b897b353 | 24-Jan-2021 |
Richard Levitte |
Drop Travis At this point, we have transitioned completely from Travis to GitHub Actions Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13940)
|
4605b34d | 23-Jan-2021 |
Richard Levitte |
Github CI: Add a job for out-of-source build + install Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13935) |
d9c22dde | 22-Jan-2021 |
Richard Levitte |
Unix Makefile generator: Fix empty basename calls Fixes #13933 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13935) |
c27e7922 | 21-Jan-2021 |
Tomas Mraz |
bn: Deprecate the X9.31 RSA key generation related functions This key generation method is obsolete. Fixes #10111 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13921)
|
c9603dfa | 18-Jan-2021 |
Dr. David von Oheimb |
OCSP HTTP: Restore API of undocumented and recently deprecated functions Restore parameters of OCSP_REQ_CTX_new(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_i2d(). Fix a bug (wrong HTTP method selected on req == NULL in OCSP_sendreq_new()). Minor further fixes in OSSL_HTTP_REQ_CTX.pod Fixes #13873 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13898)
|
806990e7 | 18-Jan-2021 |
Dr. David von Oheimb |
OSSL_HTTP_REQ_CTX.pod: minor addition and remove redundant paragraph Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13898) |
046fba44 | 18-Jan-2021 |
Dr. David von Oheimb |
OSSL_HTTP_REQ_CTX_new(): replace method_GET parameter by method_POST Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13898) |
cddbcf02 | 18-Jan-2021 |
Dr. David von Oheimb |
rename OSSL_HTTP_REQ_CTX_header to OSSL_HTTP_REQ_CTX_set_request_line Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13898) |
0a20cc4b | 18-Jan-2021 |
Dr. David von Oheimb |
Add check of HTTP method to OSSL_HTTP_REQ_CTX_content() Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13898) |
85c8b87b | 19-Jan-2021 |
Dr. David von Oheimb |
Util/Pod.pm: Fix uninitialized $podinfo{lastsecttext} on empty input Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13898) |
8a9394c1 | 21-Jan-2021 |
Matt Caswell |
Fix no-dh and no-dsa Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13915) |
fc52ae8c | 18-Jan-2021 |
Matt Caswell |
Don't copy parameters on setting a key in libssl Whenever we set a private key in libssl, we first found the certificate that matched the key algorithm. Then we copied the key parameters from the private key into the public key for the certificate before finally checking that the private key matched the public key in the certificate. This makes no sense! Part of checking the private key is to make sure that the parameters match. It seems that this code has been present since SSLeay. Perhaps at some point it made sense to do this - but it doesn't any more. We remove that piece of code altogether. The previous code also had the undocumented side effect of removing the certificate if the key didn't match. This makes sense if you've just overwritten the parameters in the certificate with bad values - but doesn't seem to otherwise. I've also removed that error logic. Due to issue #13893, the public key associated with the certificate is always a legacy key. EVP_PKEY_copy_parameters will downgrade the "from" key to legacy if the target is legacy, so this means that in libssl all private keys were always downgraded to legacy when they are first set in the SSL/SSL_CTX. Removing the EVP_PKEY_copy_parameters code has the added benefit of removing that downgrade. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13899)
|
5060cd5f | 19-Jan-2021 |
Matt Caswell |
Ensure legacy_asn1_ctrl_to_param can handle MDs not in the OBJ database The legacy_asn1_ctrl_to_param implementation of ASN1_PKEY_CTRL_DEFAULT_MD_NID calls EVP_PKEY_get_default_digest_name() which returns an mdname. Previously we were using OBJ_sn2nid/OBJ_ln2nid to lookup that name in the OBJ database. However we might get an md name back that only exists in the namemap, not in the OBJ database. In that case we need to check the various aliases for the name, to see if one of those matches the name we are looking for. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13899)
|
ef161e7b | 15-Jan-2021 |
Richard Levitte |
Unix Makefile generator: separate "simple" shared libraries from import libraries For Unix-like environments, we may have so-called "simple" shared library names (libfoo.so as opposed to libfoo.so.1.2), or we may have "import" library names associated with a DLL (libfoo.dll.a for libfoo.dll on Mingw and derivatives). So far, "import" library names were treated the same as "simple" shared library names, as some kind of normalization for the Unix way of doing things. We now shift to treat them separately, to make it clearer what is what. Fixes #13414, incidentally Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13875)
|
daa86f9e | 18-Jan-2021 |
zsugabubus |
Check input size before NULL pointer test inside mem_write() Checking is performed after the read-only test so it catches such errors earlier. CLA: trivial Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13786)
|
616581aa | 15-Jan-2021 |
Tomas Mraz |
dh_cms_set_shared_info: Use explicit fetch to be able to provide libctx Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13869) |
6c4ecc65 | 15-Jan-2021 |
Tomas Mraz |
dh_cms_set_peerkey: The peer key is encoded as an ASN.1 integer It must be decoded from the ASN.1 integer before setting to the EVP_PKEY. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13869)
|
24d5be7a | 15-Jan-2021 |
Tomas Mraz |
Make the smdh.pem test certificate usable with fips provider Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13869) |
6253cdcc | 14-Jan-2021 |
Tomas Mraz |
kdf_exch.c (kdf_derive): Proper handling of NULL secret Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13869) |
f23e4a17 | 14-Jan-2021 |
Tomas Mraz |
Fixes related to broken DH support in CMS - DH support should work with both DH and DHX keys - UKM parameter is optional so it can have length 0 Fixes #13810 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13869)
|
6d9a54c6 | 14-Jan-2021 |
Tomas Mraz |
Pass correct maximum output length to provider derive operation And improve error checking in EVP_PKEY_derive* calls. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13869)
|
3d46c81a | 12-Jan-2021 |
Dr. David von Oheimb |
CMP: Allow PKCS#10 input also for ir, cr, kur, and rr messages Also update documentation regarding sources of certs and keys, improve type of OSSL_CMP_exec_RR_ses(), add tests for CSR-based cert revocation Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13841)
|
2039ac07 | 08-Jan-2021 |
Dr. David von Oheimb |
X509_REQ_get_extensions(): Return empty stack if no extensions found Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13841) |
6b63b7b6 | 08-Jan-2021 |
Dr. David von Oheimb |
apps/cmp.c: Check self-signature on CSR input and warn on failure Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13841) |
92d61945 | 08-Jan-2021 |
Dr. David von Oheimb |
apps/cmp.c: Improve diagnostics on loading private vs. public key for cert request Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13841) |