History log of /openssl/ (Results 10376 – 10400 of 36079)
Revision Date Author Comments
f4c88073 25-Feb-2020 Richard Levitte

Windows makefile generator: Don't delete long lists of files in one go

The Windows command line has its limits, and we're hitting it hard.
We therefore generate one 'del' command for each explicit file for the
'clean' target.

Fixes #11163

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11171)

a70535f8 27-Mar-2020 Matt Caswell

Give a better error if we can't find a sig alg

Some scenarios where we could not find a suitable sig alg just
gave "internal error" as the reason - which isn't very helpful. A
more suitable reason code already exists - so we use that.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11425)

fd03868b 27-Mar-2020 Nicola Tuveri

Fix off-by-1 bug on provider_activate with custom error strings

Starting `cnt` from 1 would work if we weren't using cnt itself to
access elements of the array returned calling the provider callback.

As it is before this commit, we have 2 problems:
- first, in the unlikely case that the incoming array was "empty" (only
  contains the terminator item) we would skip past it and potentially
  end up with oob reads;
- otherwise, at the end of the while loop, `cnt` will be equal to the
  number of items in the input array, not 1 more. We then add 1 more to
  the zalloc call to account for the library name item, and we fill all
  of it (relying on zalloc to have zeroed the terminator item).
  The first read access that will read the list up to the terminator
  will result in an OOB read as we did not allocate enough space to also
  contain the terminator.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11427)

551543e5 27-Mar-2020 Nicola Tuveri

Add test for providers exposing OSSL_FUNC_PROVIDER_GET_REASON_STRINGS

This test currently fails, next commit has the description of the bug
and the fix.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11427)

e15d3697 25-Mar-2020 Matt Caswell

Document the new X509v3_cache_extensions() function

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11409)

9f0f53b7 20-Mar-2020 Matt Caswell

Explicitly cache X509v3 extensions in libssl

Caching the X509v3 extensions requires an explicit libctx. We do that
where required in libssl.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11409)

33328581 20-Mar-2020 Matt Caswell

Add the X509v3_cache_extensions() function

Various functions cause the results of processing extensions to be
cached. The processing itself requires a libctx, and so this implicit
caching means that the default ctx is used which can lead to failures.
By explicitly caching the extensions we can specify the libctx to be used.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11409)

c2146b57 27-Mar-2020 Matt Caswell

Don't attempt to up-ref an EVP_CIPHER if it is NULL

EVP_CIPHERs in the ssl_cipher_methods table can be NULL if
they are not available. We shouldn't attempt to up-ref a
cipher if it is NULL.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11426)

743d9c16 26-Mar-2020 Matt Caswell

Describe the "want" parameter in int create_bare_ssl_connection()

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11406)

e737adb4 20-Mar-2020 Matt Caswell

Display errors if a test TLS connection fails

If a connection fails it is useful during debugging to have any errors
that are on the OpenSSL error stack at the time of the failure.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11406)

20c98cd4 27-Mar-2020 Pauli

Param builder: Remove the static size limit.

Prior to this, the param builder had a statically sized array internally.
This changes it so that it uses a stack instead.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11390)

6d4e6009 25-Mar-2020 Pauli

Param build: make structures opaque.

Since this is public, it is best to make the underlying structure opaque.
This means converting from stack allocation to dynamic allocation for all
usages.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11390)

be19d3ca 24-Mar-2020 Pauli

NEWS: note OSSL_PARAM_BLD API as public.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11390)

110bff61 24-Mar-2020 Pauli

Param builder: make the OSSL_PARAM_BLD APIs public.

The catalyst for this is the difficulty of passing BNs through the other
OSSL_PARAM APIs.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11390)

9e885a70 26-Mar-2020 Tomas Mraz

s_server: Properly indicate ALPN protocol mismatch

Return SSL_TLSEXT_ERR_ALERT_FATAL from alpn_select_cb so that
an alert is sent to the client on ALPN protocol mismatch.

Fixes: #2708

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11415)

9e2c0358 24-Mar-2020 Richard Levitte

PROV: Fix EC_KEY exporters to allow domain parameter keys

The provider key export functions for EC_KEY assumed that a public key
is always present, and would fail if not. This blocks any attempt to
export a key structure with only domain parameters.

This is similar to earlier work done in EVP_PKEY_ASN1_METHODs.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11394)

4c106e20 25-Mar-2020 Matt Caswell

Document various SRP related APIs

This includes the newly added *_ex() variants that take a libctx/property
query string.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11410)

20c00d0a 20-Mar-2020 Matt Caswell

Use the new library context aware SRP functions in sslapitest

For the moment this still just uses the default library context, but a
future version of sslapitest will specify a non-default library context.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11410)

1744b6d3 20-Mar-2020 Matt Caswell

Update libssl to use the new library context aware SRP functions

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11410)

e85982c7 20-Mar-2020 Matt Caswell

Make SRP library context aware

In order for the TLS SRP tests to pass when using a non-default library
context the underlying SRP calls need to be library context aware.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11410)

c9f51264 25-Mar-2020 Matt Caswell

Use the new OCSP functions in sslapitest.c

At the moment we just use the default libctx - but a future PR will add
support for running sslapitest with a non-default libctx.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11407)

be6aeda6 20-Mar-2020 Matt Caswell

Add OCSP_RESPID_set_by_key_ex() and OCSP_RESPID_match_ex()

OCSP_RESPID_set_by_key() calculates a SHA1 hash of the supplied
certificate. We need to be able to specify which libctx and property
query string is used to fetch that algorithm so we introduce
OCSP_RESPID_set_by_key_ex() which does the same thing but enables you to
specify the library context and property query string explicitly.

OCSP_RESPID_match() matches with certificates based on the SHA1 hash.
Therefore for the same reason we introduce OCSP_RESPID_match_ex().

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11407)

5fcb97c6 20-Mar-2020 Matt Caswell

Ignore some fetch failures

Some fetch failures are ok and should be ignored.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11405)

6b1e5fa4 25-Mar-2020 Matt Caswell

Put an error on the stack in the event of a fetch failure

Fetch failures are a common problem and it is useful to have detailed
information about what was requested in the event of a failure.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11405)

9727f4e7 20-Mar-2020 Matt Caswell

Use a fetched cipher for the TLSv1.3 early secret

We should use an explicitly fetched cipher to ensure that we are using
the correct libctx and property query.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11402)
