OpenSSL::ParseC: handle OSSL_CORE_MAKE_FUNC

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)

Add PEM declaration macros that take attributes

This makes it possible to easily deprecated selections of PEM
functions.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merge

Add PEM declaration macros that take attributes

This makes it possible to easily deprecated selections of PEM
functions.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)

show more ...

Add ASN1 declaration macros that take attributes

This makes it possible to easily deprecated selections of ASN1
functions.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Mer

Add ASN1 declaration macros that take attributes

This makes it possible to easily deprecated selections of ASN1
functions.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)

show more ...

Make OpenSSL::ParseC and OpenSSL::Ordinals treat deprecation consistently

The triggering macro that decides if a symbol is to be considered
deprecated is OPENSSL_NO_DEPRECATEDIN_x_y[_z].

Make OpenSSL::ParseC and OpenSSL::Ordinals treat deprecation consistently

The triggering macro that decides if a symbol is to be considered
deprecated is OPENSSL_NO_DEPRECATEDIN_x_y[_z]. OpenSSL::ParseC
renames any OPENSSL_NO_DEPRECATED_x_y[_z] by inserting "IN".

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)

show more ...

Add convenience macros OSSL_DEPRECATEDIN_{major}_{minor}

As opposed to DEPRECATEDIN_{major}_{minor}(), any use of these macros must
be guarded with a corresponding OPENSSL_NO_DEPRECATED_

Add convenience macros OSSL_DEPRECATEDIN_{major}_{minor}

As opposed to DEPRECATEDIN_{major}_{minor}(), any use of these macros must
be guarded with a corresponding OPENSSL_NO_DEPRECATED_{major}_{minor}:

#ifndef OPENSSL_NO_DEPRECATED_3_0
OSSL_DEPRECATEDIN_3_0 int RSA_size(const RSA *rsa);
#endif

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)

show more ...

Add definitions of OSSL_DEPRECATED[_FOR] for Microsoft VC

It turns out that they have __declspec(deprecated) that correspond
pretty much to GCC's __attribute__((deprecated)), including f

Add definitions of OSSL_DEPRECATED[_FOR] for Microsoft VC

It turns out that they have __declspec(deprecated) that correspond
pretty much to GCC's __attribute__((deprecated)), including for
messages.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)

show more ...

Change OSSL_DEPRECATED to take a version argument

The macro value is changed to use deprecation messages where whose are
supported.

We also add the macro OSSL_DEPRECATED_FOR(),

Change OSSL_DEPRECATED to take a version argument

The macro value is changed to use deprecation messages where whose are
supported.

We also add the macro OSSL_DEPRECATED_FOR(), to be used whenever an
additional message text is desirable, for example to tell the user
what the deprecated is replaced with. Example:

OSSL_DEPRECATED_FOR(3.0,"use EVP_PKEY and EVP_PKEY_size() instead")
int RSA_size(const RSA *rsa);

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)

show more ...

Add a macro OSSL_DEPRECATED for compiler dependent deprecation attributes

The diverse DEPRECATEDIN_x_y_z macros are rewritten in terms of this macro.

Reviewed-by: Paul Dale <paul.da

Add a macro OSSL_DEPRECATED for compiler dependent deprecation attributes

The diverse DEPRECATEDIN_x_y_z macros are rewritten in terms of this macro.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)

show more ...

coverity 1403324 negative array index: check for finding an unknown value and error if so (since it shouldn't happen).

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from http

coverity 1403324 negative array index: check for finding an unknown value and error if so (since it shouldn't happen).

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13091)

show more ...

coverity 1414446 out-of-bounds access: allocate \0 terminator byte to be safe

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13091)

vms: move otherwise dead code into the VMS relevant path.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13091)

Adapt some code to OSSL_ENCODER_to_data() / OSSL_DECODER_from_data()

The functions i2d_PrivateKey(), try_key_value() i store_result.c and
X509_PUBKEY_set() were all essentially duplicati

Adapt some code to OSSL_ENCODER_to_data() / OSSL_DECODER_from_data()

The functions i2d_PrivateKey(), try_key_value() i store_result.c and
X509_PUBKEY_set() were all essentially duplicating this functionality
to some degree.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13094)

show more ...

ENCODER / DECODER: Add functions to encode/decode to/from a buffer

This adds OSSL_ENCODER_to_data() and OSSL_DECODER_from_data(). These
functions allow fairly simple rewrites of type-sp

ENCODER / DECODER: Add functions to encode/decode to/from a buffer

This adds OSSL_ENCODER_to_data() and OSSL_DECODER_from_data(). These
functions allow fairly simple rewrites of type-specific i2d and d2i
calls.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13094)

show more ...

