Fix no-ec build

Don't attempt to build ecx related source files in a "no-ec" build.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.o

Fix no-ec build

Don't attempt to build ecx related source files in a "no-ec" build.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11065)

show more ...

Add OSSL_SERIALIZER_PUBKEY_TO_DER_PQ and friends

It's already used internally, there's no reason the DER serializer
propqueries shouldn't be present alongside the PEM and TEXT ones.

Add OSSL_SERIALIZER_PUBKEY_TO_DER_PQ and friends

It's already used internally, there's no reason the DER serializer
propqueries shouldn't be present alongside the PEM and TEXT ones.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11055)

show more ...

fix build for new HTTP client in case OPENSSL_NO_CMP or OPENSSL_NO_OCSP

fix also formatting nits w.r.t. #if indentations in ocsp.h

Reviewed-by: Matt Caswell <matt@openssl.org>
R

fix build for new HTTP client in case OPENSSL_NO_CMP or OPENSSL_NO_OCSP

fix also formatting nits w.r.t. #if indentations in ocsp.h

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11058)

show more ...

Remove unused ossl_param_bld_to_param_ex() function.

The recently introduced ossl_param_bld_to_param_ex() function is only
called by the unit tests.

Reviewed-by: Matt Caswell <m

Remove unused ossl_param_bld_to_param_ex() function.

The recently introduced ossl_param_bld_to_param_ex() function is only
called by the unit tests.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11053)

show more ...

Remove unused OSSL_PARAM_construct_from_text() function.

This function is recently introduced and never called by the library or tests.

Reviewed-by: Matt Caswell <matt@openssl.org>

Remove unused OSSL_PARAM_construct_from_text() function.

This function is recently introduced and never called by the library or tests.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11053)

show more ...

Add NEWS entry about deprecation of command line public tools

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10977)

dsa: deprecate applications that depend on the low level DSA functions.

speed is updated to not support DSA instead of being removed.

The dhparam, dsaparam, dsa and gendsa commands

dsa: deprecate applications that depend on the low level DSA functions.

speed is updated to not support DSA instead of being removed.

The dhparam, dsaparam, dsa and gendsa commands are deprecated but still
exist without NO_DEPRECATED defined.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10977)

show more ...

app: add a deprecation warning to all deprecated commands.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10977)

test/recipes/80-test_ssl_old.t: Replace 'openssl gendsa'

Use 'openssl genpkey' instead.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com

test/recipes/80-test_ssl_old.t: Replace 'openssl gendsa'

Use 'openssl genpkey' instead.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10977)

show more ...

test_dsa: fix deprecation logic

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10977)

test/recipes/15-test_dsa.t: Deal with deprecation of 'openssl dsa'

Do not run programs that depend on deprecated APIs when
'no-deprecated' is configured.

We still retain the con

test/recipes/15-test_dsa.t: Deal with deprecation of 'openssl dsa'

Do not run programs that depend on deprecated APIs when
'no-deprecated' is configured.

We still retain the conversion tests that use 'openssl pkey', and add
the one that's missing.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10977)

show more ...

Deprecate the low level DSA functions.

Use of the low level DSA functions has been informally discouraged for a
long time. We now formally deprecate them.

Reviewed-by: Matt Casw

Deprecate the low level DSA functions.

Use of the low level DSA functions has been informally discouraged for a
long time. We now formally deprecate them.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10977)

show more ...

dsa.h: fix preprocessor indentation

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10977)

DSA: fix the DSA parameter logic in test.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10977)

Add S390 support for provider based X25519/X448

Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://githu

Add S390 support for provider based X25519/X448

Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10964)

show more ...

Add X25519/X448 Key Exchange to the default provider

Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://

Add X25519/X448 Key Exchange to the default provider

Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10964)

show more ...

Implement Provider side Key Management for X25519 and X448

Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from ht

Implement Provider side Key Management for X25519 and X448

Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10964)

show more ...

Implement a stricter ECX_KEY type

Add ref counting and control how we allocate storage for the private key.
We will need this type in following commits where we move the ecx code
to

Implement a stricter ECX_KEY type

Add ref counting and control how we allocate storage for the private key.
We will need this type in following commits where we move the ecx code
to be provider aware.

Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10964)

show more ...

Check that ed25519 and ed448 are allowed by the security level

Signature algorithms not using an MD weren't checked that they're
allowed by the security level.

Reviewed-by: Matt

Check that ed25519 and ed448 are allowed by the security level

Signature algorithms not using an MD weren't checked that they're
allowed by the security level.

Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #10785

show more ...

Generate new Ed488 certificates

Create a whole chain of Ed488 certificates so that we can use it at security
level 4 (192 bit). We had an 2048 bit RSA (112 bit, level 2) root sign the

Generate new Ed488 certificates

Create a whole chain of Ed488 certificates so that we can use it at security
level 4 (192 bit). We had an 2048 bit RSA (112 bit, level 2) root sign the
Ed488 certificate using SHA256 (128 bit, level 3).

Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #10785

show more ...

Add a minimal build target for Travis and Appveyor

[extended tests]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9982)

X509_PUBKEY_set(): Fix memory leak

With the provided method of creating the new X509_PUBKEY, an extra
EVP_PKEY is created and needs to be properly cleaned away.

(note: we could

X509_PUBKEY_set(): Fix memory leak

With the provided method of creating the new X509_PUBKEY, an extra
EVP_PKEY is created and needs to be properly cleaned away.

(note: we could choose to keep it just as well, but there are
consequences, explained in a comment in the code)

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11038)

show more ...

Generalize the HTTP client so far implemented mostly in crypto/ocsp/ocsp_ht.c
The new client has become an independent libcrpyto module in crypto/http/ and
* can handle any types of requests

Generalize the HTTP client so far implemented mostly in crypto/ocsp/ocsp_ht.c
The new client has become an independent libcrpyto module in crypto/http/ and
* can handle any types of requests and responses (ASN.1-encoded and plain)
* does not include potentially busy loops when waiting for responses but
* makes use of a new timeout mechanism integrated with socket-based BIO
* supports the use of HTTP proxies and TLS, including HTTPS over proxies
* supports HTTP redirection via codes 301 and 302 for GET requests
* returns more useful diagnostics in various error situations
Also adapts - and strongly simplifies - hitherto uses of HTTP in crypto/ocsp/,
crypto/x509/x_all.c, apps/lib/apps.c, and apps/{ocsp,s_client,s_server}.c

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/10667)

show more ...

add BIO_socket_wait(), BIO_wait(), and BIO_connect_retry() improving timeout support

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.

add BIO_socket_wait(), BIO_wait(), and BIO_connect_retry() improving timeout support

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/10667)

show more ...

PROV: Ensure the AlgorithmIdentifier registers in DSA signature impl

When setting up the hash function for DSA signature, the encoded
AlgorithmIdentifier for the DSA+hash combination is

PROV: Ensure the AlgorithmIdentifier registers in DSA signature impl

When setting up the hash function for DSA signature, the encoded
AlgorithmIdentifier for the DSA+hash combination is queried, but not
stored, which leads to problems when signing ASN.1 items in libcrypto.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11037)

show more ...