Make EVP_PKEY_missing_parameters work properly on provided RSA keys

This requires changing semantics of the keymgmt_has()
function a little in the sense that it now returns 1
if the

Make EVP_PKEY_missing_parameters work properly on provided RSA keys

This requires changing semantics of the keymgmt_has()
function a little in the sense that it now returns 1
if the selection has no meaning for the key type. It
was already doing so for ECX keys for example.

The keymgmt_validate function semantics is changed
similarly to allow passing validation on the same
selection that the key returns 1 for.

Fixes #14509

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14511)

show more ...

evp_keymgmt_util_copy: Fix possible leak on copy failure

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14511)

apps/crl: Print just the hash value if printing just hash

This partially reverts the output format change for
openssl crl -hash output.

Fixes #14546

Reviewed-by: David

apps/crl: Print just the hash value if printing just hash

This partially reverts the output format change for
openssl crl -hash output.

Fixes #14546

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14553)

show more ...

Convert some TODO(3.0) comments in init.c to normal comments

There is no need to make the suggested changes in the 3.0 timescale.
These are just suggested improvements for the future.

Convert some TODO(3.0) comments in init.c to normal comments

There is no need to make the suggested changes in the 3.0 timescale.
These are just suggested improvements for the future.

Fixes #14375

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14556)

show more ...

Remove a TODO(3.0) from EVP_PKEY_derive_set_peer()

The TODO described a case where a legacy derive operation is called, but
the peer key is provider based. In practice this will almost n

Remove a TODO(3.0) from EVP_PKEY_derive_set_peer()

The TODO described a case where a legacy derive operation is called, but
the peer key is provider based. In practice this will almost never be a
problem. We should never end up in our own legacy EVP_PKEY_METHOD
implementations if no ENGINE has been configured. If an ENGINE has been
configured then we we will be using a third party EVP_PKEY_METHOD
implementation and public APIs will be used to obtain the key data from the
peer key so there will be no "reaching inside" the pkey.

There is a theoretical case where a third party ENGINE wraps our own
internal EVP_PKEY_METHODs using EVP_PKEY_meth_find() or
EVP_PKEY_meth_get0(). For these cases we just ensure all our
EVP_PKEY_METHODs never reach "inside" the implementation of a peer key. We
can never assume that it is a legacy key.

Fixes #14399

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14555)

show more ...

Fix up issues found when running evp_extra_test with a non-default library context

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from

Fix up issues found when running evp_extra_test with a non-default library context

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14478)

show more ...

Add testing for non-default library context into evp_extra_test

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com

Add testing for non-default library context into evp_extra_test

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14478)

show more ...

EVP_KDF-KB man page: fixup ABI/API change

fixup 7c75f2daf8b50c92bfb5c17fa62136e61f6eb515
https://github.com/openssl/openssl/pull/14310

Previous commit changes the api, one

EVP_KDF-KB man page: fixup ABI/API change

fixup 7c75f2daf8b50c92bfb5c17fa62136e61f6eb515
https://github.com/openssl/openssl/pull/14310

Previous commit changes the api, one code sample was left with previous
API.

CLA: trivial
Signed-off-by: Arthur Gautier <baloo@superbaloo.net>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14551)

show more ...

Remove TODOs from digest.c

They aren't relevant:
. Digest Sign isn't supported in the FIPS provider.
. Remove legacy NID use.

Fixes #14394
Fixes #14395

Reviewed

Remove TODOs from digest.c

They aren't relevant:
. Digest Sign isn't supported in the FIPS provider.
. Remove legacy NID use.

Fixes #14394
Fixes #14395

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14565)

show more ...

params: clean up TODO

The TODO being reworked to just be a comment.

Fixes #14374

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/ope

params: clean up TODO

The TODO being reworked to just be a comment.

Fixes #14374

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14565)

show more ...

doc: remove TODOs about redesigning the AEAD API

The changes would be significant and the benefits not likely to be too great.

Fixes #14368

Reviewed-by: Shane Lontis <shane

doc: remove TODOs about redesigning the AEAD API

The changes would be significant and the benefits not likely to be too great.

Fixes #14368

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14565)

show more ...

prov: remove todos in rsa_keymgmt.c

The TODOs are about OAEP and aren't relevant.

Fixes #14361

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://

prov: remove todos in rsa_keymgmt.c

The TODOs are about OAEP and aren't relevant.

