Remove double fetch of "OSSL_EX_DATA_GLOBAL" for global lock

Fetch once and just pass the global ex_data to the "get_and_lock" static
function.

Removed a redundant null pointer

Remove double fetch of "OSSL_EX_DATA_GLOBAL" for global lock

Fetch once and just pass the global ex_data to the "get_and_lock" static
function.

Removed a redundant null pointer check within the "get_and_lock" static
function (control already performed by the caller).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11152)

show more ...

spkac: Check return values of NETSCAPE_SPKI functions

Fixes silently producing an invalid SPKAC with non-RSA keys.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmit

spkac: Check return values of NETSCAPE_SPKI functions

Fixes silently producing an invalid SPKAC with non-RSA keys.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11224)

show more ...

Document the new DigestSign provider functions

As well as the newly added "one shot" functions, we also document a number
of the other other digestsign functions which were missing docum

Document the new DigestSign provider functions

As well as the newly added "one shot" functions, we also document a number
of the other other digestsign functions which were missing documentation in
provider-signature.pod.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11261)

show more ...

Implement provider support for Ed25519 annd Ed448

At the moment we only provider support for these algorithms in the default
provider. These algorithms only support "one shot" EVP_Digest

Implement provider support for Ed25519 annd Ed448

At the moment we only provider support for these algorithms in the default
provider. These algorithms only support "one shot" EVP_DigestSign() and
EVP_DigestVerify() as per the existing libcrypto versions.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11261)

show more ...

Add provider awareness of EVP_DigestSign() and EVP_DigestVerify()

These "one-shot" functions are the only ones supported by Ed25519 and
Ed448, so we need to ensure that libcrypto can han

Add provider awareness of EVP_DigestSign() and EVP_DigestVerify()

These "one-shot" functions are the only ones supported by Ed25519 and
Ed448, so we need to ensure that libcrypto can handle provider
based implementations of these functions.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11261)

show more ...

Add Key Management support for EdDSA keys

Support added for Ed25519 and Ed448

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl

Add Key Management support for EdDSA keys

Support added for Ed25519 and Ed448

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11261)

show more ...

Refactor CRMF_poposigningkey_init() to work with provider keys

The code in this function was almost entirely a copy of the
functionality in ASN1_item_sign(), so it gets refactored to act

Refactor CRMF_poposigningkey_init() to work with provider keys

The code in this function was almost entirely a copy of the
functionality in ASN1_item_sign(), so it gets refactored to actually
call ASN1_item_sign(), and thereby automatically gets support for
EVP_PKEYs with only provider side keys.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11126)

show more ...

doc: slightly reformulate 'openssl(1)/Random State Options' section

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11252)

Improve small block cipher performance

Avoid function calls we don't need to do.

In 1.1.1 we have:
aes-128-cbc 572267.80k 681197.08k 715430.74k 720508.59k 722359.64k

Improve small block cipher performance

Avoid function calls we don't need to do.

In 1.1.1 we have:
aes-128-cbc 572267.80k 681197.08k 715430.74k 720508.59k 722359.64k 723004.07k

Current master:
aes-128-cbc 460663.70k 631125.66k 701283.58k 719794.52k 724732.59k 726668.63k

new:
aes-128-cbc 582057.64k 684288.62k 715721.90k 724856.15k 717578.24k 727176.53k

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11102)

show more ...

Add -section option to 'req' command

This removes "req" as the hardwired section for the req command.
Doing this will let us merge some test configs.

Reviewed-by: Tomas Mraz <tm

Add -section option to 'req' command

This removes "req" as the hardwired section for the req command.
Doing this will let us merge some test configs.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11249)

show more ...

cmdline app: add provider commandline options.

Add a -provider option to allow providers to be loaded. This option can be
specified multiple times.

Add a -provider_path option t

cmdline app: add provider commandline options.

Add a -provider option to allow providers to be loaded. This option can be
specified multiple times.

Add a -provider_path option to allow the path to providers to be specified.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11167)

show more ...

man1: make all openssl command line tool documentation generated.

With the introduction of provider command line options which are applicable to
almost all of the command line tools, it

man1: make all openssl command line tool documentation generated.

