Make more use of X509_add_certs(); minor related code & comments cleanup

This is a follow-up on #12615.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.co

Make more use of X509_add_certs(); minor related code & comments cleanup

This is a follow-up on #12615.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14436)

show more ...

OCSP_resp_find_status.pod: Complete the RETURN VALUES section

Supersedes #11877. Also make order in NAME section consistent.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged f

OCSP_resp_find_status.pod: Complete the RETURN VALUES section

Supersedes #11877. Also make order in NAME section consistent.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14347)

show more ...

crypto/ocsp/ocsp_cl.c: coding style improvements

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14347)

Update the demos/README file because it is really old. New demos should provide best practice for API use.
Add demonstration for computing a SHA3-512 digest - digest/EVP_MD_demo

Reviewed

Update the demos/README file because it is really old. New demos should provide best practice for API use.
Add demonstration for computing a SHA3-512 digest - digest/EVP_MD_demo

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14150)

show more ...

CI external tests: separate each external test into its own phase

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from h

CI external tests: separate each external test into its own phase

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14416)

show more ...

CI external test: for now run only the krb5 and gost_engine tests

The boringssl (https://github.com/openssl/openssl/issues/14424)
and pyca-cryptography (https://github.com/openssl/openss

CI external test: for now run only the krb5 and gost_engine tests

The boringssl (https://github.com/openssl/openssl/issues/14424)
and pyca-cryptography (https://github.com/openssl/openssl/issues/14425)
tests are currently broken.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14416)

show more ...

gost_engine test: further cleanups and fixes

Allow absolute paths for $SRCTOP and $BLDTOP.

Do not build the gost_engine in tree.

Reviewed-by: Richard Levitte <levitte@opens

gost_engine test: further cleanups and fixes

Allow absolute paths for $SRCTOP and $BLDTOP.

Do not build the gost_engine in tree.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14416)

show more ...

gost_engine test: Run also perl and tcl tests

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/op

gost_engine test: Run also perl and tcl tests

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14416)

show more ...

CI: add job with external tests

Update gost-engine submodule.
Update pyca-cryptography submodule.

Fix condition for skipping krb5 test.

Reviewed-by: Richard Levitte <le

CI: add job with external tests

Update gost-engine submodule.
Update pyca-cryptography submodule.

Fix condition for skipping krb5 test.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14416)

show more ...

DOCS: Document OSSL_STORE_INFO_PUBKEY in doc/man3/OSSL_STORE_INFO.pod

Fixes #14414

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(M

DOCS: Document OSSL_STORE_INFO_PUBKEY in doc/man3/OSSL_STORE_INFO.pod

Fixes #14414

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14415)

show more ...

Make provider provider_init thread safe, and flag checking/setting too

provider_init() makes changes in the provider structure, and needs a
bit of protection to ensure that doesn't happe

Make provider provider_init thread safe, and flag checking/setting too

provider_init() makes changes in the provider structure, and needs a
bit of protection to ensure that doesn't happen concurrently with race
conditions.

This also demands a bit of protection of the flags, since they are
bits and presumably occupy the same byte in memory.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14354)

show more ...

Make ossl_provider_disable_fallback_loading() thread safe

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/open

Make ossl_provider_disable_fallback_loading() thread safe

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14354)

show more ...

test/threadstest.c: Add a test to load providers concurrently

If we don't synchronize properly in the core provider code, and build
with a thread sanitizer, this should cause a crash.

test/threadstest.c: Add a test to load providers concurrently

If we don't synchronize properly in the core provider code, and build
with a thread sanitizer, this should cause a crash.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14354)

show more ...

ecx_set_priv_key: Try to obtain libctx from the pkey's keymgmt

We can try to do that although for legacy keys the keymgmt
will not be set. This function will disappear with legacy suppor

ecx_set_priv_key: Try to obtain libctx from the pkey's keymgmt

We can try to do that although for legacy keys the keymgmt
will not be set. This function will disappear with legacy support
removed.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14404)

show more ...

bn_ctx.c: Remove TODO 3.0 related to tracing in FIPS module

We do not want tracing in the FIPS module.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com

bn_ctx.c: Remove TODO 3.0 related to tracing in FIPS module

We do not want tracing in the FIPS module.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14404)

show more ...

ecx_set_priv_key: Remove TODO 3.0 related to setting libctx

This function is used only for legacy keys so the TODO is
not relevant.

Reviewed-by: Paul Dale <pauli@openssl.org>

ecx_set_priv_key: Remove TODO 3.0 related to setting libctx

This function is used only for legacy keys so the TODO is
not relevant.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14404)

show more ...

do_sigver_init: Remove fallback for missing provider implementations.

We now have everything implemented in providers.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from ht

do_sigver_init: Remove fallback for missing provider implementations.

We now have everything implemented in providers.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14404)

show more ...

Remove some of the TODO 3.0 in crypto/evp related to legacy support.

The legacy support stays in 3.0. The TODOs are dropped.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged f

Remove some of the TODO 3.0 in crypto/evp related to legacy support.

The legacy support stays in 3.0. The TODOs are dropped.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14404)

show more ...

crypto/param_build_set.c: Remove irrelevant TODO 3.0

The OSSL_PARAM_set_BN() pads to data_size so there is no
need for OSSL_PARAM_set_BN_pad().

Reviewed-by: Paul Dale <pauli@ope

crypto/param_build_set.c: Remove irrelevant TODO 3.0

The OSSL_PARAM_set_BN() pads to data_size so there is no
need for OSSL_PARAM_set_BN_pad().

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14404)

show more ...

crypto/ppccap.c: Remove useless TODO 3.0

The chacha and poly1305 algorithms are not FIPS approved so
they should stay out of FIPS module.

Reviewed-by: Paul Dale <pauli@openssl.o

crypto/ppccap.c: Remove useless TODO 3.0

The chacha and poly1305 algorithms are not FIPS approved so
they should stay out of FIPS module.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14404)

show more ...

include/crypto: Remove TODOs that are irrelevant for 3.0

The legacy support will not be removed in 3.0. Remove the
related TODO 3.0 marks.

Reviewed-by: Paul Dale <pauli@openssl.

include/crypto: Remove TODOs that are irrelevant for 3.0

The legacy support will not be removed in 3.0. Remove the
related TODO 3.0 marks.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14404)

show more ...

include/internal: Remove TODOs that are irrelevant for 3.0

The sha3 and sm3 legacy support requires these headers.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https:

include/internal: Remove TODOs that are irrelevant for 3.0

The sha3 and sm3 legacy support requires these headers.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14404)

show more ...

test/x509: Test for issuer being overwritten when printing.

The regression from commit 05458fd was fixed, but there is
no test for that regression. This adds it simply by having
a ce

test/x509: Test for issuer being overwritten when printing.

The regression from commit 05458fd was fixed, but there is
no test for that regression. This adds it simply by having
a certificate that we compare for -text output having
a different subject and issuer.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14353)

show more ...

OSSL_STORE: restore diagnostics on decrypt error; provide password hints

Fixes #13493

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/

OSSL_STORE: restore diagnostics on decrypt error; provide password hints

Fixes #13493

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13525)

show more ...

crypto: rename error flags in internal structures

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl

crypto: rename error flags in internal structures

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14405)

show more ...