add CMP message validation and related tests; while doing so:
* add ERR_add_error_mem_bio() to crypto/err/err_prn.c
* move ossl_cmp_add_error_txt() as ERR_add_error_txt() to crypto/err/err_prn.c
* add X509_STORE_CTX_print_verify_cb() to crypto/x509/t_x509.c,
adding internally x509_print_ex_brief(), print_certs(), and print_store_certs()
* move {ossl_cmp_,}X509_STORE_get1_certs() to crypto/x509/x509_lu.c
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/10620)
in particular:
consolidate documentation of CMP logging and error reporting functions
fix compilation problem with clang on some platforms
rename OSSL_CMP_log etc. to ossl_cmp_log etc. since these macros are CMP-internal
move chopping of trailing separator to ossl_cmp_add_error_txt(), also fix handling of leading separator
internalize X509_print_ex_brief() as x509_print_ex_brief()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/10620)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10852)
fix also formatting nits w.r.t. #if indentations in ocsp.h
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11058)
This function is recently introduced and never called by the library or tests.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11053)
speed is updated to not support DSA instead of being removed.
The dhparam, dsaparam, dsa and gendsa commands are deprecated but still
exist without NO_DEPRECATED defined.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10977)
Use of the low level DSA functions has been informally discouraged for a
long time. We now formally deprecate them.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10977)
The new client has become an independent libcrpyto module in crypto/http/ and
* can handle any types of requests and responses (ASN.1-encoded and plain)
* does not include potentially busy loops when waiting for responses but
* makes use of a new timeout mechanism integrated with socket-based BIO
* supports the use of HTTP proxies and TLS, including HTTPS over proxies
* supports HTTP redirection via codes 301 and 302 for GET requests
* returns more useful diagnostics in various error situations
Also adapts - and strongly simplifies - hitherto uses of HTTP in crypto/ocsp/,
crypto/x509/x_all.c, apps/lib/apps.c, and apps/{ocsp,s_client,s_server}.c
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/10667)
Typedefs of CRYPTO malloc, realloc and free.
MEM_CHECK "modes" are used only as a CRYPTO_mem_ctrl() parameter
The CRYPTO_mem_ctrl is defined only if OPENSSL_NO_CRYPTO_MDEBUG is
defined, thus define the MEM_CHECK modes under the same condition.
Maybe the macros can be removed at all since:
1. CRYPTO_mem_ctrl() just returns -1 and ignores the parameter
2. CRYPTO_mem_ctr() is declared as DEPRECATED by 3.0
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11042)
The callback data allows passing context specific data from the
application of the DRBG to to the entropy callbacks.
This a rather specialized feature which is useful for implementing
known answer tests (KATs) or deterministic signatures (RFC6979),
which require passing a specified entropy and nonce for instantiating
the DRBG.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10950)
PR #10942 introduced the new function ASN1_item_verify_ctx(), but did
not document it with the promise that documentation would follow soon.
We temporarily add this function to missingcrypto.txt until it has been
done.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10980)
When we run "make doc-nits" (which happens during travis runs) it will
complain if we add any new symbols that aren't documented. However it
was suppressing anything starting with ASN1. There's no reason why we
should allow ASN1 symbols to go undocumented any more than any others.
Therefore we remove that exception.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10980)
Update CHANGES to have a complete and uniform description.
Fixes#9730
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10972)
The various functions in bn_const.c return primes that are
specified for use in DH. However they were not being excluded from
a no-dh build - and was therefore causing the build to fail.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10990)
Use of the low level ECDSA and EC_KEY_METHOD functions has been informally discouraged for a
long time. We now formally deprecate them.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10960)
find-doc-nits can give a list of symbols that were added since 1.1.1 and
are undocumented (using -o). To do this it uses the missingcrypto111.txt
and missingssl111.txt files which give a snapshot of the undocumented
symbols at the time of the 1.1.1 release. Currently it complains about
symbols that are in those files that have subsequently been documented.
This isn't particularly helpful so we suppress that feature when "-o"
is being used.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10981)
The solution to incorporate the SM2 identity processing was an off
the side hack that more or less duplicated the ASN1_item_verify()
code with just a few lines being different. We replace this with
a new function ASN1_item_verify_ctx(), which takes an EVP_MD_CTX
pointer instead of an EVP_PKEY pointer, just like its sibling
ASN1_item_sign_ctx().
This allows us to refactor X509_verify() and X509_REQ_verify() to
simply create a local EVP_MD_CTX and an attached EVP_PKEY_CTX,
which gets to hold the SM2 identity, if there is one, and then let
ASN1_item_verify_ctx() to its job.
This will also make it easier to adapt ASN1_item_verify_ctx() for
provider based keys.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10942)
Add cmd-nits make target.
Listing options should stop when it hits the "parameters" separator.
