History log of /openssl/ (Results 8051 – 8075 of 36074)
Revision Date Author Comments
d82c7f3d 03-Feb-2021 Richard Levitte

EVP: Modify the checks in EVP_PKEY_{set,get}_xxx_param() functions

The checks of the type of EVP_PKEY were from before we had the macro
evp_pkey_is_provided().

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14056)

13e85fb3 03-Feb-2021 Richard Levitte

EVP: Adapt the other EVP_PKEY_set_xxx_param() functions

They were calling evp_keymgmt_set_params() directly. Those calls are
changed to go through EVP_PKEY_set_params().

We take the opportunity to constify these functions. They have to
unconstify internally for the compiler to stop complaining when
placing those pointers in an OSSL_PARAM element, but that's still
better than forcing the callers to do that cast.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14056)

f4a3799c 03-Feb-2021 Richard Levitte

EVP: Make EVP_PKEY_set_params() increment the dirty count

When the internal key is changed, we must count it as muted, so that
next time the affected key is considered for an operation, it gets
re-exported to the signing provider. In other words, this will clear
the EVP_PKEY export cache when the next export attempt occurs.

This also updates evp_keymgmt_util_export_to_provider() to actually
look at the dirty count for provider native origin keys, and act
appropriately.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14056)

7dc67708 26-Dec-2020 Petr Gotthard

apps/openssl: add -propquery command line option

Fixes #13656. Right now all openssl commands use a NULL propq. This
patch adds a possibility to specify a custom propq.

The implementation follows the example of set_nameopt/get_nameopt.

Various tools had to be modified to call app_get0_propq after it has
been populated. Otherwise the -propquery has no effect.

The tests then verify the -propquery affects the tool behaviour by
requesting a non-existing property.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13707)

88444854 04-Oct-2020 Dr. David von Oheimb

x509_vfy.c: Improve coding style and comments all over the file

No changes in semantics.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13070)

af4d6c26 01-Feb-2021 Matt Caswell

Remove a DSA related TODO

There are no instances of the macros that this comment is referring to
being used anywhere within current master. All of the macros were
deprecated by commit f41ac0e. Therefore this TODO should just be removed.

Fixes #13020

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14038)

08cea586 01-Feb-2021 Matt Caswell

Remove some TODO(OpenSSL1.2) references

We had a couple of stray references to OpenSSL1.2 in libssl. We just
reword the comments to remove those references without changing any
behaviour.

The first one in t1_lib.c is a technical non-compliance in the TLSv1.3
spec where, under some circumstances, we offer DSA sigalgs even in a
ClientHello that eventually negotiates TLSv1.3. We explicitly chose to
accept this behaviour in 1.1.1 and we're not planning to change it for
3.0.

The second one in s3_lib.c is regarding the behaviour of
SSL_set_tlsext_host_name(). Technically you shouldn't be able to call
this from a server - but we allow it and just ignore it rather than
raising an error. The TODO suggests we consider raising an error instead.
However, with 3.0 we are trying to minimise breaking changes so I suggest
not making this change now.

Fixes #13161

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/14037)

a7246ea6 22-Jan-2021 Dmitry Belyavskiy

DH/DHX parameter check using pkeyparam

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13930)

d53b437f 23-Dec-2020 Dr. David von Oheimb

Allow NULL arg to OPENSSL_sk_{dup,deep_copy} returning empty stack

This simplifies many usages

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14040)

b91a13f4 02-Dec-2020 Dr. David von Oheimb

run_tests.pl: Improve diagnostics on the use of HARNESS_JOBS

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13551)

c87bcdbd 27-Nov-2020 Dr. David von Oheimb

test/recipes: split 81_test_cmp_cli.t, add test using -engine loader_attic

The HTTP-based tests are now in 80_test_cmp_http.t, to start a little earlier.
This should decrease total test run time due to better parallelization.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13551)

