0966aee5 | 08-Mar-2021 |
Matt Caswell |
Expand the CHANGES entry for SHA1 and libssl As well as SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 not working at security level 1 we also document that TLS 1.2 connection will fail if the ClientHello does not have a signature algorithms extension. Fixes #14447 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14465)
|
f74f416b | 08-Mar-2021 |
Matt Caswell |
Add a CHANGES for OSSL_STORE_INFO_get_type() The function OSSL_STORE_INFO_get_type() may now return a new object type. Applications may have to be amended accordingly. Fixes #14446 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14465)
|
c7d4d032 | 08-Mar-2021 |
Matt Caswell |
Add a missing CHANGES.md entry for the legacy provider Numerous ciphers and digests have been moved to the legacy provider. There should be a CHANGES.md entry pointing this out. Fixes #14441 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14465)
|
896dcda1 | 08-Mar-2021 |
Dmitry Belyavskiy |
Non-const accessor to legacy keys Fixes #14466. Reverting the changes of the EVP_PKEY_get0 function. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14468)
|
c99248ea | 06-Mar-2021 |
Arthur Gautier |
EVP_KDF-KB man page: Fix typo in the example code CLA: trivial Signed-off-by: Arthur Gautier <baloo@superbaloo.net> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14455)
|
e5499a3c | 04-Mar-2021 |
Alistair Francis |
Fixup support for io_pgetevents_time64 syscall This is a fixup for the original commit 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc "Add support for io_pgetevents_time64 syscall" that didn't correctly work for 32-bit architectures with a 64-bit time_t that aren't RISC-V. For a full discussion of the issue see: https://github.com/openssl/openssl/commit/5b5e2985f355c8e99c196d9ce5d02c15bebadfbc Signed-off-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14432)
|
4c52ee1d | 08-Mar-2021 |
Dr. David von Oheimb |
cmp_hdr.c: Fix minor Coverity issue CID 1473605 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14460) |
b6a06b13 | 08-Mar-2021 |
Dr. David von Oheimb |
http_test.c: Fix minor Coverity issue CID 1473608 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14460) |
3e6a0d57 | 04-Mar-2021 |
Shane Lontis |
Reword repeated words. A trivial PR to remove some commonly repeated words. It looks like this is not the first PR to do this. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14420)
|
889ad4ef | 05-Mar-2021 |
Tomas Mraz |
apps/pkcs12: Allow continuing on absent mac Just print a warning in that case. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14445)
|
5e9a8678 | 05-Mar-2021 |
Tomas Mraz |
apps/pkcs12: Detect missing PKCS12KDF support on import Report error message with hint to use -nomacver if MAC verification is not required. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14445)
|
913f9d5e | 05-Mar-2021 |
Tomas Mraz |
apps/pkcs12: Properly detect MAC setup failure The MAC requires PKCS12KDF support which is not present in FIPS provider as it is not an approved KDF algorithm. Suggest using -nomac if MAC is not required. Fixes #14057 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14445)
|
31e2e6e0 | 08-Mar-2021 |
Armin Fuerst |
fake_rand_finish should be called if "OPENSSL_NO_SM2" is NOT defined Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14471)
|
9afc6c54 | 04-Mar-2021 |
Matt Caswell |
Fix the check for suitable groups and TLSv1.3 If we have TLSv1.3 enabled then we must have at least one TLSv1.3 capable group available. This check was not always working Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/14430)
|
7bc0fdd3 | 02-Mar-2021 |
Matt Caswell |
Make the EVP_PKEY_get0* functions have a const return type OTC have decided that the EVP_PKEY_get0* functions should have a const return type. This is a breaking change to emphasise that these values should be considered as immutable. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14319)
|
cc57dc96 | 25-Feb-2021 |
Matt Caswell |
Document the change in behaviour of the low level key getters/setters Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14319)
|
8e53d94d | 25-Feb-2021 |
Matt Caswell |
Ensure the various legacy key EVP_PKEY getters/setters are deprecated Most of these were already deprecated but a few have been missed. This commit corrects that. Fixes #14303 Fixes #14317 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14319)
|
b574c6a9 | 24-Feb-2021 |
Matt Caswell |
Cache legacy keys instead of downgrading them If someone calls an EVP_PKEY_get0*() function then we create a legacy key and cache it in the EVP_PKEY - but it doesn't become an "origin" and it doesn't ever get updated. This will be documented as a restriction of the EVP_PKEY_get0*() function with provided keys. Fixes #14020 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14319)
|
ec961f86 | 24-Feb-2021 |
Matt Caswell |
Avoid a null pointer deref on a malloc failure Make sure we were successful in creating an EVP_PKEY Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14319)
|
e8afd78a | 29-Jan-2021 |
Matt Caswell |
Add a multi thread test for downgrading keys Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14319)
|
a2c911c2 | 05-Mar-2021 |
Dmitry Belyavskiy |
Restore GOST macros compatibility with 1.1.1 Fixes #14440 Before IANA assigned the official codes for the GOST signature algorithms in TLS, the values from the Reserved for Private Use range were in use in Russia. The old values were renamed. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14448)
|
9293046f | 06-Jan-2021 |
Dr. David von Oheimb |
apps/x509.c: Rename -signkey to -key for consistency with the req app Also because this better reflects that usually also the public portion is used. Retaining the old -signkey as an alias for backward compatibility. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14007)
|
2de5d3b8 | 01-Mar-2021 |
Dr. David von Oheimb |
HTTP: Fix BIO_mem_d2i() on NULL mem input This fixes also failure behavior of OSSL_HTTP_REQ_CTX_sendreq_d2i(), OCSP_sendreq_nbio(), etc. Fixes #14322 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14356)
|
676d879c | 01-Mar-2021 |
Dr. David von Oheimb |
http_local.h: Remove unused declaration of HTTP_sendreq_bio() Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14356) |
73e6e3e0 | 01-Mar-2021 |
Dr. David von Oheimb |
Simplify OCSP_sendreq_bio() Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14356) |