x509_vfy.c: Rename CHECK_CB() to the more intuitively readable CB_FAIL_IF()

Also improve list layout of some comments.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from ht

x509_vfy.c: Rename CHECK_CB() to the more intuitively readable CB_FAIL_IF()

Also improve list layout of some comments.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13895)

show more ...

Remove pkey_downgrade from PKCS7 code

Fixes #12991

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13435)

util/check-format.pl: Minor improvements of whitespace checks

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13710)

Deprecate OCSP_xxx API for OSSL_HTTP_xxx

Deprecations made:
OCSP_REQ_CTX typedef->OSSL_HTTP_REQ_CTX
OCSP_REQ_CTX_new->OSSL_HTTP_REQ_CTX_new
OCSP_REQ_CTX_free->OSSL_HT

Deprecate OCSP_xxx API for OSSL_HTTP_xxx

Deprecations made:
OCSP_REQ_CTX typedef->OSSL_HTTP_REQ_CTX
OCSP_REQ_CTX_new->OSSL_HTTP_REQ_CTX_new
OCSP_REQ_CTX_free->OSSL_HTTP_REQ_CTX_free
OCSP_REQ_CTX_http-> OSSL_HTTP_REQ_CTX_header
OCSP_REQ_CTX_add1_header->OSSL_HTTP_REQ_CTX_add1_header
OCSP_REQ_CTX_i2d->OSSL_HTTP_REQ_CTX_i2d
OCSP_REQ_CTX_get0_mem_bio->OSSL_HTTP_REQ_CTX_get0_mem_bio
OCSP_set_max_response_length->OSSL_HTTP_REQ_CTX_set_max_response_length
OCSP_REQ_CTX_nbio_d2i->OSSL_HTTP_REQ_CTX_sendreq_d2i
OCSP_REQ_CTX_nbio->OSSL_HTTP_REQ_CTX_nbio

Made some editorial changes to man3/OCSP_sendreq.pod; move the NOTES
text inline. Some of the original functions had no documentation:
OCSP_REQ_CTX_new, OCSP_REQ_CTX_http, OCSP_REQ_CTX_get0_mem_bio,
OCSP_REQ_CTX_nbio_d2i, and OCSP_REQ_CTX_nbio. Their new counterparts
are now documented in doc/man3/OSSL_HTTP_REQ_CTX.pod

Fixes #12234

Co-authored-by: Richard Levitte <levitte@openssl.org>

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13742)

show more ...

DOCS: Fix the last few remaining pass phrase options references

There were a few lingering older style references to the pass phrase
options section, now streamlined with all the others.

DOCS: Fix the last few remaining pass phrase options references

There were a few lingering older style references to the pass phrase
options section, now streamlined with all the others.

Fixes #13883

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13885)

show more ...

Fix memory leak in mac_newctx() on error

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openss

Fix memory leak in mac_newctx() on error

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13702)

show more ...

Fix PKCS7 potential segfault

As the code that handles libctx, propq for PKCS7 is very similar to CMS
code, a similiar fix for issue #13624 needs to be applied.

Reviewed-by: Tim

Fix PKCS7 potential segfault

As the code that handles libctx, propq for PKCS7 is very similar to CMS
code, a similiar fix for issue #13624 needs to be applied.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13668)

show more ...

CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**.

Fixes #13624

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(

CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**.

Fixes #13624

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13668)

show more ...

Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity

To clarify the purpose of these two calls rename them to
EVP_CIPHER_CTX_get_original_iv and EVP_CIPHER_CTX_get_up

Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity

To clarify the purpose of these two calls rename them to
EVP_CIPHER_CTX_get_original_iv and EVP_CIPHER_CTX_get_updated_iv.

Also rename the OSSL_CIPHER_PARAM_IV_STATE to OSSL_CIPHER_PARAM_UPDATED_IV
to better align with the function name.

Fixes #13411

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13870)

show more ...

Update SERVER_HELLO_MAX_LENGTH

Update constant to maximum permitted by RFC 8446

Fixes #13868

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt

Update SERVER_HELLO_MAX_LENGTH

Update constant to maximum permitted by RFC 8446

Fixes #13868

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13874)

show more ...

replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13713)

bio_lib.c: Fix error queue entries and return codes on NULL args etc.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13713)

X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13713)

Allow EVP_PKEY private key objects to be created without a public component

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merg

Allow EVP_PKEY private key objects to be created without a public component

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13855)

show more ...