Add missing .pod.in files to doc/man1/build.info
Tweak find-doc-nits to try openssl-XXX before XXX for POD files and
change an error messavge to be more useful.
Fix the following pages: ca, cms, crl, dgst, enc,
engine, errstr, gendsa, genrsa, list, ocsp, passwd, pkcs7, pkcs12, rand,
rehash, req, rsautil, s_server, speed, s_time,
sess_id, smime, srp, ts, x509.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10873)
Backwards compatibility with the old ticket key call back is maintained.
This will be removed when the low level HMAC APIs are finally removed.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10836)
Use of the low level HMAC functions has been informally discouraged for a
long time. We now formally deprecate them.
Applications should instead use EVP_MAC_CTX_new(3), EVP_MAC_CTX_free(3),
EVP_MAC_init(3), EVP_MAC_update(3) and EVP_MAC_final(3).
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10836)
Use of the low level CMAC functions has been informally discouraged for a
long time. We now formally deprecate them.
Applications should instead use EVP_MAC_CTX_new(3), EVP_MAC_CTX_free(3),
EVP_MAC_init(3), EVP_MAC_update(3) and EVP_MAC_final(3).
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10836)
Because there was a bug in File::Spec::Unix' abs2rel when it was given
relative paths as both PATH and BASE arguments, the directories we
deal with were made to be all absolute. Unfortunately, this meant
getting paths in our verbose test output which are difficult to use
anywhere else (such as a separate test build made for comparison), due
to the constant need to edit all the paths all the time.
We're therefore getting back the relative paths, by doing an extra
abs2rel() in __srctop_file, __srctop_dir, __bldtop_file and
__bldtop_dir, with a 'Cwd::getcwd' call as BASE argument.
Fixes#10628
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10913)
This affects the following function, which can now deal with provider
side keys:
- EVP_SealInit()
- EVP_OpenInit()
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10808)
Use of the low level DES functions has been informally discouraged for a
long time. We now formally deprecate them.
Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex,
EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the equivalently named decrypt
functions.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10858)
This commit introduces functions PKCS8_pkey_add1_attr_by_OBJ and PKCS8_pkey_add1_attr
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10900)
It is the provider version of EVP_PKEY_get_default_digest_nid(). We make
sure to use it in the non-legacy section of do_sigver_init() (internal
implementation for EVP_DigestSignInit() and EVP_DigestVerifyInit())
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10824)
make doc-nits was failing due to a merge error on master in missingcrypto.txt.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10932)
Replace "=for openssl foreign manuals" with simpler syntax, it looks
like the "=for openssl ifdef" construct.
Fix some broken L<> links; add some missing foreign references and fixed
some typo's.
The WARNINGS in dhparam referred to non-existant commands so reword it.
Fixes#10109
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10256)
We add the ability to specify an OPENSSL_CTX (which may be NULL for the
default context) and a property query string for use during algorithm
fetch operations.
For example, in this way one SSL_CTX could be used the default provider,
and another one could be used with the FIPS provider.
At this stage we don't use these values. That will come later.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10866)
These were initially added as internal functions only. However they will
also need to be used by libssl as well. Therefore it make sense to move
them into the public API.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10864)
Use of the low level IDEA functions has been informally discouraged for a
long time. We now formally deprecate them.
Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex,
EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the equivalently named decrypt
functions.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10819)
Undo the changes to md5.h and sha.h so that the low level symbols are
exported from libcrypto again. This allows libssl to build and link.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10791)
Use of the low level MD5 functions has been informally discouraged for a long
time. We now formally deprecate them.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10791)
We change the description to be about the key rather than the
signature. How the key size is related to the signature is explained
in the description of EVP_SignFinal() anyway.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10778)
Use of the low level RC5 functions has been informally discouraged for a long
time. We now formally deprecate them.
Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex,
EVP_EncryptUpdate, EVP_EncryptFinal_ex and the equivalently named decrypt
functions.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10834)
Use of the low level RC4 functions has been informally discouraged for a long
time. We now formally deprecate them.
Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex,
EVP_EncryptUpdate, EVP_EncryptFinal_ex and the equivalently named decrypt
functions.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10834)
Use of the low level RC2 functions has been informally discouraged for a
long time. We now formally deprecate them.
Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex,
EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the equivalently named decrypt
functions.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10834)
Use of the low level SEED functions has been informally discouraged for a
long time. We now formally deprecate them.
Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex,
EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the equivalently named decrypt
functions.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10833)
Added an API to optionally set a self test callback.
The callback has the following 2 purposes
(1) Output information about the KAT tests.
(2) Allow the ability to corrupt one of the KAT's
The fipsinstall program uses the API.
Some KATS are not included in this PR since the required functionality did not yet exist in the provider.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10374)
Applications should instead use the higher level EVP APIs, e.g.
