Add cmd-nits to travis build

Update CHANGES to have a complete and uniform description.

Fixes #9730

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Revi

Add cmd-nits to travis build

Update CHANGES to have a complete and uniform description.

Fixes #9730

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10972)

show more ...

The -hmac option to speed is now #ifdef'd

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://gith

The -hmac option to speed is now #ifdef'd

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10972)

show more ...

Add missing s_client options

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openss

Add missing s_client options

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10972)

show more ...

Prevent compiler warning for unused static function.

Prepend missing ossl_unused in front of lh_type_new to make the compiler
happy.

CLA: trivial

Reviewed-by: Richard L

Prevent compiler warning for unused static function.

Prepend missing ossl_unused in front of lh_type_new to make the compiler
happy.

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10946)

show more ...

Removed unused ssl_dane struct declaration.

The actually used structure is named ssl_dane_st.

CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>

Removed unused ssl_dane struct declaration.

The actually used structure is named ssl_dane_st.

CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10945)

show more ...

doc: Fix typo in EVP_DigestSignInit manpage

CLA: trivial

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by:

doc: Fix typo in EVP_DigestSignInit manpage

CLA: trivial

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10841)

show more ...

Fix small misspelling in doc for OCSP_response_status

CLA: trivial

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: M

Fix small misspelling in doc for OCSP_response_status

CLA: trivial

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10810)

show more ...

Fix no-sm2

Fix ecdsatest to not run the SM2 test if SM2 has been disabled.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pul

Fix no-sm2

Fix ecdsatest to not run the SM2 test if SM2 has been disabled.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11015)

show more ...

Add FFC param/key generation

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10909)

Fix no-tls1_3

The hostname_cb in sslapitest.c was originally only defined if TLSv1.3
was enabled. A recently added test now uses this unconditionally, so we
move the function impleme

Fix no-tls1_3

The hostname_cb in sslapitest.c was originally only defined if TLSv1.3
was enabled. A recently added test now uses this unconditionally, so we
move the function implementation earlier in the file, and always compile
it in.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11014)

show more ...

Fix builds with no-dh

The various functions in bn_const.c return primes that are
specified for use in DH. However they were not being excluded from
a no-dh build - and was therefore

Fix builds with no-dh

The various functions in bn_const.c return primes that are
specified for use in DH. However they were not being excluded from
a no-dh build - and was therefore causing the build to fail.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10990)

show more ...

Add a test for SSL_CTX_new_with_libctx()

We test that SSL_CTX_new_with_libctx() can be used to control the libctx
that is in use for SSL operations.

Reviewed-by: Paul Dale <paul

Add a test for SSL_CTX_new_with_libctx()

We test that SSL_CTX_new_with_libctx() can be used to control the libctx
that is in use for SSL operations.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10854)

show more ...

Use the OPENSSL_CTX and property query string in EVP_PKEY_CTX

When we use an EVP_PKEY_CTX in libssl we should be doing so with the
OPENSSL_CTX and property query string that were specifi

Use the OPENSSL_CTX and property query string in EVP_PKEY_CTX

When we use an EVP_PKEY_CTX in libssl we should be doing so with the
OPENSSL_CTX and property query string that were specified when the
SSL_CTX object was first created.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10854)

show more ...

Explicitly fetch ciphers and digests in libssl

We modify libssl to use explicitly fetched ciphers, digests and other
algorithms as required based on the configured library context and

Explicitly fetch ciphers and digests in libssl

We modify libssl to use explicitly fetched ciphers, digests and other
algorithms as required based on the configured library context and
property query string for the SSL_CTX that is being used.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10854)

show more ...

Params: change UTF8 construct calls to avoid explicit strlen(3) calls.

It is better, safer and smaller to let the library routine handle the
strlen(3) call.

Added a note to the

Params: change UTF8 construct calls to avoid explicit strlen(3) calls.

It is better, safer and smaller to let the library routine handle the
strlen(3) call.

Added a note to the documentation suggesting this.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11019)

show more ...

Stop accepting certificates signed using SHA1 at security level 1

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
GH: #10786

Create a new embeddedSCTs1 that's signed using SHA256

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
GH: #10786

Fix no-multiblock

Minor fixes to resolve compilation errors with the no-multiblock
Configure option.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://

Fix no-multiblock

Minor fixes to resolve compilation errors with the no-multiblock
Configure option.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11004)

show more ...

Author: Ross Kinsey <RossIKinsey@gmail.com>
Date: Wed Jan 29 00:19:40 2020 -0500

Removed unnecessary switch statements from bio/bf_* callback_ctrl functions

Reviewed-by: Matt

Author: Ross Kinsey <RossIKinsey@gmail.com>
Date: Wed Jan 29 00:19:40 2020 -0500

Removed unnecessary switch statements from bio/bf_* callback_ctrl functions

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10967)

show more ...

x86: Add endbranch to indirect branch targets for Intel CET

To support Intel CET, all indirect branch targets must start with
endbranch. Here is a patch to add endbranch to all function

x86: Add endbranch to indirect branch targets for Intel CET

To support Intel CET, all indirect branch targets must start with
endbranch. Here is a patch to add endbranch to all function entries
in x86 assembly codes which are indirect branch targets as discovered
by running openssl testsuite on Intel CET machine and visual inspection.

Since x86 cbc.pl uses indirect branch with a jump table, we also need
to add endbranch to all jump targets.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10984)

show more ...

Make minimum size for secure memory a size_t.

The minimum size argument to CRYPTO_secure_malloc_init() was an int but ought
to be a size_t since it is a size.

From an API perspe

Make minimum size for secure memory a size_t.

The minimum size argument to CRYPTO_secure_malloc_init() was an int but ought
to be a size_t since it is a size.

From an API perspective, this is a change. However, the minimum size is
verified as being a positive power of two and it will typically be a small
constant.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from #11003)

show more ...

EVP_MD_CTX_ctrl(): Remove unnecessary control

A check was present as to what operation is performed with this
context. It may have been useful at some point, but isn't any more.

EVP_MD_CTX_ctrl(): Remove unnecessary control

A check was present as to what operation is performed with this
context. It may have been useful at some point, but isn't any more.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10947)

show more ...

PROV: Fix the DSA SIGNATURE implementation for better digests handling

Refactor the DSA SIGNATURE digest setup to be uniform, and to happen
in two places:

1. when given through

PROV: Fix the DSA SIGNATURE implementation for better digests handling

Refactor the DSA SIGNATURE digest setup to be uniform, and to happen
in two places:

1. when given through the digestsign and digestverify inits
2. when given through the set_ctx_params function.

When setting up the digest, we also check that the digest is one of
the officially accepted for DSA.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10947)

show more ...

PROV: Implement padding mode words in the RSA ASYM_CIPHER implementation

Because the libcrypto code has relinquished control of exact words to
express padding mode choices, we re-impleme

PROV: Implement padding mode words in the RSA ASYM_CIPHER implementation

Because the libcrypto code has relinquished control of exact words to
express padding mode choices, we re-implement them in the appropriate
provider implementation.

For the sake of legacy controls, we maintain support for the numeric
form of the padding mode, but leave that support otherwise undeclared.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10947)

show more ...

Don't pass a digest-size to signature implementations

It turns out this was never necessary, as the implementation should
always check the default digest size anyway.

Reviewed-b

Don't pass a digest-size to signature implementations

It turns out this was never necessary, as the implementation should
always check the default digest size anyway.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10947)

show more ...