Fix incomplete deprecation guard in test/sslapitest.c

OPENSSL_NO_DEPRECATED_3_0 should be used rather than OPENSSL_NO_DEPRECATED,
as the latter doesn't take the configuration option '--a

Fix incomplete deprecation guard in test/sslapitest.c

OPENSSL_NO_DEPRECATED_3_0 should be used rather than OPENSSL_NO_DEPRECATED,
as the latter doesn't take the configuration option '--api=' in account.

Fixes #13865

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13866)

show more ...

Fix crypto/des/build.info

!$disabled{mdc2} was used to determine if DES files should be included
in providers/liblegacy.a. Use !$disabled{des} instead.

Fixes #13865

Re

Fix crypto/des/build.info

!$disabled{mdc2} was used to determine if DES files should be included
in providers/liblegacy.a. Use !$disabled{des} instead.

Fixes #13865

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13866)

show more ...

Document openssl thread-safety

Also discuss reference-counting, mutability and safety.

Thanks to David Benjamin for pointing to comment text he added
to boringSSL's header files

Document openssl thread-safety

Also discuss reference-counting, mutability and safety.

Thanks to David Benjamin for pointing to comment text he added
to boringSSL's header files.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13788)

show more ...

Remove unused DRBG tests.

The DRBG known answer tests are performed by evp_test and the old vectors
are not used.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged

Remove unused DRBG tests.

The DRBG known answer tests are performed by evp_test and the old vectors
are not used.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13867)

show more ...

Correct typo in rsa_oaep.c

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13861)

Enhance default provider documentation

Bring Wiki and man page documentation in line regarding default provider
fall-back behaviour.

Fixes #13844

Reviewed-by: Tomas Mra

Enhance default provider documentation

Bring Wiki and man page documentation in line regarding default provider
fall-back behaviour.

Fixes #13844

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13859)

show more ...

Fix a failure where fetches can return NULL in multi-threaded code

When a fetch is attempted simultaneously from multiple threads then both
threads can attempt to construct the method. H

Fix a failure where fetches can return NULL in multi-threaded code

When a fetch is attempted simultaneously from multiple threads then both
threads can attempt to construct the method. However only one of those
will get added to the global evp method store. The one that "lost" the
race to add the method to the global evp method store ended up with the
fetch call returning NULL, instead of returning the method that was
already available.

Fixes #13682

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)

show more ...

Fix an issue in provider_activate_fallbacks()

The above function was running while holding the store lock with a read
lock. Unfortunately it actually modifies the store, so a write lock

Fix an issue in provider_activate_fallbacks()

The above function was running while holding the store lock with a read
lock. Unfortunately it actually modifies the store, so a write lock is
required instead.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)

show more ...

Extend the threads test to add simple fetch from multi threads

Issue #13682 suggests that doing a simple fetch from multi-threads may
result in issues so we add a test for that.

Extend the threads test to add simple fetch from multi threads

Issue #13682 suggests that doing a simple fetch from multi-threads may
result in issues so we add a test for that.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)

show more ...

Enable locking on the primary DRBG when we create it

The primary DRBG may be shared across multiple threads and therefore
we must use locking to access it. Previously we were enabling th

Enable locking on the primary DRBG when we create it

The primary DRBG may be shared across multiple threads and therefore
we must use locking to access it. Previously we were enabling that locking
lazily when we attempted to obtain one of the child DRBGs. Part of the
process of enabling the lock, is to create the lock. But if we create the
lock lazily then it is too late - we may race with other threads where each
thread is independently attempting to enable the locking. This results
in multiple locks being created - only one of which "sticks" and the rest
are leaked.

Instead we enable locking on the primary when we first create it. This is
already locked and therefore we cannot race.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)

show more ...

Make sure we take the ctx->lock in ossl_lib_ctx_generic_new()

The function ossl_lib_ctx_generic_new() modifies the exdata. This may
be simultaneously being modified by other threads and

Make sure we take the ctx->lock in ossl_lib_ctx_generic_new()

The function ossl_lib_ctx_generic_new() modifies the exdata. This may
be simultaneously being modified by other threads and therefore we need
to make sure we take the lock before doing so.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)

show more ...