Fix PKCS12_create() so that a fetch error is not added to the error stack.

Fixes #15392

PBE algorithms such as NID_pbe_WithSHA1And3_Key_TripleDES_CBC will
currently always fail

Fix PKCS12_create() so that a fetch error is not added to the error stack.

Fixes #15392

PBE algorithms such as NID_pbe_WithSHA1And3_Key_TripleDES_CBC will
currently always fail to the EVP_CIPHER_fetch() call, so the fallback to
a legacy algorithm always happens. In this case the error stack should
ignore the fetch error.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15473)

show more ...

Fix typo about SSL_CONF_FLAG_CMDLINE

change SSL_CONF_CMDLINE to SSL_CONF_FLAG_CMDLINE
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <sh

Fix typo about SSL_CONF_FLAG_CMDLINE

change SSL_CONF_CMDLINE to SSL_CONF_FLAG_CMDLINE
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15489)

show more ...

Fix issues found by md-nits

Fixes #15460

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/open

Fix issues found by md-nits

Fixes #15460

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15461)

show more ...

Fix memory leak in OSSL_CMP_CTX

The ctx->propq is strdup'ed, so it must be free'd too.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Me

Fix memory leak in OSSL_CMP_CTX

The ctx->propq is strdup'ed, so it must be free'd too.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15458)

show more ...

Rework and make DEBUG macros consistent.

Remove unused -DCONF_DEBUG and -DBN_CTX_DEBUG.

Rename REF_PRINT to REF_DEBUG for consistency, and add a new
tracing category and use it

Rework and make DEBUG macros consistent.

Remove unused -DCONF_DEBUG and -DBN_CTX_DEBUG.

Rename REF_PRINT to REF_DEBUG for consistency, and add a new
tracing category and use it for printing reference counts.

Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG

Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to
be set also.

Rename engine_debug_ref to be ENGINE_REF_PRINT also for consistency.

Fixes #15357

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15353)

show more ...

Fix doc typos.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://git

Fix doc typos.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15483)

show more ...

Initialise OPENSSL_armcap_P to 0 before setting it based on capabilities, not after

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>

Initialise OPENSSL_armcap_P to 0 before setting it based on capabilities, not after

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15486)

show more ...

FIPS Checksums: checkout the head of the base repo as pristine

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15503)

Call SSLfatal when the generate_ticket_cb returns 0

Otherwise, the state machine ends up being in a bad state:
```
SSL routines:write_state_machine:missing fatal:ssl/statem/statem.c:

Call SSLfatal when the generate_ticket_cb returns 0

Otherwise, the state machine ends up being in a bad state:
```
SSL routines:write_state_machine:missing fatal:ssl/statem/statem.c:XXX:
```

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/15487)

show more ...

FIPS Checksums CI: use separate directories for the checkouts

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15481)

generate_fips_sources: properly include providers/common/der/*.in

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15481)

Fix compilation warning with GCC11.

Parameter "header" of ssl3_cbc_digest_record was fixed to a 13 bytes header
but used as a pointer. This caused a warning about out-of-bounds array ac

Fix compilation warning with GCC11.

Parameter "header" of ssl3_cbc_digest_record was fixed to a 13 bytes header
but used as a pointer. This caused a warning about out-of-bounds array access
with GCC 11.

Fixes #15462.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15463)

show more ...

coverity 1484912: Null pointer dereferences (NULL_RETURNS)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15425)

coverity 1484913: Null pointer dereferences (REVERSE_INULL)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15425)

TEST: Prefer using precomputed RSA and DH keys for more efficient tests

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://gi

TEST: Prefer using precomputed RSA and DH keys for more efficient tests

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13715)

show more ...

APPS req: Extend the -keyout option to be respected also with -key

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.

APPS req: Extend the -keyout option to be respected also with -key

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13715)

show more ...

DOC: Improve description of 'req' app: -new, -newkey, and -keyout options

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://

DOC: Improve description of 'req' app: -new, -newkey, and -keyout options

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13715)

show more ...

Fix spelling mistake in d2i_PrivateKey.pod

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15423)

Add demo for EC keygen

Fixes #14112

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15423)

Fix OCSP_sendreq_nbio arg order

Fixes #15470

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/op

Fix OCSP_sendreq_nbio arg order

Fixes #15470

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15471)

show more ...

test: test MP genrsa in deprecated builds

These multi-prime tests were omitted when genrsa was deprecated but not
returned when it was restored.

Reviewed-by: Shane Lontis <shane

test: test MP genrsa in deprecated builds

These multi-prime tests were omitted when genrsa was deprecated but not
returned when it was restored.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15472)

show more ...

test: add test for key generation strength > RNG strength

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.

test: add test for key generation strength > RNG strength

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15472)

show more ...

test: test genrsa in deprecated builds

These tests were omitted when genrsa was deprecated but not returned when
it was restored.

Reviewed-by: Shane Lontis <shane.lontis@oracle.

test: test genrsa in deprecated builds

These tests were omitted when genrsa was deprecated but not returned when
it was restored.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15472)

show more ...

errors: update error message (to be squashed)

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/

errors: update error message (to be squashed)

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15472)

show more ...

rsa: check that the RNG is capable of producing a key of the specified size

During key generation, any sized key can be asked for. Attempting to generate
a key with a security strength

rsa: check that the RNG is capable of producing a key of the specified size

During key generation, any sized key can be asked for. Attempting to generate
a key with a security strength larger than the RNG strength now fails.

Fixes #15421

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15472)

show more ...