26a44ad0 | 27-Jan-2021 |
Dr. David von Oheimb |
obj_xref: rsassaPss must map to 'undef rsassaPss' (not 'undef rsaEncryption') Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13968) |
302e63cb | 28-Jan-2021 |
Richard Levitte |
Prepare for 3.0 alpha 12 Reviewed-by: Tomas Mraz <tomas@openssl.org> |
31a89254 | 28-Jan-2021 |
Richard Levitte |
Prepare for release of 3.0 alpha 11 Reviewed-by: Tomas Mraz <tomas@openssl.org> |
4333b89f | 28-Jan-2021 |
Richard Levitte |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13999) |
92bc61e4 | 28-Jan-2021 |
Richard Levitte |
Update NEWS.md before alpha11 release Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13996)
|
5ac632ee | 27-Jan-2021 |
Richard Levitte |
APPS: Restore inclusions An '#include <string.h>' was mistakenly removed from apps/ec.c and apps/ecparam.c Fixes #13986 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/13989)
|
b1eae34b | 21-Jan-2021 |
Matt Caswell |
Fix running mingw dhparam test under wine The dhparam test was failing to properly handle line endings when running a mingw configured build under wine. Fixes #13557 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13923)
|
fa2a7490 | 26-Jan-2021 |
Daniel Bevenius |
Fix typo in thread_once comments Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13964) |
eeb09f1b | 26-Jan-2021 |
Richard Levitte |
Fix OSSL_PARAM_allocate_from_text() for EBCDIC OSSL_PARAM_allocate_from_text() converted text values to UTF-8 OSSL_PARAMs with a simple strncpy(). However, if the text is EBCDIC, that won't become UTF-8. Therefore, it's made to convert from EBCDIC to ASCII on platforms where the native character encoding is the former. One might argue that the conversion should be the responsibility of the application. However, this is a helper function, and the calling application can't easily know what sort of OSSL_PARAM the input values are going to be used for. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13961)
|
0c3eb279 | 16-Jan-2021 |
Dr. David von Oheimb |
TLS client: allow cert verify callback return -1 for SSL_ERROR_WANT_RETRY_VERIFY The client-side cert verification callback function may not only return as usual for success or 0 for failure, but also -1, typically on failure verifying the server certificate. This makes the handshake suspend and return control to the calling application with SSL_ERROR_WANT_RETRY_VERIFY. The app can for instance fetch further certificates or cert status information needed for the verification. Calling SSL_connect() again resumes the connection attempt by retrying the server certificate verification step. This process may even be repeated if need be. The core implementation of the feature is in ssl/statem/statem_clnt.c, splitting tls_process_server_certificate() into a preparation step that just copies the certificates received from the server to s->session->peer_chain (rather than having them in a local variable at first) and returns to the state machine, and a post-processing step in tls_post_process_server_certificate() that can be repeated: Try verifying the current contents of s->session->peer_chain basically as before, but give the verification callback function the chance to pause connecting and make the TLS state machine later call tls_post_process_server_certificate() again. Otherwise processing continues as usual. The documentation of the new feature is added to SSL_CTX_set_cert_verify_callback.pod and SSL_want.pod. This adds two tests: * A generic test in test/helpers/handshake.c on the usability of the new server cert verification retry feature. It is triggered via test/ssl-tests/03-custom_verify.cnf.in (while the bulky auto-generated changes to test/ssl-tests/03-custom_verify.cnf can be basically ignored). * A test in test/sslapitest.c that demonstrates the effectiveness of the approach for augmenting the cert chain provided by the server in between SSL_connect() calls.
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13906)
|
1395a84e | 24-Jan-2021 |
Daiki Ueno |
params: OSSL_PARAM_utf8_ptr: don't automatically reference `address` Since the pointer can later be modified, the caller should have the responsibility to supply the address of that. Signed-off-by: Daiki Ueno <dueno@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13951)
|
df785898 | 25-Jan-2021 |
Richard Levitte |
DOC: Fix a few minor issues in OSSL_ENCODER / OSSL_DECODER docs Partially fixes #13949 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13954)
|
ba0a6d1d | 24-Jan-2021 |
Richard Levitte |
Clean away unnecessary length related OSSL_PARAM key names This cleans away old misunderstandings of what can be done with OSSL_PARAM. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13946)
|
7b0f64b1 | 22-Jan-2021 |
Tomas Mraz |
Check that the ecparam and pkeyparam do not mangle the parameters Just comparison of the original parameter file with the -out output. Some test files have non-canonical encoding, so they are moved to a different directory. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139)
|
82a46200 | 22-Jan-2021 |
Tomas Mraz |
Add checks for NULL return from EC_KEY_get0_group() Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139) |
f468e2f9 | 21-Jan-2021 |
Tomas Mraz |
ec: Document that -conv_form and -no_public are not supported with engine Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139) |
59b64259 | 21-Jan-2021 |
Tomas Mraz |
ssl_old_test.c: Replace use of deprecated EC functions Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139) |
adffee97 | 20-Jan-2021 |
Tomas Mraz |
EVP_PKEY_get_group_name works with public keys as well Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139) |
36fafb2e | 20-Jan-2021 |
Tomas Mraz |
Add manpage for EVP_PKEY_get_field_type and EVP_PKEY_get_point_conv_form Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139) |
0c8e98e6 | 20-Jan-2021 |
Tomas Mraz |
Avoid using OSSL_PKEY_PARAM_GROUP_NAME when the key might be legacy Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139) |
f377e58f | 20-Jan-2021 |
Tomas Mraz |
Disable the test-ec completely when building with no-ec Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139) |
3d34bedf | 18-Jan-2021 |
Matt Caswell |
Add EVP_PKEY functions to get EC conv form and field type libssl at the moment downgrades an EVP_PKEY to an EC_KEY object in order to get the conv form and field type. Instead we provide EVP_PKEY level functions to do this. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139)
|
5b5eea4b | 15-Oct-2020 |
Shane Lontis |
Deprecate EC_KEY + Update ec apps to use EVP_PKEY Co-author: Richard Levitte <levitte@openssl.org> Co-author: Tomas Mraz <tmraz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139)
|
98dbf2c1 | 15-Oct-2020 |
Shane Lontis |
Add functions to set values into an EVP_PKEY Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139)
|
5764c352 | 13-Nov-2019 |
Tomas Mraz |
krb5kdf: Do not dereference NULL ctx when allocation fails Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13953) |