EVP_Encrypt*() and EVP_Decrypt*().
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10742)
Applications should instead use the higher level EVP APIs, e.g.
EVP_Encrypt*() and EVP_Decrypt*().
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10741)
Use of the low level Whirlpool functions has been informally discouraged for a
long time. We now formally deprecate them.
Applications should instead use the EVP APIs, e.g. EVP_Digest,
EVP_DigestInit_ex, EVP_DigestUpdate and EVP_DigestFinal_ex.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10779)
Use of the low level RIPEMD160 functions has been informally discouraged for a
long time. We now formally deprecate them.
Applications should instead use the EVP APIs, e.g. EVP_Digest,
EVP_DigestInit_ex, EVP_DigestUpdate and EVP_DigestFinal_ex.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10789)
Applications should instead use the higher level EVP APIs, e.g.
EVP_Encrypt*() and EVP_Decrypt*().
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10740)
Use of the low level AES functions has been informally discouraged for a
long time. We now formally deprecate them.
Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex,
EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the equivalently named decrypt
functions.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10580)
It may be that some "missing" manuals have been written since their
insertion in the "missing" files. Make sure to alert when such manual
references are found.
This works, because we collect all existing manual references into
%name_map first.
Fixes#10681
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10683)
This should be very unusual, but we do have a case of a name we don't
want to display.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10621)
The names collected in util/missing*.txt are not file names, but
symbol names, and to compare properly with script data, the section
name must be included.
All symbols found in util/lib*.num are library functions, so we know
that they are in manual section 3 and can simply add that info. The
same goes for all macros found in C headers.
Finally, we get rid of getdocced() and its associated hash table
%docced. We already have the appropriate information in %name_map.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10621)
aes_platform.h
cmll_platform.h
des_platform.h
To make this possible, we must also define DES_ASM and CMLL_ASM to
indicate that we have the necessary internal support.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10662)
Fixes#8322
The leak-checking (and backtrace option, on some platforms) provided
by crypto-mdebug and crypto-mdebug-backtrace have been mostly neutered;
only the "make malloc fail" capability remains. OpenSSL recommends using
the compiler's leak-detection instead.
The OPENSSL_DEBUG_MEMORY environment variable is no longer used.
CRYPTO_mem_ctrl(), CRYPTO_set_mem_debug(), CRYPTO_mem_leaks(),
CRYPTO_mem_leaks_fp() and CRYPTO_mem_leaks_cb() return a failure code.
CRYPTO_mem_debug_{malloc,realloc,free}() have been removed. All of the
above are now deprecated.
Merge (now really small) mem_dbg.c into mem.c
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10572)
Also, turn missing L<foo(3)> into foo(3)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10104)
DECLARE_STACK_OF was renamed to DEFINE_STACK_OF in commit 8588571.
Expanded the only use of TYPEDEF_{D2I,I2D,D2I2D}_OF, so that they can
easily be removed in a future release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10464)
The prototype checks shouldn't be performed on SYNOPSIS lines that
aren't function prototypes.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)
This also adds the missing accessor RSA_get0_pss_params(), so those
parameters can be included in the PKCS#8 data structure without
needing to know the inside of the RSA structure.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)
To support generic output of public keys wrapped in a X509_PUBKEY,
additional PEM and i2d/d2i routines are added for that type.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)
The following public functions is added:
- OSSL_SERIALIZER_CTX_new_by_EVP_PKEY()
- OSSL_SERIALIZER_CTX_set_cipher()
- OSSL_SERIALIZER_CTX_set_passphrase()
- OSSL_SERIALIZER_CTX_set_passphrase_cb()
- OSSL_SERIALIZER_CTX_set_passphrase_ui()
OSSL_SERIALIZER_CTX_new_by_EVP_PKEY() selects a suitable serializer
for the given EVP_PKEY, and sets up the OSSL_SERIALIZER_CTX to
function together with OSSL_SERIALIZER_to_bio() and
OSSL_SERIALIZER_to_fp().
OSSL_SERIALIZER_CTX_set_cipher() indicates what cipher should be used
to produce an encrypted serialization of the EVP_PKEY. This is passed
directly to the provider using OSSL_SERIALIZER_CTX_set_params().
OSSL_SERIALIZER_CTX_set_passphrase() can be used to set a pass phrase
to be used for the encryption. This is passed directly to the
provider using OSSL_SERIALIZER_CTX_set_params().
OSSL_SERIALIZER_CTX_set_passphrase_cb() and
OSSL_SERIALIZER_CTX_set_passphrase_ui() sets up a callback to be used
to prompt for a passphrase. This is stored in the context, and is
called via an internal intermediary at the time of serialization.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)
These functions are added:
- OSSL_SERIALIZER_to_bio()
- OSSL_SERIALIZER_to_fp() (unless 'no-stdio')
OSSL_SERIALIZER_to_bio() and OSSL_SERIALIZER_to_fp() work as wrapper
functions, and call an internal "do_output" function with the given
serializer context and a BIO to output the serialized result to.
