property: move additional query functions to property_query.c

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com

property: move additional query functions to property_query.c

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15614)

show more ...

property: improve ossl_property_find_property() function

This function searches a property list for a specific property and returns
a pointer to the definition if found. The existing ve

property: improve ossl_property_find_property() function

This function searches a property list for a specific property and returns
a pointer to the definition if found. The existing version was O(n) time,
the improved O(log n).

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15614)

show more ...

Rename `n` field to `num_properties` in property definition structure.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://g

Rename `n` field to `num_properties` in property definition structure.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15614)

show more ...

PROV: drop get_params() and gettable_params() from all encoder implementatio

They aren't needed at all any more, since the properties contain the
same information.

This also dro

PROV: drop get_params() and gettable_params() from all encoder implementatio

They aren't needed at all any more, since the properties contain the
same information.

This also drops the parameter names OSSL_ENCODER_PARAM_OUTPUT_TYPE
and OSSL_ENCODER_PARAM_OUTPUT_STRUCTURE

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)

show more ...

ENCODER: use property definitions instead of getting implementation parameters

The OSSL_ENCODER library used to ask each encoder implementation for
certain data in form of parameters to

ENCODER: use property definitions instead of getting implementation parameters

The OSSL_ENCODER library used to ask each encoder implementation for
certain data in form of parameters to place them correctly in the
encoder chain, if at all. These parameters were duplicates of
properties of those same implementations, and therefore unnecessarily
redundant.

Now that we have functionality to query property definition values,
those duplicates are no longer needed, and are therefore not looked at
any more.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)

show more ...

ENCODER: Drop OSSL_ENCODER_PARAM_INPUT_TYPE

This was a poor substitute for using the name of the decoder implementation,
and since there is functionality to get the latter now, this para

ENCODER: Drop OSSL_ENCODER_PARAM_INPUT_TYPE

This was a poor substitute for using the name of the decoder implementation,
and since there is functionality to get the latter now, this parameter
can be dropped.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)

show more ...

PROV: drop get_params() and gettable_params() from all decoder implementations

They aren't needed at all any more, since the properties contain the
same information.

This also d

PROV: drop get_params() and gettable_params() from all decoder implementations

They aren't needed at all any more, since the properties contain the
same information.

This also drops the parameter names OSSL_DECODER_PARAM_INPUT_TYPE
and OSSL_DECODER_PARAM_INPUT_STRUCTURE.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)

show more ...

DECODER: use property definitions instead of getting implementation parameters

The OSSL_DECODER library used to ask each decoder implementation for
certain data in form of parameters to

DECODER: use property definitions instead of getting implementation parameters

The OSSL_DECODER library used to ask each decoder implementation for
certain data in form of parameters to place them correctly in the
decoder chain, if at all. These parameters were duplicates of
properties of those same implementations, and therefore unnecessarily
redundant.

Now that we have functionality to query property definition values,
those duplicates are no longer needed, and are therefore not looked at
any more.

This adds the "global" error reason ERR_R_INVALID_PROPERTY_DEFINITION,
which can be re-used elsewhere.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)

show more ...

property: Add functionality to query data from a property definition

This required making some OSSL_PROPERTY types a little less private.

Reviewed-by: Tomas Mraz <tomas@openssl.org>

property: Add functionality to query data from a property definition

This required making some OSSL_PROPERTY types a little less private.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)

show more ...

make update-fips-checksums

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15615)

FIPS: don't include crypto/passphrase.c in libfips.a

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/op

FIPS: don't include crypto/passphrase.c in libfips.a

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15615)

show more ...

Add documentation for newly added ASN1 functions

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openss

Add documentation for newly added ASN1 functions

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

show more ...

Ensure libctx/propq is propagated when handling X509_REQ

When we create via d2i or dup an X509_REQ we should ensure that the libctx
is properly propagated. We also ensure we create X509_

Ensure libctx/propq is propagated when handling X509_REQ

When we create via d2i or dup an X509_REQ we should ensure that the libctx
is properly propagated. We also ensure we create X509_REQ objects with the
proper libctx assigned in the CMP tests.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

show more ...

