d8a809db | 06-Mar-2021 |
Tomas Mraz |
apps: Make load_key_certs_crls to read only what is expected The load_key_certs_crls tried to read the whole input stream instead of returning once expected data is obtained. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14449)
|
ea51096e | 05-Mar-2021 |
Tomas Mraz |
apps: Add maybe_stdin argument to load_certs and set it in pkcs12 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14449)
|
8287a4c3 | 12-Mar-2021 |
div2016bit <44309014+div2016bit@users.noreply.github.com> |
Tiny clarification of comment for RSA_sign CLA: trivial On line 136, a period is added. I think this is what was intended. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14540)
|
3a37ddde | 11-Mar-2021 |
Shane Lontis |
Fix DSA EVP_PKEY_param_check() when defaults are used for param generation. Fixes #14480 An internal flag that is set during param gen was not being tested, so the wrong type was used to select the dsa domain param validation method. In the default provider - if no gen_type is set then by default the fips186_4 gentype will be selected when pbits >=2048 otherwise it selects fips186_2. The fips provider ignores the gen_type and always uses fips186_4. Before this change dsa used fips186_2 by default in the default provider. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14508)
|
91bd45eb | 12-Mar-2021 |
Tomas Mraz |
keymgmt_meth: remove two TODO 3.0 The first TODO 3.0 is not really a TODO, just a comment. The second one is something that is needed for compatibility with existing applications. There is no major reason in trying to change this behavior right now. Fixes #14400 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14534)
|
3711f4c3 | 11-Mar-2021 |
Tobias Nießen |
Fix option description for PKCS#12 export Refs: https://github.com/openssl/openssl/pull/4930 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14520)
|
703c4d66 | 12-Mar-2021 |
Matt Caswell |
Convert a TODO(3.0) in OPENSSL_thread_stop_ex to a comment The TODO is describing something that would be nice to fix. In fact the problem exists even in 1.1.1. It would be nice to fix it, but it does not need to be done in the 3.0 timeframe. Fixes #14376 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14533)
|
fadb77ce | 12-Mar-2021 |
Matt Caswell |
Remove a TODO from async_delete_thread_state() There is nothing to be done here for the time being. If at some point we make the async code libctx aware then we might need to make a change but there are no plans to do that at the moment. Fixes #14402 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14532)
|
0fc39c90 | 12-Mar-2021 |
Shane Lontis |
Remove TODO in rsa_ameth.c Fixes #14390 The only caller of this function tests EVP_KEYMGMT_is_a() beforehand which will fail if the RSA key types do not match. So the test is not necessary. The assert has been removed when it does the test. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14524)
|
8bfb8f34 | 12-Mar-2021 |
Shane Lontis |
Remove TODO in test/acvp_test.c related to setting AES-GCM iv. Fixes #14330 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14525) |
cd3f8c1b | 18-Feb-2021 |
Rich Salz |
Always check CRYPTO_LOCK_{read,write}_lock Some functions that lock things are void, so we just return early. Also make ossl_namemap_empty return 0 on error. Updated the docs, and added some code to ossl_namemap_stored() to handle the failure, and updated the tests to allow for failure. Fixes: #14230 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14238)
|
f62846b7 | 10-Mar-2021 |
Dr. David von Oheimb |
apps/ts.c: Allow -untrusted arg to refer to multiple sources This requires moving generally useful functions from apps/cmp.c to apps/lib/apps.c Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14504)
|
c89fd035 | 10-Mar-2021 |
Dr. David von Oheimb |
TS ESS: Let TS_RESP_verify_signature() make use of untrusted certs also from token response Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14504)
|
234261f3 | 11-Mar-2021 |
Pauli |
ssl: fix format specifier for size_t argument to BIO_printf Fixes #14519 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14521)
|
0413b7bb | 12-Mar-2021 |
Tomas Mraz |
acvp_test: Do not expect exact number of self tests There might be more because internal instances of the DRBG might be initialized for the first time and thus self-tested as well. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14497)
|
061ae2f6 | 11-Mar-2021 |
Tomas Mraz |
Remove the RAND_get0_public() from fips provider initialization It is not needed anymore and it causes leaks because it is called when the FIPS provider libctx is not yet properly set up. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14497)
|
12b4e582 | 11-Mar-2021 |
Tomas Mraz |
Use OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL) in libcrypto Calling OPENSSL_init_crypto(0, NULL) is a no-op and will not properly initialize thread local handling. Only the calls that are needed to initialize thread locals are kept, the rest of the no-op calls are removed. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14497)
|
34347512 | 07-Mar-2021 |
Jakub Zelenka |
Update CHANGES with info about AuthEnvelopedData addition Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14456)
|
8f089576 | 10-Mar-2021 |
Pauli |
rename ossl_provider_forall_loaded to ossl_provider_doall_activated Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14489) |
3c5ce1ce | 10-Mar-2021 |
Pauli |
doc: describe the return from ossl_provider_forall_loaded() Also correct an incorrect statement about non-activated providers. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14489)
|
7bbfbc82 | 10-Mar-2021 |
Pauli |
core: modify ossl_provider_forall_loaded() to avoid locking for the callbacks To avoid recursive lock issues, a copy is taken of the provider list and the callbacks are made without holding the store lock. Fixes #14251 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14489)
|
3d0b5678 | 10-Mar-2021 |
Matt Caswell |
Don't crash if the pkeyopt doesn't have a value All pkeyopt's must have a ":" and a value for the option. Not supplying one can cause a crash Fixes #14494 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14496)
|
8bf611bc | 10-Mar-2021 |
Pauli |
update set_ctx_param store management calls to return 1 for a NULL params Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14383) |
20b8dc6f | 10-Mar-2021 |
Pauli |
update set_ctx_param DRBG calls to return 1 for a NULL params Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14383) |
5a6b62bb | 10-Mar-2021 |
Pauli |
update set_ctx_param MAC calls to return 1 for a NULL params Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14383) |