x509: improve error reporting

Distinguish between not being able to extract a public key versus not knowing
the key's type.

Alternative to #15921

Reviewed-by: Matt Casw

x509: improve error reporting

Distinguish between not being able to extract a public key versus not knowing
the key's type.

Alternative to #15921

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15944)

show more ...

Missing link to fips_config documentation

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/

Missing link to fips_config documentation

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15940)

show more ...

coverity #1486532: fix potential NULL dereference in test_mk_file_path()

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github

coverity #1486532: fix potential NULL dereference in test_mk_file_path()

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15942)

show more ...

coverity #1486531: return error properly from x509_pubkey_ex_new_ex()

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.co

coverity #1486531: return error properly from x509_pubkey_ex_new_ex()

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15942)

show more ...

EVP: Have EVP_PKCS82PKEY_ex() pass a correct selection to OSSL_DECODER

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://git

EVP: Have EVP_PKCS82PKEY_ex() pass a correct selection to OSSL_DECODER

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15934)

show more ...

DECODER & ENCODER: Make sure to pass around the original selection bits

When decoding a key and asking the keymgmt to import the key data, it
was told that the key data includes everythi

DECODER & ENCODER: Make sure to pass around the original selection bits

When decoding a key and asking the keymgmt to import the key data, it
was told that the key data includes everything. This may not be true,
since the user may have specified a different selection, and some
keymgmts may want to be informed.

Our key decoders' export function, on the other hand, didn't care
either, and simply export anything they could, regardless.

In both cases, the selection that was specified by the user is now
passed all the way.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15934)

show more ...

ossl_cmp_error_new(): Fix Coverity issue 1486534, and consequently also issues 1486536 and 1486533

The issues are due to an integer overflow that may happen on '(ERR_SYSTEM_FLAG << 1)'.

ossl_cmp_error_new(): Fix Coverity issue 1486534, and consequently also issues 1486536 and 1486533

The issues are due to an integer overflow that may happen on '(ERR_SYSTEM_FLAG << 1)'.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15938)

show more ...

doc: make error checking in ticket handling code explicit

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas

doc: make error checking in ticket handling code explicit

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15918)

show more ...

darwin platform replacing getentropy usage by platform api instead.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github

darwin platform replacing getentropy usage by platform api instead.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15924)

show more ...

OSSL_STORE: Fix crash when tracing STORE

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openss

OSSL_STORE: Fix crash when tracing STORE

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15931)

show more ...

ENCODER & DECODER: Make a tighter coupling between en/decoders and keymgmt

If there are keymgmts and en/decoders from the same provider, try to
combine them first.

This avoids u

ENCODER & DECODER: Make a tighter coupling between en/decoders and keymgmt

If there are keymgmts and en/decoders from the same provider, try to
combine them first.

This avoids unnecessary export/import dances, and also tries to avoid
issues where the keymgmt doesn't fully support exporting and importing,
which we can assume will be the case for HSM protected keys.

Fixes #15932

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15933)

show more ...

PROV: Have our PEM->DER decoder only recognise our PEM names

This is to avoid creating confusion where other PEM decoder
implementations may know better what PEM names that are unknown t

PROV: Have our PEM->DER decoder only recognise our PEM names

This is to avoid creating confusion where other PEM decoder
implementations may know better what PEM names that are unknown to us
actually mean.

Fixes #15929

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15930)

show more ...

Ensure ordinals are created during release process

We introduce a new makefile target "make release-update" that forces
ordinal file renumbering, and also does the fips checksum updates.

Ensure ordinals are created during release process

We introduce a new makefile target "make release-update" that forces
ordinal file renumbering, and also does the fips checksum updates. We
then call that from the release script.

Fixes #15806

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15901)

show more ...

Update config.pm

Missing '(' added into a PowerPC-specific command

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https

Update config.pm

Missing '(' added into a PowerPC-specific command

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15911)

show more ...

evp_test: use correct size in memory clear

Fixes #15917

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15920)

DOC: Clarify the role of EKUs including defaults for TLS client and server use

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14199)

Fix 'openssl req' to correctly use the algorithm from '-newkey algo:nnnn'

We used the original string, which meant fetching for, for example,
'rsa:2048'. That was, of course, doomed to

Fix 'openssl req' to correctly use the algorithm from '-newkey algo:nnnn'

We used the original string, which meant fetching for, for example,
'rsa:2048'. That was, of course, doomed to fail.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15912)

show more ...

ENCODER & DECODER: Allow en/decoders to have multiple names

We had prepared for this a little bit, but apparently not completed it.

Reviewed-by: Paul Dale <pauli@openssl.org>
(M

ENCODER & DECODER: Allow en/decoders to have multiple names

We had prepared for this a little bit, but apparently not completed it.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15904)

show more ...

doc: update up call documentation

Some of the BIO functions weren't included in the provider-base documentation.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https:

doc: update up call documentation

Some of the BIO functions weren't included in the provider-base documentation.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15909)

show more ...

test/recipes/90-test_includes_data/vms-includes.cnf: correct the directory

... to mimic includes.cnf

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/o

test/recipes/90-test_includes_data/vms-includes.cnf: correct the directory

... to mimic includes.cnf

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15823)

show more ...

apps/CA.pl.in: restore the quotes around -CAfile, they were there for a reason

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15823)

test/recipes/80-test_ca.t: Don't force quotes around the config file in $cnf

However, when passing it through the OPENSSL_CONFIG environment
variable, we still need the quotes, just to m

test/recipes/80-test_ca.t: Don't force quotes around the config file in $cnf

However, when passing it through the OPENSSL_CONFIG environment
variable, we still need the quotes, just to make sure.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15823)

show more ...

test/recipes/66-test_ossl_store.t: ensure native paths

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15823)

testutil: teach test_mk_file_path() how to merge VMS file specs

This isn't a full solution, it only handles current use cases.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged

testutil: teach test_mk_file_path() how to merge VMS file specs

This isn't a full solution, it only handles current use cases.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15823)

show more ...

test/ossl_store_test.c: Adapt the use of datadir for VMS paths

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15823)