History log of /openssl/ (Results 6376 – 6400 of 36070)
Revision Date Author Comments
726f92e0 08-Jun-2021 Arran Cudbard-Bell

Enable ssl-trace by default

There doesn't appear to be a good reason to omit protocol message tracing by default.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15665)

25959e04 05-Apr-2019 Todd Short

Optimize session cache flushing

Sort SSL_SESSION structures by timeout in the linked list.
Iterate over the linked list for timeout, stopping when no more
session can be flushed.
Do SSL_SESSION_free() outside of SSL_CTX lock
Update timeout upon use

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8687)

de5a0198 07-Jun-2021 Tomas Mraz

Fix use after free in OSSL_HTTP_REQ_CTX_set1_req()

Fixes #15647

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15648)

5a9dbfc5 09-Jun-2021 Pauli

err: clear flags better when clearing errors.

An attempt to clear an error with malloced data didn't clear the flags.
Now it clears all flags except the malloced flag.

Fixes #12530

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15667)

5ac6d7d2 08-Jun-2021 Richard Levitte

APPS: Restore the possibility to combine -pubout with -text

This applies to the 'openssl pkey' command.

Fixes #15645

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15658)

b6298a7f 09-Jun-2021 Pauli

util: convert SHA* one shots back to being functions

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15668)

1dc8eb5b 09-Jun-2021 Pauli

changes: fix wording that mentions SHA* one shot functions are deprecated

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15668)

807bb425 09-Jun-2021 Pauli

sha: convert SHA one shot macros back to being functions

Fixes #15655

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15668)

ef2194c4 27-May-2021 Richard Levitte

DECODER & ENCODER: Add better tracing

Now that we have functions to get the name and properties of the
diverse implementations, we can as well display them for clarity.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15498)

8ea5a6b5 27-May-2021 Richard Levitte

DECODER: Adapt addition of extra decoder implementations

The new PKCS#8 decoder implementation decodes from DER to DER.
OSSL_DECODER_CTX_add_extra() wasn't suited for this case; we had to
modify it to walk through all existing decoder implementations, and
filter out those that aren't suitable.
This also turns out to fix the possibility to have more than one extra
decoder implementation that produces the same type of encoding, for
example several different wrapper formats that all decode into DER.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15498)

6a2b8ff3 27-May-2021 Richard Levitte

Decoding PKCS#8: separate decoding of encrypted and unencrypted PKCS#8

This has us switch from the 'structure' "pkcs8" to "PrivateKeyInfo",
which is sensible considering we already have "SubjectPublicKeyInfo".
We also add "EncryptedPrivateKeyInfo", and use it for a special decoder
that detects and decrypts an EncryptedPrivateKeyInfo structured DER
blob into a PrivateKeyInfo structured DER blob and passes that on to
the next decoder implementation.

The result of this change is that PKCS#8 decryption should only happen
once per decoding instead of once for every expected key type.
Furthermore, this new decoder implementation sets the data type to the
OID of the algorithmIdentifier field, thus reducing how many decoder
implementations are tentatively run further down the call chain.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15498)

320fc032 08-Jun-2021 Dr. David von Oheimb

25-test_verify.t: Add test case: accept trusted self-signed EE cert with key usage keyCertSign also when strict

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15656)

80070e47 08-Jun-2021 Dr. David von Oheimb

test/certs/mkcert.sh: Correct description of geneealt parameters

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15656)

65a97b2c 07-Jun-2021 Dr. David von Oheimb

25-test_verify.t: Prevent expiration of test case 'Name constraints bad othername name constraint'

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15656)

d63053bb 07-Jun-2021 Dr. David von Oheimb

80-test_cmp_http.t: Improve the way the test server is launched and killed

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15642)

ee1d1db8 07-Jun-2021 Dr. David von Oheimb

80-test_cmp_http.t: Simplify and prevent hangs on server not launching/behaving correctly

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15642)

f8ab78f6 07-Jun-2021 Rich Salz

Remove I_CAN_LIVE_WITH_LNK4049

Fixes #9332

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15649)

1af9b646 08-Jun-2021 Pauli

keymgmt: better detect when a key manager can be reused

Fixes #14159

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15652)

1355659b 07-Jun-2021 Richard Levitte

OpenSSL::Test.pm: Replace all uses of rel2abs() with abs_path()

rel2abs() doesn't clean the path well enough, which may lead to odd
results when calculating new paths. abs_path() works better for this
sort of thing.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15644)

4bf696c1 07-Jun-2021 Matt Caswell

Correctly detect decode errors when checking if a key is supported

If we have an unsupported key type we may get a decode error and
therefore we should detect that.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)

1df8322c 04-Jun-2021 Matt Caswell

Simplify error reporting in X509_PUBKEY_get0()

The X509_PUBKEY_get0() was attempting to recreate any errors that might
have occurred from the earlier decode process when obtaining the EVP_PKEY.
This is brittle at best and the approach would only work with legacy keys.
We remove this and just report an error directly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)

33fb6ed3 28-May-2021 Matt Caswell

Use the fips-and-base.cnf config file in CMP tests

Two CMP tests were using the fips.cnf config file. However to
ensure that decoders are available the fips-and-base.cnf config
file needs to be used instead.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)

15fd6c23 28-May-2021 Matt Caswell

Mark some priv/public key pairs as only available in the default provider

Now that we actually load public keys from providers we need to mark some
key pairs in the evp tests as only available there. Otherwise we get test
failures when only the FIPS Provider is loaded.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)

b2f1b365 28-May-2021 Matt Caswell

Actually use a legacy route in pem_read_bio_key_legacy()

The function pem_read_bio_key_legacy() is a fallback route if we
failed to load a key via a provider. We should be using the legacy
specific d2i functions to force legacy otherwise we end up using a
provider anyway

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)

237cb05d 27-May-2021 Matt Caswell

Just look for "Unable to load Public Key" if no SM2

The X509 test was looking for some specific errors when printing an SM2
X509 certificate when SM2 is disabled. In fact these errors appear in the
middle of the certificate printing which is quite odd. There is also a
separate error "Unable to load Public Key" which is more cleanly printed.

With the recent change to using provided keys in certs the old errors are
no longer output. However printing them in the middle of the cert is
probably not right anyway. So we just rely on the "Unable to load Public
Key" message.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