test/recipes/80-test_cmp_http.t
test/recipes/80-test_cmp_http_data/Mock/12345.txt
test/recipes/80-test_cmp_http_data/Mock/big_issuing.crt
test/recipes/80-test_cmp_http_data/Mock/big_root.crt
test/recipes/80-test_cmp_http_data/Mock/big_server.crt
test/recipes/80-test_cmp_http_data/Mock/big_trusted.crt
test/recipes/80-test_cmp_http_data/Mock/csr.pem
test/recipes/80-test_cmp_http_data/Mock/empty.txt
test/recipes/80-test_cmp_http_data/Mock/issuing.crt
test/recipes/80-test_cmp_http_data/Mock/new.key
test/recipes/80-test_cmp_http_data/Mock/new_pass_12345.key
test/recipes/80-test_cmp_http_data/Mock/random.bin
test/recipes/80-test_cmp_http_data/Mock/root.crt
test/recipes/80-test_cmp_http_data/Mock/server.cnf
test/recipes/80-test_cmp_http_data/Mock/server.crt
test/recipes/80-test_cmp_http_data/Mock/server.key
test/recipes/80-test_cmp_http_data/Mock/signer.crt
test/recipes/80-test_cmp_http_data/Mock/signer.key
test/recipes/80-test_cmp_http_data/Mock/signer.p12
test/recipes/80-test_cmp_http_data/Mock/signer_issuing.crt
test/recipes/80-test_cmp_http_data/Mock/signer_only.crt
test/recipes/80-test_cmp_http_data/Mock/signer_root.crt
test/recipes/80-test_cmp_http_data/Mock/test.cnf
test/recipes/80-test_cmp_http_data/Mock/trusted.crt
test/recipes/80-test_cmp_http_data/Mock/wrong_csr.pem
test/recipes/80-test_cmp_http_data/test_commands.csv
test/recipes/80-test_cmp_http_data/test_connection.csv
test/recipes/80-test_cmp_http_data/test_credentials.csv
test/recipes/80-test_cmp_http_data/test_enrollment.csv
test/recipes/80-test_cmp_http_data/test_verification.csv
test/recipes/81-test_cmp_cli.t

03da39a7 27-Nov-2020 Dr. David von Oheimb

apps/cmp.c: check and exit on engine load error

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13551)

acfccbd5 27-Nov-2020 Dr. David von Oheimb

openssl.pod: Add documentation for using the loader_attic engine

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13551)

8549b972 03-Feb-2021 Pauli

Fix a use after free issue when a provider context is being used and isn't cached

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14053)

9db6af92 27-Jan-2021 Richard Levitte

EC: Reverse the default asn1_flag in a new EC_GROUP

The default was OPENSSL_EC_NAMED_CURVE, but that's not true until a
curve name has been set, so we change the initial value to
OPENSSL_EC_EXPLICIT_CURVE and let EC_GROUP_set_curve_name() change it
to OPENSSL_EC_NAMED_CURVE.

Submitted by Matt Caswell

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13973)

977e95b9 27-Jan-2021 Richard Levitte

EVP: Fix evp_pkey_ctx_store_cached_data() to handle provider backed EVP_PKEY_CTX

It assumed there would always be a non-NULL ctx->pmeth, leading to a
crash when that isn't the case. Since it needs to check 'keytype'
when that one isn't -1, we also add a corresponding check for the
provider backed EVP_PKEY_CTX case.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13973)

60488d24 26-Jan-2021 Richard Levitte

EVP: Don't find standard EVP_PKEY_METHODs automatically

EVP_PKEY_meth_find() got called automatically any time a new
EVP_PKEY_CTX allocator was called with some sort of key type data.
Since we have now moved all our standard algorithms to our providers,
this is no longer necessary.

We do retain looking up EVP_PKEY_METHODs that are added by the calling
application.

Fixes #11424

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13973)

8ce04db8 02-Feb-2021 Richard Levitte

CORE & PROV: clean away OSSL_FUNC_mac_size()

There was a remaining function signature declaration, but no
OSSL_DISPATCH number for it nor any way it's ever used. It did exist
once, but was replaced with an OSSL_PARAM item to retrieve.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14048)

28e19042 01-Feb-2021 Tomas Mraz

apps/ecparam: Avoid crash when parameters fail to load

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14043)

963a65bf 29-Jan-2021 Armin Fuerst

apps/ca: Properly handle certificate expiration times in do_updatedb

Fixes #13944

+ changed ASN1_UTCTIME to ASN1_TIME
+ removed all Y2K code from do_updatedb
+ changed compare to ASN1_TIME_compare

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14026)

(cherry picked from commit dabea5447dc487983a50a40856f731db0db17a8e)

1409b5f6 28-Jan-2021 Rich Salz

Deprecate EVP_MD_CTX_{set_}update_fn()

They are still used internally in legacy code.

Also fixed up some minor things in EVP_DigestInit.pod

Fixes: #14003

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14008)

66194839 01-Feb-2021 Tomas Mraz

Add diacritics to my name in CHANGES.md

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14044)

6a1a6498 25-Jan-2021 Tomas Mraz

dh_cms_set_peerkey: Pad the public key to p size

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13958)

af403db0 31-Jan-2021 Dr. Matthias St. Pierre

Add some missing committers to the AUTHORS list

Fixes #13815

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14029)

f94a9169 27-Jan-2021 Matt Caswell

Add a CI job to run the threads test with threads sanitizer on

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13987)