With the introduction of provider command line options which are applicable to
almost all of the command line tools, it seemed reasonable to make them all
generated. This simplifes the .gitignore and avoids having to keep two lists
in sync.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11167)

show more ...

Change DH_get_nid() to set the value of q if it is not already set

Fixes #11108.

It only sets q if a valid named group is found.
The function signature was recently changed to p

Change DH_get_nid() to set the value of q if it is not already set

Fixes #11108.

It only sets q if a valid named group is found.
The function signature was recently changed to pass a non const DH pointer
in order to allow the nid to be cached internally. As an extension of this
the value of q can now also be set as q is always known for named groups.
The length field is also set if q is set.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11114)

show more ...

Clarify the usage of EVP_PKEY_get_raw_[private|public]_key()

EVP_PKEY_get_raw_private_key() and EVP_PKEY_get_raw_public_key() expect
the size of the key buffer to be populated in the |*l

Clarify the usage of EVP_PKEY_get_raw_[private|public]_key()

EVP_PKEY_get_raw_private_key() and EVP_PKEY_get_raw_public_key() expect
the size of the key buffer to be populated in the |*len| parameter on
entry - but the docs made no mention of this.

Fixes #11245

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11254)

show more ...

Use .cnf for config files, not .conf

The default is openssl.cnf The project seems to prefer xxx.conf these
days, but we should use the default convention.

Rename all foo.conf (

Use .cnf for config files, not .conf

The default is openssl.cnf The project seems to prefer xxx.conf these
days, but we should use the default convention.

Rename all foo.conf (except for Configurations) to foo.cnf

Fixes #11174

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11176)

show more ...

Remove unused files

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11176)

fix a minor bug of s_client

CLA: trivial

-CAstore's option should be OPT_CASTORE, instead of OPT_CAFILE
correct also -no-CAstore option from OPT_NOCAPATH to OPT_NOCASTORE

fix a minor bug of s_client

CLA: trivial

-CAstore's option should be OPT_CASTORE, instead of OPT_CAFILE
correct also -no-CAstore option from OPT_NOCAPATH to OPT_NOCASTORE

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11215)

show more ...

Add CIFuzz action

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https

Add CIFuzz action

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11140)

show more ...

crypto/ec/curve448/eddsa.c: fix EBCDIC platforms

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://gith

crypto/ec/curve448/eddsa.c: fix EBCDIC platforms

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11229)

show more ...

aes-s390x.pl: fix stg offset caused by typo in perlasm

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from

aes-s390x.pl: fix stg offset caused by typo in perlasm

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11234)

show more ...

.github/PULL_REQUEST_TEMPLATE.md: Fix link to contributors guide

The file was converted to Markdown and renamed appropriately in
2e07506a12e126894cd820304465162bc0e732b4.

CLA: t

.github/PULL_REQUEST_TEMPLATE.md: Fix link to contributors guide

The file was converted to Markdown and renamed appropriately in
2e07506a12e126894cd820304465162bc0e732b4.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11223)

show more ...

Add DSA Key validation to default provider

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10912)

Add DH key validation to default provider

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10911)

config, Configure: move the check of removed crypto/ sub-systems

The 'config' script checked for a bunch of crypto/ sub-system
directories, and added 'no-' options if they weren't there.

config, Configure: move the check of removed crypto/ sub-systems

The 'config' script checked for a bunch of crypto/ sub-system
directories, and added 'no-' options if they weren't there.

We move it to 'Configure' in an effort to simplify 'config' for
further work.

Note: this is pretty much a historical thing. In modern OpenSSL, it's
much simpler to edit the SUBDIRS statement in crypto/build.info.
However, it's been claimed the there are those who still remove some
of these sub-system sources.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11217)

show more ...

.travis.yml: where it matters, have build and source nesting levels differ

Where we build out of source, the source directory was _srcdist and
the build directory was _build. That gives

.travis.yml: where it matters, have build and source nesting levels differ

Where we build out of source, the source directory was _srcdist and
the build directory was _build. That gives the same nesting level for
both, which doesn't quite exercise all aspects of relative back
references from build to source tree.

Changing the build tree to be in _build/tree will challenge back
references a bit more, and ensure a bit more that we got it right.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11186)

show more ...