Give ASN.1 objects the ability to report their libctx/propq

Some ASN.1 objects have an embedded libctx/propq. If they have one we
give the ASN.1 code the ability to find these values and

Give ASN.1 objects the ability to report their libctx/propq

Some ASN.1 objects have an embedded libctx/propq. If they have one we
give the ASN.1 code the ability to find these values and use them where
needed. This is used for OSSL_CMP_MSG_dup() and X509_dup().

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

show more ...

Make sure X509_dup() also dup's any associated EVP_PKEY

Otherwise we can end up with a blank EVP_PKEY. If it is later recreated
it can end up with the wrong libctx/propq.

Review

Make sure X509_dup() also dup's any associated EVP_PKEY

Otherwise we can end up with a blank EVP_PKEY. If it is later recreated
it can end up with the wrong libctx/propq.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

show more ...

Use the new ASN.1 libctx aware capabilities in CMP

Make sure we pass the libctx/propq around everywhere that we need it to
ensure we get provider keys when needed.

Reviewed-by:

Use the new ASN.1 libctx aware capabilities in CMP

Make sure we pass the libctx/propq around everywhere that we need it to
ensure we get provider keys when needed.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

show more ...

Use the new ASN.1 libctx aware functions in CMS

Make sure we pass the libctx around when working with CMS structures

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed

Use the new ASN.1 libctx aware functions in CMS

Make sure we pass the libctx around when working with CMS structures

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

show more ...

Teach more of the ASN.1 code about libctx/propq

Make sure we pass libctx/propq down to all the layers so that objects that
are created during parsing have the right values. Then use this

Teach more of the ASN.1 code about libctx/propq

Make sure we pass libctx/propq down to all the layers so that objects that
are created during parsing have the right values. Then use this new
capability for PKCS7.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

show more ...

Teach the ASN.1 code how to create embedded objects with libctx/propq

An ASN.1 object such as an X509 may have embedded objects in it such as
an X509_PUBKEY. If there is a libctx/propq i

Teach the ASN.1 code how to create embedded objects with libctx/propq

An ASN.1 object such as an X509 may have embedded objects in it such as
an X509_PUBKEY. If there is a libctx/propq in use then we need to make sure
we pass these down to the constructors of these embedded objects.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

show more ...

Fix evp_extra_test to use libctx in an X509_PUBKEY

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/open

Fix evp_extra_test to use libctx in an X509_PUBKEY

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

show more ...

Provide the ability to create an X509_PUBKEY with a libctx/propq

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://g

Provide the ability to create an X509_PUBKEY with a libctx/propq

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

show more ...

Test a bad SmtpUTF8Mailbox name constraint

We add a verify test with a cert with a SAN and a bad SmtpUTF8Mailbox
entry, with an intermediate certificate with email name constraints.

Test a bad SmtpUTF8Mailbox name constraint

We add a verify test with a cert with a SAN and a bad SmtpUTF8Mailbox
entry, with an intermediate certificate with email name constraints.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15611)

show more ...

Check that we got the expected name type when verifying name constraints

If a SAN field contains an SmtpUTF8Mailbox name then it is expected to
have a UTF8String type. We should verify t

Check that we got the expected name type when verifying name constraints

If a SAN field contains an SmtpUTF8Mailbox name then it is expected to
have a UTF8String type. We should verify that it really does before we
attempt to use the value in it.

Reported by Corey Bonnell

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15611)

show more ...

Update fips checksums to drop the ssl headers

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/

Update fips checksums to drop the ssl headers

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15609)

show more ...

Move libssl related defines used by fips provider to prov_ssl.h

This nicely reduces the number of files considered as fips
provider sources.

Reviewed-by: Matt Caswell <matt@open

Move libssl related defines used by fips provider to prov_ssl.h

This nicely reduces the number of files considered as fips
provider sources.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15609)

show more ...