Fix diverse ERR code conflicts

There was a number of potential range conflicts between reason codes
from different places. Library specific reason codes are allowed to
start at 100,

Fix diverse ERR code conflicts

There was a number of potential range conflicts between reason codes
from different places. Library specific reason codes are allowed to
start at 100, so it means that anything "global" is limited to the
range 1..99.
At the same time, we have the ERR_R_LIB_xxx reason codes, which have
the same numbers as ERR_LIB_xxx, potential range 1..255.
And then we have the common ERR_R_ reason codes, potential range in
OpenSSL 1.1.1 is 1..99, where fatal reasons occupy 64..99. For
OpenSSL 3.0-dev, the range for the common reason codes was pushed up
to 64..99 in an attempt to reduce the conflicts with the ERR_R_LIB_xxx
reason codes.

Currently existing conflicts in OpenSSL 1.1.1:

ERR_R_BUF_LIB and ERR_R_PASSED_INVALID_ARGUMENT have the same code.

There are currently no existing conflicts in OpenSSL 3.0-dev, but
considering that ERR_LIB_HTTP is 61, a few more modules and associated
ERR_R_LIB_xxx are going to sniff awfully close to 64, where the
common ERR_R_ codes currently start.

To avoid these range conflicts, the strategy to recognise common
reason codes is change to depend on a reason flag, ERR_RFLAG_COMMON,
and the common error codes themselves have moved start at 256, giving
them the potential range 256..2^18-1, and thus allowing ERR_R_LIB_xxx
the full range of library codes, 1..255.

The dual purpose ERR_R_FATAL is also handled in this change, by
allowing the rflags and reason codes to overlap by 1 bit, and make
both ERR_R_FATAL and ERR_RFLAG_FATAL have the same value, 2^18.

With this change, there's no need to worry about reason code conflicts
any more, every library specific range as well as the common range is
1..2^18-1.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13093)

show more ...

make ordinals

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13092)

Modify util/mknum.pl to drop new symbols that don't exist any more

This makes use of the writer filters in OpenSSL::Ordinals.

Fixes #10395

Reviewed-by: Paul Dale <paul.dale

Modify util/mknum.pl to drop new symbols that don't exist any more

This makes use of the writer filters in OpenSSL::Ordinals.

Fixes #10395

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13092)

show more ...

OpenSSL::Ordinals: Add options for the writing functions

OpenSSL::Ordinals::rewrite() and OpenSSL::Ordinals::write() now take
options, that are simply passed to OpenSSL::Ordinals::items(

OpenSSL::Ordinals: Add options for the writing functions

OpenSSL::Ordinals::rewrite() and OpenSSL::Ordinals::write() now take
options, that are simply passed to OpenSSL::Ordinals::items(). The
'sort' option is forbidden, though, since write() already uses it, but
that means it's possible to filter the output.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13092)

show more ...

INSTALL.md: Drop trailing spaces on a line

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/13097)

Disabled symbol_presence test on NonStop due to different nm format.

CLA: trivial
Fixes #12996

Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>

Reviewed-by: Ri

Disabled symbol_presence test on NonStop due to different nm format.

CLA: trivial
Fixes #12996

Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13036)

show more ...

Set mark and pop error in d2i_PrivateKey_ex

This commit sets the error mark before calling old_priv_decode and if
old_priv_decode returns false, and if EVP_PKCS82PKEY is successful, the

Set mark and pop error in d2i_PrivateKey_ex

This commit sets the error mark before calling old_priv_decode and if
old_priv_decode returns false, and if EVP_PKCS82PKEY is successful, the
errors are popped to the previously set mark.

The motivation for this is an issue we found when linking Node.js
against OpenSSL 3.0. Details can be found in the link below and the
test case provided in this commit attempts cover this.

Refs: https://github.com/danbev/learning-libcrypto#asn1-wrong-tag-issue
Refs: https://github.com/nodejs/node/issues/29817

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13073)

show more ...

Fix zero-length content verification in S/MIME format

Fixes #13082

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13087)

Tests for processing zero-length content in SMIME format

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13087)

Correct and simplify use of ERR_clear_error() etc. for loading DSO libs

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13045)

Allow to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE

This unifies the behaviour of a single certificate with
an unknown CA certificate with a self-signed certificate.
The user callba

Allow to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE

This unifies the behaviour of a single certificate with
an unknown CA certificate with a self-signed certificate.
The user callback can mask that error to retrieve additional
error information. So the user application can decide to
abort the connection instead to be forced by openssl.

This change in behaviour is backward compatible as user callbacks
who don't want to ignore UNABLE_TO_VERIFY_LEAF_SIGNATURE will
still abort the connection by default.

CLA: trivial
Fixes #11297

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13083)

show more ...

Fix the decoder start type handling

If an explicit decoder start type was provided then it wasn't being
handled correctly in all cases. Specifically if a PEM start type was
provided

Fix the decoder start type handling

If an explicit decoder start type was provided then it wasn't being
handled correctly in all cases. Specifically if a PEM start type was
provided then the decoder would fail.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13050)

show more ...