Update documentation following changes of various types

The previous commit changed the types of various objects passed between
the core and providers. Therefore the documentation needs

Update documentation following changes of various types

The previous commit changed the types of various objects passed between
the core and providers. Therefore the documentation needs to be updated
to reflect that.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11758)

show more ...

Maintain strict type discipline between the core and providers

A provider could be linked against a different version of libcrypto than
the version of libcrypto that loaded the provider.

Maintain strict type discipline between the core and providers

A provider could be linked against a different version of libcrypto than
the version of libcrypto that loaded the provider. Different versions of
libcrypto could define opaque types differently. It must never occur that
a type created in one libcrypto is used directly by the other libcrypto.
This will cause crashes.

We can "cheat" for "built-in" providers that are part of libcrypto itself,
because we know that the two libcrypto versions are the same - but not for
other providers.

To ensure this does not occur we use different types names for the handful
of opaque types that are passed between the core and providers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11758)

show more ...

CORE: Fix a couple of bugs in algorithm_do_this()

The call of ossl_provider_query_operation() used |data->operation_id|,
when |cur_operation| should be used.

If any ossl_provide

CORE: Fix a couple of bugs in algorithm_do_this()

The call of ossl_provider_query_operation() used |data->operation_id|,
when |cur_operation| should be used.

If any ossl_provider_query_operation() call returned NULL, the loop
was stopped, when it should just continue on to the next operation.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11837)

show more ...

Test TLSv1.3 out-of-band PSK with all 5 ciphersuites

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.

Test TLSv1.3 out-of-band PSK with all 5 ciphersuites

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11785)

show more ...

Fix crash in early data send with out-of-band PSK using AES CCM

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk

Fix crash in early data send with out-of-band PSK using AES CCM

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11785)

show more ...

Fix all MD036 (emphasis used instead of heading)

The main fixes were errors in itemized lists "*)" instead of "*"

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by:

Fix all MD036 (emphasis used instead of heading)

The main fixes were errors in itemized lists "*)" instead of "*"

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11770)

show more ...

Add "md-nits" make target

Also fix a nit in recent CHANGES.md update.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-

Add "md-nits" make target

Also fix a nit in recent CHANGES.md update.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11770)

show more ...

Add 'methods' parameter to setup_engine() in apps.c for individual method defaults

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siem

Add 'methods' parameter to setup_engine() in apps.c for individual method defaults

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/4277)

show more ...

Clean up macro definitions of openssl_fdset() in apps.h and sockets.h

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>

Clean up macro definitions of openssl_fdset() in apps.h and sockets.h

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/4277)

show more ...

Use OSSL_STORE for load_{,pub}key() and load_cert() in apps/lib/apps.c

This also adds the more flexible and general load_key_cert_crl()
as well as helper functions get_passwd(), cleanse(

Use OSSL_STORE for load_{,pub}key() and load_cert() in apps/lib/apps.c

This also adds the more flexible and general load_key_cert_crl()
as well as helper functions get_passwd(), cleanse(), and clear_free()
to be used also in apps/cmp.c etc.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11755)

show more ...

Nit-fix: remove whitespace in doc/man3/EVP_PKEY_fromdata.pod causing warning

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.co

Nit-fix: remove whitespace in doc/man3/EVP_PKEY_fromdata.pod causing warning

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11755)

show more ...

Guard use of struct tms with #ifdef __TMS like done earlier in apps/lib/apps.c

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.

Guard use of struct tms with #ifdef __TMS like done earlier in apps/lib/apps.c

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11755)

show more ...

Build: make apps/progs.c depend on configdata.pm

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11824)

SSL: refactor ssl_cert_lookup_by_pkey() to work with provider side keys

Fixes #11720

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl

SSL: refactor ssl_cert_lookup_by_pkey() to work with provider side keys

Fixes #11720

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11828)

show more ...

Ignore some auto-generated DER files

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/ope

Ignore some auto-generated DER files

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11830)

show more ...

