Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)

apps/req.c: add -CA and -CAkey options; improve code and doc

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)

APPS: Allow OPENSSL_CONF to be empty, not loading a config file

Also document the function CONF_get1_default_config_file()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Mer

APPS: Allow OPENSSL_CONF to be empty, not loading a config file

Also document the function CONF_get1_default_config_file()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)

show more ...

apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default

Fixes #13603

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.co

apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default

Fixes #13603

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)

show more ...

X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert

This is the upstream fix for #13698 reported for v1.1.1

Reviewed-by: Tomas Mraz <tmraz@fed

X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert

This is the upstream fix for #13698 reported for v1.1.1

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13755)

show more ...

d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX()

Partly fixes #13754

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/opens

d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX()

Partly fixes #13754

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13755)

show more ...

Fix incorrect use of BN_CTX API

In some edge cases BN_CTX_end was being called without first calling
BN_CTX_start. This creates a situation where the state of the big
number allocato

Fix incorrect use of BN_CTX API

In some edge cases BN_CTX_end was being called without first calling
BN_CTX_start. This creates a situation where the state of the big
number allocator is corrupted and may lead to crashes.

Fixes #13812

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13813)

show more ...

Fix enable-weak-ssl-ciphers

Commit e260bee broke the enable-weak-ssl-ciphers option. The stitched
rc4-hmac-md5 cipher implementation did not recognise the tls_version
parameter, and

Fix enable-weak-ssl-ciphers

Commit e260bee broke the enable-weak-ssl-ciphers option. The stitched
rc4-hmac-md5 cipher implementation did not recognise the tls_version
parameter, and therefore was being incorrectly handled.

Fixes #13795

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13803)

show more ...

x509_vfy.c: Fix a regression in find_issuer()

...in case the candidate issuer cert is identical to the target cert.

This is the v3.0.0 variant of #13749 fixing #13739 for v1.1.1.

x509_vfy.c: Fix a regression in find_issuer()

...in case the candidate issuer cert is identical to the target cert.

This is the v3.0.0 variant of #13749 fixing #13739 for v1.1.1.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13762)

show more ...

Make PEM_X509_INFO_read_bio_ex() conservative on the error queue

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13762)

TEST: move cert, key, and CSR loading aux functions to new testutil/load.c

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13762)

Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1

Deprecate X509_NAME_hash()
Document X509_NAME_hash_ex(), X509_NAME_hash(), X509_{subject,issuer}_name_has

Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1

Deprecate X509_NAME_hash()
Document X509_NAME_hash_ex(), X509_NAME_hash(), X509_{subject,issuer}_name_hash()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13762)

show more ...

Clean away extraneous library specific FETCH_FAILED reason codes

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13467)

Use centralized fetching errors

We've spread around FETCH_FAILED errors in quite a few places, and
that gives somewhat crude error records, as there's no way to tell if
the error was

Use centralized fetching errors

We've spread around FETCH_FAILED errors in quite a few places, and
that gives somewhat crude error records, as there's no way to tell if
the error was unavailable algorithms or some other error at such high
levels.

As an alternative, we take recording of these kinds of errors down to
the fetching functions, which are in a much better place to tell what
kind of error it was, thereby relieving the higher level calls from
having to guess.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13467)

show more ...

Remove duplicate GENERATE declarations for .pod files

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13824)

Configure: warn about duplicate GENERATE declarations in build.info files

This sort of duplication is permitted, as the end result will be a single
item anyway, but we might as well warn

Configure: warn about duplicate GENERATE declarations in build.info files

This sort of duplication is permitted, as the end result will be a single
item anyway, but we might as well warn to avoid future confusion.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13824)

show more ...

Configure: clean away perl syntax faults

The faults aren't fatal (i.e. perl just shrugs), but are curious.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https:/

Configure: clean away perl syntax faults

The faults aren't fatal (i.e. perl just shrugs), but are curious.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13824)

show more ...

Configure: Check all SOURCE declarations, to ensure consistency

If the given sources are GENERATEd, we check those generators as well.

This ensures that the declarations in the dive

Configure: Check all SOURCE declarations, to ensure consistency

If the given sources are GENERATEd, we check those generators as well.

This ensures that the declarations in the diverse build.info files are
consistent with existing files.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13824)

show more ...

v3_ocsp.c: fix indentation of include directives

Fixes #13820

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13822)

Close /dev/crypto file descriptor after CRIOGET ioctl().

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/o

Close /dev/crypto file descriptor after CRIOGET ioctl().

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13807)

show more ...

APPS: Print help also on -h and --h; print high-level help when no cmd given

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13799)

APPS: Fix confusion between program and app/command name used in diagnostic/help output

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/

APPS: Fix confusion between program and app/command name used in diagnostic/help output

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13799)

show more ...

apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pul

apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13712)

show more ...

apps/pkey.c: Re-order help output and option documentation

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13712)

apps/pkey.c: Make clear that -passout is not supported for DER output

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13712)