directly, or when SSLfatal() and RLAYERfatal() is used, the reason
`ERR_R_MALLOC_FAILURE` is changed to `ERR_R_CRYPTO_LIB`.

There were a number of places where `ERR_R_MALLOC_FAILURE` was reported
even though it was a function from a different sub-system that was
called. Those places are changed to report ERR_R_{lib}_LIB, where
{lib} is the name of that sub-system.
Some of them are tricky to get right, as we have a lot of functions
that belong in the ASN1 sub-system, and all the `sk_` calls or from
the CRYPTO sub-system.

Some extra adaptation was necessary where there were custom OPENSSL_malloc()
wrappers, and some bugs are fixed alongside these changes.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19301)

show more ...

libcrypto refactoring: introduce and use ossl_asn1_string_set_bits_left()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by:

libcrypto refactoring: introduce and use ossl_asn1_string_set_bits_left()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18668)

show more ...

libcrypto refactoring: make more use of ASN1_STRING_set0()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: David von Ohei

libcrypto refactoring: make more use of ASN1_STRING_set0()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18668)

show more ...

Add X509_PUBKEY_set0_public_key(), extracted from X509_PUBKEY_set0_param()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by

Add X509_PUBKEY_set0_public_key(), extracted from X509_PUBKEY_set0_param()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18668)

show more ...

Update copyright year

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes

Fix typos

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17392)

X509_PUBKEY_dup: Do not just up-ref the EVP_PKEY

We try EVP_PKEY_dup() and if it fails we re-decode it using the
legacy method as provided keys should be duplicable.

Reviewed-by

X509_PUBKEY_dup: Do not just up-ref the EVP_PKEY

We try EVP_PKEY_dup() and if it fails we re-decode it using the
legacy method as provided keys should be duplicable.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16648)

show more ...

coverity #1486531: return error properly from x509_pubkey_ex_new_ex()

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.co

coverity #1486531: return error properly from x509_pubkey_ex_new_ex()

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15942)

show more ...

x509: address NULL dereference and memory leaks

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15910)

Add a generic SubjectPublicKeyInfo decoder

Previously all the SubjectPublicKeyInfo decoders were specific to a key
type. We would iterate over all them until a match was found for the co

Add a generic SubjectPublicKeyInfo decoder

Previously all the SubjectPublicKeyInfo decoders were specific to a key
type. We would iterate over all them until a match was found for the correct
key type. Each one would fully decode the key before then testing whether
it was a match or not - throwing it away if not. This was very inefficient.

Instead we introduce a generic SubjectPublicKeyInfo decoder which figures
out what type of key is contained within it, before subsequently passing on
the data to a key type specific SubjectPublicKeyInfo decoder.

Fixes #15646

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15662)

show more ...

Simplify error reporting in X509_PUBKEY_get0()

The X509_PUBKEY_get0() was attempting to recreate any errors that might
have occurred from the earlier decode process when obtaining the EV

Simplify error reporting in X509_PUBKEY_get0()

The X509_PUBKEY_get0() was attempting to recreate any errors that might
have occurred from the earlier decode process when obtaining the EVP_PKEY.
This is brittle at best and the approach would only work with legacy keys.
We remove this and just report an error directly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)

show more ...

Actually use a legacy route in pem_read_bio_key_legacy()

The function pem_read_bio_key_legacy() is a fallback route if we
failed to load a key via a provider. We should be using the lega

Actually use a legacy route in pem_read_bio_key_legacy()

The function pem_read_bio_key_legacy() is a fallback route if we
failed to load a key via a provider. We should be using the legacy
specific d2i functions to force legacy otherwise we end up using a
provider anyway

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)

show more ...

Only use the legacy route to decode a public key if we have to

We should use a provider to decode a SubjectPublicKeyInfo structure if
we can. We should only use the legacy route if we ar

Only use the legacy route to decode a public key if we have to

We should use a provider to decode a SubjectPublicKeyInfo structure if
we can. We should only use the legacy route if we are forcing legacy, or
if an ENGINE is in use.

Fixes #15393
Fixes #15327

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)

show more ...

Ensure that we consume all the data when decoding an SPKI

If we are decoding a SubjectPublicKeyInfo structure then we must use all
of the data and must not have bytes "left over".

Ensure that we consume all the data when decoding an SPKI

If we are decoding a SubjectPublicKeyInfo structure then we must use all
of the data and must not have bytes "left over".

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)

show more ...

Use the right class/tag when decoding an embedded key

When a key (SubjectPublicKeyInfo) is embedded in some other structure
it may use an implicit tag. However the decoders can only hand

Use the right class/tag when decoding an embedded key

When a key (SubjectPublicKeyInfo) is embedded in some other structure
it may use an implicit tag. However the decoders can only handle the
universal class and don't know how to interpret the implicit tag.
Therefore we modify the data into a form the decoders can handle.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)

show more ...

Use the new ASN.1 libctx aware capabilities in CMP

Make sure we pass the libctx/propq around everywhere that we need it to
ensure we get provider keys when needed.

Reviewed-by:

Use the new ASN.1 libctx aware capabilities in CMP

Make sure we pass the libctx/propq around everywhere that we need it to
ensure we get provider keys when needed.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

show more ...

Teach the ASN.1 code how to create embedded objects with libctx/propq

An ASN.1 object such as an X509 may have embedded objects in it such as
an X509_PUBKEY. If there is a libctx/propq i

Teach the ASN.1 code how to create embedded objects with libctx/propq

An ASN.1 object such as an X509 may have embedded objects in it such as
an X509_PUBKEY. If there is a libctx/propq in use then we need to make sure
we pass these down to the constructors of these embedded objects.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

show more ...

Provide the ability to create an X509_PUBKEY with a libctx/propq

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://g

Provide the ability to create an X509_PUBKEY with a libctx/propq

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

show more ...

x509: remove TODOs

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15539)