doc: add references to digest life cycle documentation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)

doc: add digest life cycle documentation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)

doc: add digest lifecycle diagram

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)

life-cycles: update digest state table

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)

Add aix64-gcc-as architecture and p2align callback

This commit adds an architecture named aix64-gcc-as which can generate
assembler source code compatible with AIX assembler (as) instead

Add aix64-gcc-as architecture and p2align callback

This commit adds an architecture named aix64-gcc-as which can generate
assembler source code compatible with AIX assembler (as) instead of the
GNU Assembler (gas). This architecture name is then used in a callback
for the .p2align directive which is not available in AIX as.

The motivation for this addition came out of an issue we ran into when
working on upgrading OpenSSL in Node.js. We ran into the following
compilation error on one of the CI machines that uses AIX:

05:39:05 Assembler:
05:39:05 crypto/bn/ppc64-mont-fixed.s: line 4: Error In Syntax

This machine is using AIX Version 7.2 and does not have gas installed
and the .p2align directive is causing this error. After asking around if
it would be possible to install GAS on this machine I learned that AIX
GNU utils are not maintained as well as the native AIX ones and we
(Red Hat/IBM) have run into issues with the GNU utils in the past and if
possible it would be preferable to be able to use the AIX native
assembler.

Refs: https://github.com/nodejs/node/pull/38512

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15638)

show more ...

X509_digest_sig: Handle RSA-PSS and EDDSA certificates

Identify digest from sigalg params for RSA-PSS and fallback
to SHA-256 for EDDSA.

Fixes #15477

Reviewed-by: David

X509_digest_sig: Handle RSA-PSS and EDDSA certificates

Identify digest from sigalg params for RSA-PSS and fallback
to SHA-256 for EDDSA.

Fixes #15477

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15618)

show more ...

Move trust-related decls from x509.h.in to x509_vfy.h.in

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)

x509.h.in: extended 'documenting' comment on X509_TRUST_OK_ANY_EKU

This hopefully alleviates the fact that the name is unclear/misleading.

Reviewed-by: Paul Dale <pauli@openssl.org>

x509.h.in: extended 'documenting' comment on X509_TRUST_OK_ANY_EKU

This hopefully alleviates the fact that the name is unclear/misleading.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)

show more ...

Improve the documentation of cert path building and validation

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)

X509_STORE_CTX_new.pod and x509_vfy.h.in: rename some params for clarity, improve their doc

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pul

X509_STORE_CTX_new.pod and x509_vfy.h.in: rename some params for clarity, improve their doc

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)

show more ...

x509_vfy.c: Improve a couple of internally documenting comments

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)

x509_trs.c: rename to x509_trust.c and correct comment in trust_compat()

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)

Fix AIX FIPS DEP.

The entry point needs the option 'binitfini', but it was not being
added since the perl code to detect the match did not work.

The entry point for AIX is no lo

Fix AIX FIPS DEP.

The entry point needs the option 'binitfini', but it was not being
added since the perl code to detect the match did not work.

The entry point for AIX is no longer static - so a wrapper has been
added to call the static version.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15636)

show more ...

BIO_write-ex(): Improve behavior in corner cases and documentation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.

BIO_write-ex(): Improve behavior in corner cases and documentation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15608)

show more ...

Add a gettable for provider ciphers to return the EVP_CIPH_RAND_KEY flag

Fixes #15531

DES and TDES set this flag which could possibly be used by applications.
The gettable ciphe

Add a gettable for provider ciphers to return the EVP_CIPH_RAND_KEY flag

Fixes #15531

DES and TDES set this flag which could possibly be used by applications.
The gettable cipher param OSSL_CIPHER_PARAM_HAS_RAND_KEY has been added.

Note that EVP_CIPHER_CTX_rand_key() uses this flag.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15606)

show more ...