Prepare for 3.0 alpha 3

Reviewed-by: Richard Levitte <levitte@openssl.org>

Prepare for release of 3.0 alpha 2

Reviewed-by: Richard Levitte <levitte@openssl.org>

Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11839)

If SOURCE_DATE_EPOCH is defined, use it for copyright year

Using the date from SOURCE_DATE_EPOCH instead of the current date makes
it possible to reproduce a build that was built on a di

If SOURCE_DATE_EPOCH is defined, use it for copyright year

Using the date from SOURCE_DATE_EPOCH instead of the current date makes
it possible to reproduce a build that was built on a different year:
https://reproducible-builds.org/specs/source-date-epoch/

This is fixing an issue we had while building Tor Browser:
https://trac.torproject.org/projects/tor/ticket/33535

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11296)

show more ...

Correct alignment calculation in ssl3_setup_write

The alignment calculation in ssl3_setup_write incorrectly results in an
alignment allowance of
(-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIG

Correct alignment calculation in ssl3_setup_write

The alignment calculation in ssl3_setup_write incorrectly results in an
alignment allowance of
(-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1) bytes. This equals 3
in almost all cases. The maximum alignment actually used in do_ssl3_write
is (SSL3_ALIGN_PAYLOAD - 1). This equals 7 bytes in almost all cases. So
there is a potential to overrun the buffer by up to 4 bytes.

Fortunately, the encryption overhead allowed for is 80 bytes which
consists of 16 bytes for the cipher block size and 64 bytes for the MAC
output. However the biggest MAC that we ever produce is HMAC-384 which is
48 bytes - so we have a headroom of 16 bytes (i.e. more than the 4 bytes
of potential overrun).

Thanks to Nagesh Hegde for reporting this.

Fixes #11766

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11768)

show more ...

Configure: Avoid SIXTY_FOUR_BIT for linux-mips64

This is a 32-bit ABI build (as opposed to linux64-mips64).
Setting SIXTY_FOUR_BIT breaks hardware optimizations, at least on
octeon p

Configure: Avoid SIXTY_FOUR_BIT for linux-mips64

This is a 32-bit ABI build (as opposed to linux64-mips64).
Setting SIXTY_FOUR_BIT breaks hardware optimizations, at least on
octeon processors.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11725)

show more ...

dev/release.sh: Add --reviewer to set reviewers

Doing this is kind of contrary to how we normally do things, as this
constitutes a kind of pre-approval. However, without this, the norma

dev/release.sh: Add --reviewer to set reviewers

Doing this is kind of contrary to how we normally do things, as this
constitutes a kind of pre-approval. However, without this, the normal
review process will modify the reviewed commits, and render the
annotated release tag invalid, which forces the person doing the
release to re-tag manually.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11630)

show more ...

Pass "-z defs" to the linker via "-Wl,-z,defs" rather than with gcc's -z
flag (which is not supported by older compilers).

CLA: trivial

Reviewed-by: Richard Levitte <levitte@ope

Pass "-z defs" to the linker via "-Wl,-z,defs" rather than with gcc's -z
flag (which is not supported by older compilers).

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11815)

show more ...

test/evp_extra_test.c: Add OPENSSL_NO_CMAC around CMAC test

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github

test/evp_extra_test.c: Add OPENSSL_NO_CMAC around CMAC test

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11833)

show more ...

PROV: make some DER AID arrays non-static, to avoid clang complaints

The problem encountered is that some arrays were deemed unnecessary by
clang, for example:

providers/com

PROV: make some DER AID arrays non-static, to avoid clang complaints

The problem encountered is that some arrays were deemed unnecessary by
clang, for example:

providers/common/der/der_rsa.c:424:28: error: variable 'der_aid_sha224Identifier' is not needed and will not be emitted [-Werror,-Wunneeded-internal-declaration]
static const unsigned char der_aid_sha224Identifier[] = {
^

However, these arrays are used in sizeof() expressions in other parts
of the code that's actually used, making that warning-turned-error a
practical problem. We solve this by making the array non-static,
which guarantees that the arrays will be emitted, even though
unnecessarily. Fortunately, they are very small.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11710)

show more ...