Add SSL_get[01]_peer_certificate()

Deprecate SSL_get_peer_certificte() and replace with
SSL_get1_peer_certificate().
Add SSL_get0_peer_certificate.

Reviewed-by: Paul Dale <p

Add SSL_get[01]_peer_certificate()

Deprecate SSL_get_peer_certificte() and replace with
SSL_get1_peer_certificate().
Add SSL_get0_peer_certificate.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/8730)

show more ...

Configure: fix minor typo in apitable comment

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl

Configure: fix minor typo in apitable comment

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12398)

show more ...

Add FIPS related configuration data to the default openssl application configuration file

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/opens

Add FIPS related configuration data to the default openssl application configuration file

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12333)

show more ...

Make -provider_name and -section_name optional

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https:

Make -provider_name and -section_name optional

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12311)

show more ...

Use defaults FIPSKEY if not given on command line

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from htt

Use defaults FIPSKEY if not given on command line

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12311)

show more ...

Add AES_CBC_CTS ciphers to providers

Added Algorithm names AES-128-CBC-CTS, AES-192-CBC-CTS and AES-256-CBC-CTS.
CS1, CS2 and CS3 variants are supported.
Only single shot updates are

Add AES_CBC_CTS ciphers to providers

Added Algorithm names AES-128-CBC-CTS, AES-192-CBC-CTS and AES-256-CBC-CTS.
CS1, CS2 and CS3 variants are supported.
Only single shot updates are supported.
The cipher returns the mode EVP_CIPH_CBC_MODE (Internally it shares the aes_cbc cipher code). This
would allow existing code that uses AES_CBC to switch to the CTS variant without breaking code that
tests for this mode. Because it shares the aes_cbc code the cts128.c functions could not be used directly.
The cipher returns the flag EVP_CIPH_FLAG_CTS.
EVP_CIPH_FLAG_FIPS & EVP_CIPH_FLAG_NON_FIPS_ALLOW have been deprecated.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12094)

show more ...

Enable WinCE build without deceiving _MSC_VER.

Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/open

Enable WinCE build without deceiving _MSC_VER.

Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11526)

show more ...

To generate makefile with correct parameters for WinCE.

Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/ope

To generate makefile with correct parameters for WinCE.

Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11526)

show more ...

Disable optimiization of BN_num_bits_word() for VS2005 ARM compiler due to
its miscompilation of the function.
https://mta.openssl.org/pipermail/openssl-users/2018-August/008465.html

Disable optimiization of BN_num_bits_word() for VS2005 ARM compiler due to
its miscompilation of the function.
https://mta.openssl.org/pipermail/openssl-users/2018-August/008465.html

Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11526)

show more ...

Changed uintptr_t to size_t. WinCE6 doesn't seem it have the definition.

Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https

Changed uintptr_t to size_t. WinCE6 doesn't seem it have the definition.

Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11526)

show more ...

DRBG: rename the DRBG taxonomy.

The existing wording didn't capture the reality of the default setup, this new
nomenclature attempts to improve the situation.

Reviewed-by: Mark

DRBG: rename the DRBG taxonomy.

The existing wording didn't capture the reality of the default setup, this new
nomenclature attempts to improve the situation.

Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12366)

show more ...

Configurations: make Makefile tmpl files non-links

This commit updates Configurations/README.md and turns the Makefile
templates into non-links.

The motivation for this is that

Configurations: make Makefile tmpl files non-links

This commit updates Configurations/README.md and turns the Makefile
templates into non-links.

The motivation for this is that not all template exist in the directory
leading to 404 Not found errors when accessed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12401)

show more ...

[test] ectest: check custom generators

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/opens

[test] ectest: check custom generators

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12096)

show more ...

Providerized libssl fallout: cleanup init

Since libssl is entirely using fetched cipher/digest implementations
from providers, we don't need to register the libcrypto cipher/digest
i

Providerized libssl fallout: cleanup init

Since libssl is entirely using fetched cipher/digest implementations
from providers, we don't need to register the libcrypto cipher/digest
implementations in ossl_init_ssl_base().

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12418)

show more ...

BN: Check endianness in run-time, in BN_native2bn() and BN_bn2nativepad()

The code relied on B_ENDIAN being defined on all big-endian platform,
which turned out to not always be the case

BN: Check endianness in run-time, in BN_native2bn() and BN_bn2nativepad()

The code relied on B_ENDIAN being defined on all big-endian platform,
which turned out to not always be the case.

Fixes #12387

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/12390)

show more ...

Add and use internal header that implements endianness check

This moves test/ossl_test_endian.h to include/internal/endian.h and
thereby makes the macros in there our standard way to che

Add and use internal header that implements endianness check

This moves test/ossl_test_endian.h to include/internal/endian.h and
thereby makes the macros in there our standard way to check endianness
in run-time.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/12390)

show more ...

DOC: install documentation without execution permissions.

Fixes #12350

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/1

DOC: install documentation without execution permissions.

Fixes #12350

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12373)

show more ...

ocsp.h: Fix backward compatibility decl for OCSP_parse_url() by including http.h

Fixes #12386

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/

ocsp.h: Fix backward compatibility decl for OCSP_parse_url() by including http.h

Fixes #12386

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12399)

show more ...

Fix wrong fipsinstall key used in test

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/124

Fix wrong fipsinstall key used in test

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12402)

show more ...

Makefile template: fix incorrect treatment of produced document files

Documentation files were treated as programs when assigning to the
make variables HTMLDOCS{1,3,5,7} and MANDOCS{1,3,

Makefile template: fix incorrect treatment of produced document files

Documentation files were treated as programs when assigning to the
make variables HTMLDOCS{1,3,5,7} and MANDOCS{1,3,5,7}, which is is
incorrect on POSIX sub-systems where executables have an extension
(.exe).

Fixes #11937

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12374)

show more ...

Add multiple fixes for ffc key generation using invalid p,q,g parameters.

Fixes #11864

- The dsa keygen assumed valid p, q, g values were being passed. If this is not correct then i

Add multiple fixes for ffc key generation using invalid p,q,g parameters.

Fixes #11864

- The dsa keygen assumed valid p, q, g values were being passed. If this is not correct then it is
possible that dsa keygen can either hang or segfault.
The fix was to do a partial validation of p, q, and g inside the keygen.
- Fixed a potential double free in the dsa keypair test in the case when in failed (It should never fail!).
It freed internal object members without setting them to NULL.
- Changed the FFC key validation to accept 1024 bit keys in non fips mode.
- Added tests that use both the default provider & fips provider to test these cases.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12176)

show more ...

Fix CID 1454808: Error handling issues NEGATIVE_RETURNS (PKCS7_dataDecode())

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/1237

Fix CID 1454808: Error handling issues NEGATIVE_RETURNS (PKCS7_dataDecode())

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12379)

show more ...

Fix CID 1454806: NEGATIVE_RETURNS (cms_enc.c)

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12379)

Fix CID 1465213: Integer handling issues (evp_extra_test.c)

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12379)

Fix CID 1463883 Dereference after null check (in ess_find_cert_v2())

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12379)