Document missing EC/SM2 params

Fixes #15548

Document OSSL_PKEY_PARAM_EC_PUB_X, OSSL_PKEY_PARAM_EC_PUB_Y and OSSL_PKEY_PARAM_DEFAULT_DIGEST
Added a section related to parameters

Document missing EC/SM2 params

Fixes #15548

Document OSSL_PKEY_PARAM_EC_PUB_X, OSSL_PKEY_PARAM_EC_PUB_Y and OSSL_PKEY_PARAM_DEFAULT_DIGEST
Added a section related to parameters for SM2.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15601)

show more ...

Test EVP_CipherInit sequences and resets

Various EVP_CipherInit sequences including partial inits and initializations
with different "enc" flags caused problems on s390x. Similarly, cip

Test EVP_CipherInit sequences and resets

Various EVP_CipherInit sequences including partial inits and initializations
with different "enc" flags caused problems on s390x. Similarly, cipher
reinitialization and especially GCM reinitialization with different tag length
led to wrong results. Add some unit tests to cover these rather exotic use
cases.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15521)

show more ...

Fix CipherInit on s390x.

Various different initialization sequences led to bugs on s390x due to caching
and processing during key setting. Since, e.g., the direction does not
necess

Fix CipherInit on s390x.

Various different initialization sequences led to bugs on s390x due to caching
and processing during key setting. Since, e.g., the direction does not
necessarily have to be correct during initialization, this produced bugs in
s390x which were not present on other architectures. Fix this by recomputing
the function codes on the fly during updates and final operations.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15521)

show more ...

Use rd instead rmdir

to avoid collision with rmdir.exe from cygwin or msys

Original idea by Mladen Turk @mturk

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by:

Use rd instead rmdir

to avoid collision with rmdir.exe from cygwin or msys

Original idea by Mladen Turk @mturk

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15610)

show more ...

Fix generate_ssl_tests.pl

Fix the generate_ssl_tests.pl script so that it can be run standalone from
the command line according to the instructions in test/README.ssltest.md

Fix

Fix generate_ssl_tests.pl

Fix the generate_ssl_tests.pl script so that it can be run standalone from
the command line according to the instructions in test/README.ssltest.md

Fixes #11430

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15617)

show more ...

Elimination of some sources not needed in the FIPS_MODULE

Unfortunately in terms of fips.sources this does not mean much
given the way how the .h files are added via the dependency
i

Elimination of some sources not needed in the FIPS_MODULE

Unfortunately in terms of fips.sources this does not mean much
given the way how the .h files are added via the dependency
information from the compiler.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15622)

show more ...

test/recipes/80-test_cmp_http.t: Don't trust $server_port in start_mock_server()

Even if $server_port isn't touched, it's still a number coming from
configuration. It's therefore not tr

test/recipes/80-test_cmp_http.t: Don't trust $server_port in start_mock_server()

Even if $server_port isn't touched, it's still a number coming from
configuration. It's therefore not trustable as an indicator that the
ACCEPT line delivered a port number or an error indication.

$accept_msg is used instead to capture the port if there is one, and
be a better indicator of error.

Fixes #15557
Fixes #15571

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15580)

show more ...

test/recipes/80-test_cmp_http.t: Simplify test_cmp_http()

test_cmp_http() made some assumptions about what values that exit_checker
could get that aren't quite right.

Furthermor

test/recipes/80-test_cmp_http.t: Simplify test_cmp_http()

test_cmp_http() made some assumptions about what values that exit_checker
could get that aren't quite right.

Furthermore, the expected result isn't about exit codes, but about
true or false. This is better served by getting the value from
OpenSSL::Test::run(), and checking that value against $expected_result
with Test::More::is().

Fixes #15557
Fixes #15571

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15580)

show more ...

doc: update generated image files

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/

doc: update generated image files

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15616)

show more ...

doc: update Graphviz images to have a transparent background

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://githu

doc: update Graphviz images to have a transparent background

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15616)

show more ...