various kdfs: Always reset buflen after clearing the buffer

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17165)

More detailed explanation how do engines work in 3.0

Related: #16868, #17081, #17107

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/p

More detailed explanation how do engines work in 3.0

Related: #16868, #17081, #17107

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17115)

show more ...

No EtM for GOST ciphers in TLS 1.2

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17150)

Return -1 properly from do_X509_REQ_verify and do_X509_verify

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/op

Return -1 properly from do_X509_REQ_verify and do_X509_verify

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17001)

show more ...

Don't include any TLSv1.3 ciphersuites that are disabled

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>

Don't include any TLSv1.3 ciphersuites that are disabled

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16925)

show more ...

doc: remove non-existent callbacks

These used to exist but were removed before release.
Updating the documentation was missed.

Fixes #17138

Reviewed-by: Tomas Mraz <tom

doc: remove non-existent callbacks

These used to exist but were removed before release.
Updating the documentation was missed.

Fixes #17138

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17141)

show more ...

Fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value

When an integer value was specified, it was not being passed back via
the orig_p2 weirdness.

Regression test include

Fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value

When an integer value was specified, it was not being passed back via
the orig_p2 weirdness.

Regression test included.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17136)

show more ...

TEST: Enable and fix test_bn2padded() in test/bntest.c

This looks like old code, written when the padded variety of BN_bn2bin()
was developped, and disabled by default... and forgotten.

TEST: Enable and fix test_bn2padded() in test/bntest.c

This looks like old code, written when the padded variety of BN_bn2bin()
was developped, and disabled by default... and forgotten.

A few simple changes to update it to the current API is all that was
needed to enable it.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17133)

show more ...

BIO_push.pod: fix confusing text and add details on corner cases

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.co

BIO_push.pod: fix confusing text and add details on corner cases

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17086)

show more ...

Enable brainpool curves for TLS1.3

See the recently assigned brainpool code points at:
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Reviewed-by: Paul Dal

Enable brainpool curves for TLS1.3

See the recently assigned brainpool code points at:
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7485)

show more ...

Detect arm64-*-*bsd and enable assembly optimizations

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/o

Detect arm64-*-*bsd and enable assembly optimizations

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17084)

show more ...

Don't delete the doc/html directories when cleaning

The doc/html sub-dirs get created by Configure. Therefore they should
not be cleaned away by "nmake clean". Otherwise the following se

Don't delete the doc/html directories when cleaning

The doc/html sub-dirs get created by Configure. Therefore they should
not be cleaned away by "nmake clean". Otherwise the following sequence
fails:

perl Configure VC-WIN64A
nmake clean
nmake
nmake install

Fixes #17114

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17128)

show more ...

check the return value of OPENSSL_strdup(CRYPTO_strdup) in apps/lib/app_rand.c:32

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merge

check the return value of OPENSSL_strdup(CRYPTO_strdup) in apps/lib/app_rand.c:32

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17124)

show more ...

doc: fix macro name

OSSL_STORE_INFO_X509 doesn't exist. It should be OSSL_STORE_INFO_CERT.

Fixes #17121

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from

doc: fix macro name

OSSL_STORE_INFO_X509 doesn't exist. It should be OSSL_STORE_INFO_CERT.

Fixes #17121

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17125)

show more ...

check the return value of OPENSSL_strdup(CRYPTO_strdup) to prevent potential memory access error

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>

check the return value of OPENSSL_strdup(CRYPTO_strdup) to prevent potential memory access error

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17113)

show more ...

check the return value of OPENSSL_strdup to prevent potential memory access error

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by

check the return value of OPENSSL_strdup to prevent potential memory access error

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17110)

show more ...

Allow sign extension in OSSL_PARAM_allocate_from_text()

This is done for the data type OSSL_PARAM_INTEGER by checking if the
most significant bit is set, and adding 8 to the number of bu

Allow sign extension in OSSL_PARAM_allocate_from_text()

This is done for the data type OSSL_PARAM_INTEGER by checking if the
most significant bit is set, and adding 8 to the number of buffer bits
if that is the case. Everything else is already in place.

Fixes #17103

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17104)

show more ...

Have OSSL_PARAM_allocate_from_text() raise error on unexpected neg number

When the parameter definition has the data type OSSL_PARAM_UNSIGNED_INTEGER,
negative input values should not be

Have OSSL_PARAM_allocate_from_text() raise error on unexpected neg number

When the parameter definition has the data type OSSL_PARAM_UNSIGNED_INTEGER,
negative input values should not be accepted.

Fixes #17103

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17104)

show more ...

Test the performance of OSSL_PARAM_allocate_from_text with arbitrary size ints

With arbitrary size ints, we get to know exactly how large the minimum
buffer must be.

Reviewed-by

Test the performance of OSSL_PARAM_allocate_from_text with arbitrary size ints

With arbitrary size ints, we get to know exactly how large the minimum
buffer must be.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17104)

show more ...

Add test for copying uninitialized EVP_MD_CTX

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/

Add test for copying uninitialized EVP_MD_CTX

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17118)

show more ...

EVP_MD_CTX_copy_ex: Allow copying uninitialized digest contexts

Fixes #17117

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged

EVP_MD_CTX_copy_ex: Allow copying uninitialized digest contexts

Fixes #17117

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17118)

show more ...

Clarify and correct the EVP_CTRL_AEAD_SET_TAG docs

The restriction about setting a tag length prior to setting the IV only
applies to OCB mode. We clarify when in the process EVP_CTRL_AE

Clarify and correct the EVP_CTRL_AEAD_SET_TAG docs

The restriction about setting a tag length prior to setting the IV only
applies to OCB mode. We clarify when in the process EVP_CTRL_AEAD_SET_TAG
can be called.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17111)

show more ...

x509: Return a nonzero exit code on error when checking ip/email/host

In the x509 app when doing the ip/email/host validation of a
certificate we return nonzero exit code if the validati

x509: Return a nonzero exit code on error when checking ip/email/host

In the x509 app when doing the ip/email/host validation of a
certificate we return nonzero exit code if the validation fails.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17022)

show more ...

Fix detection of ARMv7 and ARM64 CPU features on FreeBSD

OpenSSL assumes AT_HWCAP = 16 (as on Linux), but on FreeBSD AT_HWCAP = 25
Switch to using AT_HWCAP, and setting it to 16 if it is

Fix detection of ARMv7 and ARM64 CPU features on FreeBSD

OpenSSL assumes AT_HWCAP = 16 (as on Linux), but on FreeBSD AT_HWCAP = 25
Switch to using AT_HWCAP, and setting it to 16 if it is not defined.

OpenSSL calls elf_auxv_info() with AT_CANARY which returns ENOENT
resulting in all ARM acceleration features being disabled.

CLA: trivial

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17082)

show more ...

Support different R_BITS lengths for KBKDF

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull

Support different R_BITS lengths for KBKDF

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17063)

show more ...