Fix change in behaviour of EVP_PKEY_CTRL_RSA_KEYGEN_BITS

In 1.1.1 the ctrl EVP_PKEY_CTRL_RSA_KEYGEN_BITS would fail immediately
if the number of bits was too small. In 3.0 it always succ

Fix change in behaviour of EVP_PKEY_CTRL_RSA_KEYGEN_BITS

In 1.1.1 the ctrl EVP_PKEY_CTRL_RSA_KEYGEN_BITS would fail immediately
if the number of bits was too small. In 3.0 it always succeeds, and only
fails later during the key generation stage.

We fix that so that it fails early like it used to in 1.1.1.

Note that in 1.1.1 it fails with a -2 return code. That is not the case
in 3.0 and has not been addressed here (see #14442)

Fixes #14443

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14702)

show more ...

doc: fix enc -z option documentation

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/op

doc: fix enc -z option documentation

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14499)

show more ...

Print correct error message in utils/mkdir-p.pl

Commit 70a56b914772e6b21cda2a5742817ae4bb7290f1 introduced a regression.

If utils/mkdir-p.pl fails to create a target dir because of

Print correct error message in utils/mkdir-p.pl

Commit 70a56b914772e6b21cda2a5742817ae4bb7290f1 introduced a regression.

If utils/mkdir-p.pl fails to create a target dir because of insufficient file system
permissions, the subsequent test for dir existence always fails and overwrites
the system error. As a result, a user is presented with a misleading error message.

E.g. if a user tries to create a dir under /usr/local and does not have permissions
for it, the reported error message is "Cannot create directory /usr/local/lib: No such file or directory",
whereas the expected error message is "Cannot create directory /usr/local/lib: Permission denied".

This commit introduces a fix by declaring an additional local variable to cache
the original error message from mkdir. If -d check fails and overwrites the system
error, the user is still presented with the original error from mkdir.

CLA: Trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14487)

show more ...

Merge OFB encrypt and decrypt test vectors.

There's no point in specifying them separately, since they're the same.
Also the OFB-AES192.Decrypt vectors specified the wrong operation, so

Merge OFB encrypt and decrypt test vectors.

There's no point in specifying them separately, since they're the same.
Also the OFB-AES192.Decrypt vectors specified the wrong operation, so we
were running some encryption tests twice and missing some decryption
tests.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14625)

show more ...

Add explicit support in util/shlib_wrap.sh.in for NonStop DLL loading.

The NonStop platform uses a proprietary mechanism for specifying DLL
locations.

CLA: Permission is granted

Add explicit support in util/shlib_wrap.sh.in for NonStop DLL loading.

The NonStop platform uses a proprietary mechanism for specifying DLL
locations.

CLA: Permission is granted by the author to the OpenSSL team to use these modifications.

Fixes #14666

Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14669)

show more ...

Increase minimum clang version requirement for rsaz-avx512.pl

The reason is that clang-6 does not enable proper -march flags by
default for assembly modules (rsaz-avx512.pl requires avx5

Increase minimum clang version requirement for rsaz-avx512.pl

The reason is that clang-6 does not enable proper -march flags by
default for assembly modules (rsaz-avx512.pl requires avx512ifma, avx512dq,
avx512vl, avx512f). This is not true for newer clang versions - clang-7 and
further work ok.

For older clang versions users who want to get optimization from this
file, we have a note in the OPENSSL_ia32cap.pod with the workaround that
proposes having a wrapper that forces using external assembler.

Fixes #14668: clang-6.0.0 build broken

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14671)

show more ...

Fix typos in bio.pod

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>

Fix typos in bio.pod

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14706)

show more ...

ssl: fix problem where MAC IDs were globally cached.

Instead, they should be cached per SSL_CTX.

This also addresses a threading issue where multiple attempts to write the
same

ssl: fix problem where MAC IDs were globally cached.

Instead, they should be cached per SSL_CTX.

This also addresses a threading issue where multiple attempts to write the
same location occur. The last one winning. Under 1.1.1, this wasn't an issue
but under 3.0 with library contexts, the results can and will be different.

Fixes #13456

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14715)

show more ...

apps: fix coverity 1474463, 1474465 & 1474467: resource leaks

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14716)

test: fix coverity 1474468: resource leak

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14716)

evp: fix coverity 1474469: negative return

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14716)

x509: fix coverity 1474470: NULL pointer dereference

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14716)

x509: fix coverity 1474471: NULL pointer dereference

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14716)

Fix typo in BIO_push.pod

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/

Fix typo in BIO_push.pod

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14718)

show more ...

Fix BIO_new_ssl_connect() to not leak memory

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.

Fix BIO_new_ssl_connect() to not leak memory

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14719)

show more ...

Android config targets: don't include the SO version in the shlib file name

Reports say that the Android platform(s) don't have the SO version
number in the shared library file name. Re

Android config targets: don't include the SO version in the shlib file name

Reports say that the Android platform(s) don't have the SO version
number in the shared library file name. Reportedly, Android package
managers do complain that our shared libraries do include the SO
version number. That's easy enough to fix.

Fixes #14711

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14727)

show more ...

Unix build file template: symlink "simple" to "full" shlib selectively

On Unix-like platforms where the shared library comes in a form with
and a form without SO version number, the one

Unix build file template: symlink "simple" to "full" shlib selectively

On Unix-like platforms where the shared library comes in a form with
and a form without SO version number, the one without is symbolically
linked to the one with.

However, we have Unix-like platforms where we don't deal with SO
version numbers, and where the "simple" shlib thereby ends up being
symbolically linked to itself. A simple check of the two shlib file
names is enough to ensure that we only do the symbolic link when
actually necessary.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14726)

show more ...

Fix DH gettable OSSL_PKEY_PARAM_DH_PRIV_LEN so that it has the correct
type.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14564)

Update deprecated API's in the documentation.

The reported issue related to EC_KEY deprecations
Fixes #14545

Searches were done in the pod files for all libcrypto.num
entrie

Update deprecated API's in the documentation.

The reported issue related to EC_KEY deprecations
Fixes #14545

Searches were done in the pod files for all libcrypto.num
entries containing DEPRECATEDIN_3_0 to find additional missing entries.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14564)

show more ...

Moved build instructions from the man page

Some requirements and build hints for assembler modules compilation were
moved from doc/man3/OPENSSL_ia32cap.pod to INSTALL.md.

Fixes

Moved build instructions from the man page

Some requirements and build hints for assembler modules compilation were
moved from doc/man3/OPENSSL_ia32cap.pod to INSTALL.md.

Fixes #14674

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14683)

show more ...

Add $(PERL) to util/wrap.pl execution to avoid env incompatibilities

Using /usr/bin/env on the NonStop ia64 and x86 platforms
causes a translation of - to -i as part of the implicit inte

Add $(PERL) to util/wrap.pl execution to avoid env incompatibilities

Using /usr/bin/env on the NonStop ia64 and x86 platforms
causes a translation of - to -i as part of the implicit interpretation
by env of its arguments prior to handing off the arguments to perl.
This causes the FIPS module configuration to be written to a file
named -i instead of going to stdout.

CLA: Trivial

Fixes: #14612

Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14613)

show more ...

Fix typo in bio.h.in

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged

Fix typo in bio.h.in

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14705)

show more ...

Implement EVP_PKEY_dup() function

Fixes #14501

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14624)

Remove RSA bignum_data that is not used anywhere

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14624)

doc: fix style problems with this man page

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14642)