Fixes #14361

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14565)

show more ...

prov: remove TODO in der_rsa_key.c

Fixes #14365

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14565)

Add some encoder and decoder code examples

Fixes #14373

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14557)

Fix a TODO(3.0) in the siphash code

All 3 files that included crypto/siphash.h also included siphash_local.h,
and no other files included siphash_local.h independently. They probably

Fix a TODO(3.0) in the siphash code

All 3 files that included crypto/siphash.h also included siphash_local.h,
and no other files included siphash_local.h independently. They probably
should be just one header file.

Fixes #14360

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14558)

show more ...

p_lib.c: Remove TODO comments

The comments are either about legacy stuff that is going to be
removed in later releases or about a safety check that can
be kept.

Reviewed-by:

p_lib.c: Remove TODO comments

The comments are either about legacy stuff that is going to be
removed in later releases or about a safety check that can
be kept.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14554)

show more ...

property_test: use property values that are not used elsewhere

In test_property_query_value_create() we depend on the property
values to not be created by other test cases. Use such

property_test: use property values that are not used elsewhere

In test_property_query_value_create() we depend on the property
values to not be created by other test cases. Use such
values.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14573)

show more ...

core_get_libctx: use assert() instead of ossl_assert()

Using ossl_assert makes the build fail with --strict-warnings
because the ossl_assert is declared with warn_unused_result.

core_get_libctx: use assert() instead of ossl_assert()

Using ossl_assert makes the build fail with --strict-warnings
because the ossl_assert is declared with warn_unused_result.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14571)

show more ...

provider_core: Remove two TODO 3.0

We need to keep the check for prov == NULL in ossl_provider_libctx
but it is not needed in core_get_libctx as there it can happen only when
there i

provider_core: Remove two TODO 3.0

We need to keep the check for prov == NULL in ossl_provider_libctx
but it is not needed in core_get_libctx as there it can happen only when
there is a serious coding error in a third party provider and returning
NULL as libctx would be seriously wrong as that has a special meaning.

The second TODO is valid but not something that is relevant
for 3.0. Change it into a normal comment.

Fixes #14377

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14535)

show more ...

decoder_process: data_structure can be NULL

Check it before dereferencing.

Fixes #14530

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.

decoder_process: data_structure can be NULL

Check it before dereferencing.

Fixes #14530

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14531)

show more ...

property: default queries create the property values.

Without this, it is necessary to query an algorithm before setting the default
property query. With this, the value will be created

property: default queries create the property values.

Without this, it is necessary to query an algorithm before setting the default
property query. With this, the value will be created and the default will
work.

Fixes #14516

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14542)

show more ...

Use --debug with no-caching build as sanitizers need it

The memleak test otherwise fails.

Also disable async, dtls, and old tls versions to test some
different combination of di

Use --debug with no-caching build as sanitizers need it

The memleak test otherwise fails.

Also disable async, dtls, and old tls versions to test some
different combination of disableables and speed up tests.

Fixes #14337

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14536)

show more ...

Add a CHANGES entry for EVP_PKEY_public_check() and EVP_KEY_param_check()

These functions now work for more key types than they did in 1.1.1

Fixes #14477

Reviewed-by: Paul

Add a CHANGES entry for EVP_PKEY_public_check() and EVP_KEY_param_check()

These functions now work for more key types than they did in 1.1.1

Fixes #14477

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)

show more ...

Ensure that ECX keys pass EVP_PKEY_param_check()

RSA keys have no parameters and pass EVP_PKEY_param_check(). Previously,
ECX keys had no parammeters and failed EVP_PKEY_param_check(). W

Ensure that ECX keys pass EVP_PKEY_param_check()

RSA keys have no parameters and pass EVP_PKEY_param_check(). Previously,
ECX keys had no parammeters and failed EVP_PKEY_param_check(). We should
be consistent. It makes more sense to always pass, and therefore this
commit implements that behaviour.

Fixes #14482

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)

show more ...

Add a CHANGES entry for the cosmetic differences in textual output

Numerous functions have had their textual output amended. We add
a CHANGES entry for this.

Fixes #14476

Add a CHANGES entry for the cosmetic differences in textual output

Numerous functions have had their textual output amended. We add
a CHANGES entry for this.

Fixes #14476

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)

show more ...