Skip GOST engine tests in out of tree builds

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15028)

Prefer fetch over legacy get_digestby/get_cipherby

Fixes #14198

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15028)

Rename some globals, add ossl prefix.

Fixes: 13562

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/ope

Rename some globals, add ossl prefix.

Fixes: 13562

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15035)

show more ...

Add system guessing for linux64-riscv64 target

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levit

Add system guessing for linux64-riscv64 target

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15023)

show more ...

Test that we don't have a memory leak in d2i_ASN1_OBJECT.

Fixes #14667

Reworked test supplied by @smcpeak into a unit test.

Reviewed-by: Richard Levitte <levitte@openssl.or

Test that we don't have a memory leak in d2i_ASN1_OBJECT.

Fixes #14667

Reworked test supplied by @smcpeak into a unit test.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14938)

(cherry picked from commit 7c65179ad95d0f6f598ee82e763fce2567fe5802)

show more ...

ASN1: Ensure that d2i_ASN1_OBJECT() frees the strings on ASN1_OBJECT reuse

The 'sn' and 'ln' strings may be dynamically allocated, and the
ASN1_OBJECT flags have a bit set to say this.

ASN1: Ensure that d2i_ASN1_OBJECT() frees the strings on ASN1_OBJECT reuse

The 'sn' and 'ln' strings may be dynamically allocated, and the
ASN1_OBJECT flags have a bit set to say this. If an ASN1_OBJECT with
such strings is passed to d2i_ASN1_OBJECT() for reuse, the strings
must be freed, or there is a memory leak.

Fixes #14667

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14938)

(cherry picked from commit 65b88a75921533ada8b465bc8d5c0817ad927947)

show more ...

add verbosity for pyca job

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-b

add verbosity for pyca job

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15018)

show more ...

re-add pyca/cryptography testing

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Revi

re-add pyca/cryptography testing

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15018)

show more ...

add wycheproof submodule

This is used with the pyca/cryptography test suite

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed

add wycheproof submodule

This is used with the pyca/cryptography test suite

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15018)

show more ...

updated pyca/cryptography submodule version

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.co

updated pyca/cryptography submodule version

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15018)

show more ...

Avoid #include with inline function on C++Builder

Commit 6b2978406 exposed a bug with C++Builder's Clang-based compilers,
which cause inline function definitions in C translation units t

Avoid #include with inline function on C++Builder

Commit 6b2978406 exposed a bug with C++Builder's Clang-based compilers,
which cause inline function definitions in C translation units to not
be found by the linker. Disable the inclusion of the triggering header.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15025)

show more ...

Deprecate EVP_PKEY_cmp() and EVP_PKEY_cmp_parameters().

The replacement functions EVP_PKEY_eq() and EVP_PKEY_parameters_eq()
already exist.

Reviewed-by: Richard Levitte <levitte

Deprecate EVP_PKEY_cmp() and EVP_PKEY_cmp_parameters().

The replacement functions EVP_PKEY_eq() and EVP_PKEY_parameters_eq()
already exist.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14997)

show more ...

Doc updates for DH/DSA examples

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14936)

Fixes related to separation of DH and DHX types

Fix dh_rfc5114 option in genpkey.

Fixes #14145
Fixes #13956
Fixes #13952
Fixes #13871
Fixes #14054
Fixes #14444

Fixes related to separation of DH and DHX types

Fix dh_rfc5114 option in genpkey.

Fixes #14145
Fixes #13956
Fixes #13952
Fixes #13871
Fixes #14054
Fixes #14444

Updated documentation for app to indicate what options are available for
DH and DHX keys.

DH and DHX now have different keymanager gen_set_params() methods.

Added CHANGES entry to indicate the breaking change.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14883)

show more ...

Add type_name member to provided methods and use it

Fixes #14701

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14898)

Documentation fix for openssl-verify certificates

`openssl verify` silently ignores any but the first certificate in the
`certificates` argument.

See #14675

Reviewed-by

Documentation fix for openssl-verify certificates

`openssl verify` silently ignores any but the first certificate in the
`certificates` argument.

See #14675

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14754)

show more ...

APPS: Improve diagnostics for string options and options expecting int >= 0

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14970)

APPS: Prevent ASAN hickup on idempotent strncpy() in opt_progname()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14970)

TEST: correct test/recipes/30-test_evp_data/evppkey_ecdh.txt

Some keys with groups that aren't supported by FIPS were still used
for Derive stanzas, even when testing with the FIPS provi

TEST: correct test/recipes/30-test_evp_data/evppkey_ecdh.txt

Some keys with groups that aren't supported by FIPS were still used
for Derive stanzas, even when testing with the FIPS provider.
This was due to the flaw in evp_keymgmt_util_try_import() that meant
that even though the key was invalid for FIPS, it could still come
through, because the imported keydata wasn't cleared on import error.
With that flaw corrected, these few Derive stanzas start failing.

We mitigate this by making of "offending" Derive stanzas only
available with the default provider.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15008)

show more ...

STORE: Simplify error filtering in der2obj_decode()

We do here like in all other decoder implementations, drop all errors
that were caused by a failing asn1_d2i_read_bio(), as it's most

STORE: Simplify error filtering in der2obj_decode()

We do here like in all other decoder implementations, drop all errors
that were caused by a failing asn1_d2i_read_bio(), as it's most likely
to mean that the input isn't DER, and another decoder implementation,
if there is any left, should have a go.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15008)

show more ...

crypto/store/ossl_result.c: Better filtering of errors

The diverse variants of try_XXX() were filtering errors independently
of each other. It's better done in ossl_store_handle_load_re

crypto/store/ossl_result.c: Better filtering of errors

The diverse variants of try_XXX() were filtering errors independently
of each other. It's better done in ossl_store_handle_load_result()
itself, where we have control over the overall success and failure of
the attempts.

Fixes #14973

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15008)

show more ...

EVP: evp_keymgmt_util_try_import() should clean up on failed import

If evp_keymgmt_util_try_import() allocated keydata, and the import
itself fails, it should deallocate keydata.

EVP: evp_keymgmt_util_try_import() should clean up on failed import

If evp_keymgmt_util_try_import() allocated keydata, and the import
itself fails, it should deallocate keydata.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15008)

show more ...

Don't remove $(TARFILE) when cleaning

This file is outside the source tree, so we have no business removing
it. This is especially concerning if that was the tarball the user
had to

Don't remove $(TARFILE) when cleaning

This file is outside the source tree, so we have no business removing
it. This is especially concerning if that was the tarball the user
had to create the source tree.

Fixes #14981

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14985)

show more ...

test: separate some DES based tests out to permit a no-des build to work

One of the KDFs and one of the MACs use DES as an underlying algorithm in some
tests. Separate these out into th

test: separate some DES based tests out to permit a no-des build to work

One of the KDFs and one of the MACs use DES as an underlying algorithm in some
tests. Separate these out into their own files which are conditionally excluded.

Fixes #14958

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14975)

show more ...

test: fix test_evp_kdf when DES is disabled.

Fixes #14958

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://githu

test: fix test_evp_kdf when DES is disabled.

Fixes #14958

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14975)

show more ...