req: detect a bad choice of digest early

This is a regression against 1.1.1 when an unknown digest was detected
early.

Fixes #15285

Reviewed-by: Matt Caswell <matt@open

req: detect a bad choice of digest early

This is a regression against 1.1.1 when an unknown digest was detected
early.

Fixes #15285

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15602)

show more ...

req: fix default bits handling for -newkey

Fixes #15569

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15582)

80-test_http.t: Rename to 79-test_http.t, add basic HTTP server ACCEPT test

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15592)

80-test_cmp_http.t: Improve comparison on server_port variable

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15592)

Add md-nits task

Assumes that Ruby is installed

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli

Add md-nits task

Assumes that Ruby is installed

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15590)

show more ...

Only call dtls1_start_timer() once

The function dtls1_handle_timeout() calls dtls1_double_timeout() which
was calling dtls1_start_timer(). However dtls1_start_timer() is also
called

Only call dtls1_start_timer() once

The function dtls1_handle_timeout() calls dtls1_double_timeout() which
was calling dtls1_start_timer(). However dtls1_start_timer() is also
called directly by dtls1_handle_timeout(). We only need to start the timer
once.

Fixes #15561

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15595)

show more ...

CI windows.yml: Silence 'nmake' builds except 'minimal'; ci.yml: make 'minimal' build verbose

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(

CI windows.yml: Silence 'nmake' builds except 'minimal'; ci.yml: make 'minimal' build verbose

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15594)

show more ...

Teach ASN1_item_verify_ctx() how to handle provided keys

We need to special case RSA-PSS because that uses X509_ALGOR style
parameters and we have no support for this on the provider sid

Teach ASN1_item_verify_ctx() how to handle provided keys

We need to special case RSA-PSS because that uses X509_ALGOR style
parameters and we have no support for this on the provider side at this
stage.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15527)

show more ...

openssl spkac: Fix reading SPKAC data from stdin

Fixes #15367

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://gi

openssl spkac: Fix reading SPKAC data from stdin

Fixes #15367

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15593)

show more ...

OPENSSL_init_crypto must return 0 when cleanup was done

Fixes #15581

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from htt

OPENSSL_init_crypto must return 0 when cleanup was done

Fixes #15581

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15589)

show more ...

Check the return value of ASN1_STRING_length

ASN1_STRING_length gets the field 'length' of msg, which
can be manipulated through a crafted input.
Add a check to avoid error execution

Check the return value of ASN1_STRING_length

ASN1_STRING_length gets the field 'length' of msg, which
can be manipulated through a crafted input.
Add a check to avoid error execution of OPENSSL_malloc().

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15583)

show more ...

80-test_cmp_http.t: Re-enable CMP tests for AIX, removing some inessential test cases

Remove negative test cases which simulate an attempt to write file contents to a directory
using a p

80-test_cmp_http.t: Re-enable CMP tests for AIX, removing some inessential test cases

Remove negative test cases which simulate an attempt to write file contents to a directory
using a path ending in '/' as this is not compatible with fopen on all platforms, e.g., AIX.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15575)

show more ...

Deprecate EVP_CIPHER_impl_ctx_size and EVP_CIPHER_CTX_buf_noconst

Fixes #15519

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged

Deprecate EVP_CIPHER_impl_ctx_size and EVP_CIPHER_CTX_buf_noconst

Fixes #15519

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15584)

show more ...

Restore all the ? in util/libcrypto.num

They will become numbers again when beta1 is actually released.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.co

Restore all the ? in util/libcrypto.num

They will become numbers again when beta1 is actually released.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15578)

show more ...

util/mknum.pl: Really allow unset ordinals in development

Any pre-release tag that includes '-dev' is development. The ordinals
don't need to be finalized before '-dev' is removed (i.e.

util/mknum.pl: Really allow unset ordinals in development

Any pre-release tag that includes '-dev' is development. The ordinals
don't need to be finalized before '-dev' is removed (i.e. a release is
made).

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15578)

show more ...

Fix errors found by parfait static analyser.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/ope

Fix errors found by parfait static analyser.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15579)

show more ...

rsa: make the maximum key strength check FIPS only.

To be reverted once key generation checks are added everywhere and a way to
disable them implemented.

Fixes #15502

R

rsa: make the maximum key strength check FIPS only.

To be reverted once key generation checks are added everywhere and a way to
disable them implemented.

Fixes #15502

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15560)

show more ...

Add an EVP demo for signatures using EC

Fixes #14115

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://gith

Add an EVP demo for signatures using EC

Fixes #14115

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15429)

show more ...

update checksums

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15574)

util: update FIPS checksumming script to be more aggressive with whitespace

Fixes #15562

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/opens

util: update FIPS checksumming script to be more aggressive with whitespace

Fixes #15562

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15574)

show more ...

Add enable-fips to CI configuration

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>

Add enable-fips to CI configuration

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15537)

show more ...

Disable tracing within the FIPS module

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.co

Disable tracing within the FIPS module

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15537)

show more ...

ed25519 and ed448: fix incorrect OSSL_PKEY_PARAM_MAX_SIZE

Fixes #15552

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Review

ed25519 and ed448: fix incorrect OSSL_PKEY_PARAM_MAX_SIZE

Fixes #15552

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15566)

show more ...

80-test_cms.t: Replace use of ee-self-signed.pem by more suitable smrsa1.pem

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15499)

ee-self-signed.pem: Restore original version, adding -attime to 25-test_verify.t

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15499)