doc: support the roleSpecCertIdentifier X.509v3 extension

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/o

doc: support the roleSpecCertIdentifier X.509v3 extension

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25428)

show more ...

EVP_get_default_properties - make update

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/

EVP_get_default_properties - make update

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25434)

show more ...

feat: support the authorityAttributeIdentifier X.509v3 extension

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://githu

feat: support the authorityAttributeIdentifier X.509v3 extension

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25244)

show more ...

libcrypto/libssl.num: Set the numbers for 3_4_0 symbols

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <ppzg

libcrypto/libssl.num: Set the numbers for 3_4_0 symbols

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25393)

show more ...

EVP_MD_size() updates

For SHAKE algorithms we now return 0 from EVP_MD_size().
So all the places that check for < 0 needed to change to <= 0
(Otherwise the behaviour will be to diges

EVP_MD_size() updates

For SHAKE algorithms we now return 0 from EVP_MD_size().
So all the places that check for < 0 needed to change to <= 0
(Otherwise the behaviour will be to digest nothing in most cases).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25285)

show more ...

feat: Implement EVP_PKEY_CTX_{set,get}_algor_params() and EVP_PKEY_CTX_get_algor()

This should be sufficient to cover the intent with the following legacy ctrls:

- EVP_PKEY_CTRL_PKC

feat: Implement EVP_PKEY_CTX_{set,get}_algor_params() and EVP_PKEY_CTX_get_algor()

This should be sufficient to cover the intent with the following legacy ctrls:

- EVP_PKEY_CTRL_PKCS7_ENCRYPT (through EVP_ASYM_CIPHER implementations)
- EVP_PKEY_CTRL_PKCS7_DECRYPT (through EVP_ASYM_CIPHER implementations)
- EVP_PKEY_CTRL_PKCS7_SIGN (through EVP_SIGNATURE implementations)
- EVP_PKEY_CTRL_CMS_ENCRYPT (through EVP_ASYM_CIPHER implementations)
- EVP_PKEY_CTRL_CMS_DECRYPT (through EVP_ASYM_CIPHER implementations)
- EVP_PKEY_CTRL_CMS_SIGN (through EVP_SIGNATURE implementations)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25000)

show more ...

feat: Implement EVP_CIPHER_CTX_{set,get}_algor_params() and EVP_CIPHER_CTX_get_algor()

EVP_CIPHER_CTX_set_algor_params() and EVP_CIPHER_CTX_set_algor_params() can
be used instead of EVP_

feat: Implement EVP_CIPHER_CTX_{set,get}_algor_params() and EVP_CIPHER_CTX_get_algor()

EVP_CIPHER_CTX_set_algor_params() and EVP_CIPHER_CTX_set_algor_params() can
be used instead of EVP_CIPHER_asn1_to_param() and EVP_CIPHER_param_to_asn1().

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25000)

show more ...

Implement functionality for direct use of composite signature algorithms

The following API groups are extended with a new init function, as well
as an update and final function, to allow

Implement functionality for direct use of composite signature algorithms

The following API groups are extended with a new init function, as well
as an update and final function, to allow the use of explicitly fetched
signature implementations for any composite signature algorithm, like
"sha1WithRSAEncryption":

- EVP_PKEY_sign
- EVP_PKEY_verify
- EVP_PKEY_verify_recover

To support this, providers are required to add a few new functions, not
the least one that declares what key types an signature implementation
supports.

While at this, the validity check in evp_signature_from_algorithm() is
also refactored; the SIGNATURE provider functionality is too complex for
counters. It's better, or at least more readable, to check function
combinations.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23416)

show more ...

Implementation of the RFC 9579, PBMAC1 in PKCS#12

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openss

Implementation of the RFC 9579, PBMAC1 in PKCS#12

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24577)

show more ...

Add KeyManagement keygen parameter getter/gettable functions.

Added OSSL_FUNC_keymgmt_gen_get_params() and
OSSL_FUNC_keymgmt_gen_gettable_params()

This will allow a FIPS indicat

Add KeyManagement keygen parameter getter/gettable functions.

Added OSSL_FUNC_keymgmt_gen_get_params() and
OSSL_FUNC_keymgmt_gen_gettable_params()

This will allow a FIPS indicator parameter to be queried after keygen.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24978)

show more ...

doc: the basicAttConstraints X.509v3 extension

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/open

doc: the basicAttConstraints X.509v3 extension

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24847)

show more ...

Add an OPENSSL_strtoul wrapper

utility function to give us sane checking on strtoul conversions

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@o

Add an OPENSSL_strtoul wrapper

utility function to give us sane checking on strtoul conversions

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24861)

show more ...

Add FIPS indicators to evp_test

evp_test code needed to be modified to defer setting algorithm contexts
until the run phase. The parse functions also defer setting into the context
u

Add FIPS indicators to evp_test

evp_test code needed to be modified to defer setting algorithm contexts
until the run phase. The parse functions also defer setting into the context
until the run phase, which allows the context to initialize in a controlled order.
This allows params to be passed into the algorithm init function.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24623)

show more ...

add X509v3_add_extensions()

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24792)

Add and Update Documentation for TS_VERIFY_CTX Functions

Mark the existing `TS_VERIFY_CTX_set_certs` function as deprecated in the
documentation.
Add missing documentation for the de

Add and Update Documentation for TS_VERIFY_CTX Functions

Mark the existing `TS_VERIFY_CTX_set_certs` function as deprecated in the
documentation.
Add missing documentation for the deprecated functions `TS_VERIFY_CTX_set_data`,
`TS_VERIFY_CTX_set_imprint`, and `TS_VERIFY_CTX_set_store`.
Write missing documentation for the following functions:
- `TS_VERIFY_CTX_new`
- `TS_VERIFY_CTX_init`
- `TS_VERIFY_CTX_free`
- `TS_VERIFY_CTX_cleanup`
- `TS_VERIFY_CTX_set_flags`
- `TS_VERIFY_CTX_add_flags`
- `TS_VERIFY_CTX_set0_data`
- `TS_VERIFY_CTX_set0_imprint`
- `TS_VERIFY_CTX_set0_store`
- `TS_VERIFY_CTX_set0_certs`

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24701)

show more ...

feat: support userNotice X.509v3 extension

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/

feat: support userNotice X.509v3 extension

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24761)

show more ...

threads_win: fix build error with VS2010 x86

InterlockedAnd64 and InterlockedAdd64 are not available on VS2010 x86.
We already have implemented replacements for other functions, such as

threads_win: fix build error with VS2010 x86

InterlockedAnd64 and InterlockedAdd64 are not available on VS2010 x86.
We already have implemented replacements for other functions, such as
InterlockedOr64. Apply the same approach to fix the errors.
A CRYPTO_RWLOCK rw_lock is added to rcu_lock_st.

Replace InterlockedOr64 and InterlockedOr with CRYPTO_atomic_load and
CRYPTO_atomic_load_int, using the existing design pattern.

Add documentation and tests for the new atomic functions
CRYPTO_atomic_add64, CRYPTO_atomic_and

Fixes:
libcrypto.lib(libcrypto-lib-threads_win.obj) : error LNK2019: unresolved external symbol _InterlockedAdd64 referenced in function _get_hold_current_qp
libcrypto.lib(libcrypto-lib-threads_win.obj) : error LNK2019: unresolved external symbol _InterlockedOr referenced in function _get_hold_current_qp
libcrypto.lib(libcrypto-lib-threads_win.obj) : error LNK2019: unresolved external symbol _InterlockedAnd64 referenced in function _update_qp
libcrypto.lib(libcrypto-lib-threads_win.obj) : error LNK2019: unresolved external symbol _InterlockedOr64 referenced in function _ossl_synchronize_rcu

Signed-off-by: Georgi Valkov <gvalkov@gmail.com>

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24405)

show more ...

Support subjectDirectoryAttributes and associatedInformation exts

Added tests for SDA and AI extensions.
Added internal function ossl_print_attribute_value() with documentation.

Support subjectDirectoryAttributes and associatedInformation exts

Added tests for SDA and AI extensions.
Added internal function ossl_print_attribute_value() with documentation.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24669)

show more ...

CMP: add support for requesting cert template using genm/genp

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from ht

CMP: add support for requesting cert template using genm/genp

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24409)

show more ...

Add support for targetingInformation X.509v3 extension

Support for the targetingInformation X.509v3 extension defined in ITU-T
Recommendation X.509 (2019), Section 17.1.2.2. This extensi

Add support for targetingInformation X.509v3 extension

Support for the targetingInformation X.509v3 extension defined in ITU-T
Recommendation X.509 (2019), Section 17.1.2.2. This extension is used
in attribute certificates.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22206)

show more ...

Move stack of compression methods from libssl to OSSL_LIB_CTX

The compression methods are now a global variable in libssl.
This change moves it into OSSL library context.

It is

Move stack of compression methods from libssl to OSSL_LIB_CTX

The compression methods are now a global variable in libssl.
This change moves it into OSSL library context.

It is necessary to eliminate atexit call from libssl.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24414)

show more ...

Make conf_diagnostics apply also to the SSL conf errors

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/opens

Make conf_diagnostics apply also to the SSL conf errors

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24275)

show more ...

CMP: Improvements of the support for requesting CRL

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <

CMP: Improvements of the support for requesting CRL

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23768)

show more ...

CMP: add support for genm with crlStatusList and genp with crls

Introduce the capability to retrieve and update Certificate Revocation Lists
(CRLs) in the CMP client, as specified in sec

CMP: add support for genm with crlStatusList and genp with crls

Introduce the capability to retrieve and update Certificate Revocation Lists
(CRLs) in the CMP client, as specified in section 4.3.4 of RFC 9483.

To request a CRL update, the CMP client can send a genm message with the
option -infotype crlStatusList. The server will respond with a genp message
containing the updated CRL, using the -infoType id-it-crls. The client can
then save the CRL in a specified file using the -crlout parameter.

Co-authored-by: Rajeev Ranjan <ranjan.rajeev@siemens.com>

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23768)

show more ...

x509_acert: Load attributes from config file section

Several of the attribute values defined for use by attribute certificates
use multi-valued data in an ASN.1 SEQUENCE. Allow reading o

x509_acert: Load attributes from config file section

Several of the attribute values defined for use by attribute certificates
use multi-valued data in an ASN.1 SEQUENCE. Allow reading of these values
from a configuration file, similar to how generic X.509 extensions are
handled.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15857)

show more ...