The internal "do_output" function must have intimate knowledge of the
object being output. This will defined independently with context
creators for specific OpenSSL types.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)
Serialization is needed to be able to take a provider object (such as
the provider side key data) and output it in PEM form, DER form, text
form (for display), and possibly other future forms (XML? JSON? JWK?)
The idea is that a serializer should be able to handle objects it has
intimate knowledge of, as well as object data in OSSL_PARAM form. The
latter will allow libcrypto to serialize some object with a different
provider than the one holding the data, if exporting of that data is
allowed and there is a serializer that can handle it.
We will provide serializers for the types of objects we know about,
which should be useful together with any other provider that provides
implementations of the same type of object.
Serializers are selected by method name and a couple of additional
properties:
- format used to tell what format the output should be in.
Possibilities could include "format=text",
"format=pem", "format=der", "format=pem-pkcs1"
(traditional), "format=der-pkcs1" (traditional)
- type used to tell exactly what type of data should be
output, for example "type=public" (the public part of
a key), "type=private" (the private part of a key),
"type=domainparams" (domain parameters).
This also adds a passphrase callback function type,
OSSL_PASSPHRASE_CALLBACK, which is a bit like OSSL_CALLBACK, but it
takes a few extra arguments to place the result in.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)
The 'platform' module handles defaults fine, there's no need to add
extra conditions on it being loaded.
Fixes#10513
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10514)
When checking links, we need to peal away stuff that aren't part of
the link proper first. That makes it easier to check the link
itself.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10507)
This also removes the incorrect documentation comments by those
functions, and fixes a bug in SSL_add_store_cert_subjects_to_stack(),
where the condition for recursive addition was 'depth == 0' when it
should be 'depth > 0'.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10402)
Because KDF errors are deprecated and only conserved for backward
compatibilty, we must make sure that they remain untouched. A simple
way to signal that is by modifying crypto/err/openssl.ec and replace
the main header file (include/openssl/kdf.h in this case) with 'NONE',
while retaining the error table file (crypto/kdf/kdf_err.c).
util/mkerr.pl is modified to silently ignore anything surrounding a
conserved lib when such a .ec line is found.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10368)
Not only deprecate, but also remove the reason strings and make
ERR_load_KDF_strings() do nothing.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10368)
The parser expected an 'extern "C"' followed by a single declaration
to always end with a semicolon. Then came along something like this:
extern "C" DEPRECATEDIN_3_0(int ERR_load_KDF_strings(void))
This change adjusts the detector of 'extern "C"' to also take in
accound a declaration that ends with a parenthesis.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10368)
This is the EVP operation that corresponds to creating direct RSA, DH
and DSA keys and set their numbers, to then assign them to an EVP_PKEY,
but done entirely using an algorithm agnostic EVP interface.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10187)
Previous macros suggested that from 3.0, we're only allowed to
deprecate things at a major version. However, there's no policy
stating this, but there is for removal, saying that to remove
something, it must have been deprecated for 5 years, and that removal
can only happen at a major version.
Meanwhile, the semantic versioning rule is that deprecation should
trigger a MINOR version update, which is reflected in the macro names
as of this change.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10364)
At some point in time, there was a 'no-deprecated' configuration
option, which had the effect of hiding all declarations of deprecated
stuff, i.e. make the public API look like they were all removed.
At some point in time, there was a '--api' configuration option, which
had the effect of having the public API look like it did in the version
given as value, on a best effort basis. In practice, this was used to
get different implementations of BN_zero(), depending on the desired
API compatibility level.
At some later point in time, '--api' was changed to mean the same as
'no-deprecated', but only for the deprecations up to and including the
desired API compatibility level. BN_zero() has been set to the
pre-1.0.0 implementation ever since, unless 'no-deprecation' has been
given.
This change turns these options back to their original meaning, but
with the slight twist that when combined, i.e. both '--api' and
'no-deprecated' is given, the declarations that are marked deprecated
up to an including the desired API compatibility level are hidden,
simulating that they have been removed.
If no desired API compatibility level has been given, then
configuration sets the current OpenSSL version by default.
Furthermore, the macro OPENSSL_API_LEVEL is now used exclusively to
check what API compatibility level is desired. For checking in code
if `no-deprecated` has been configured for the desired API
compatibility level, macros for each supported level is generated,
such as OPENSSL_NO_DEPRECATED_1_1_1, corresponding to the use of
DEPRECATEDIN_ macros, such as DEPRECATEDIN_1_1_1().
Just like before, to set an API compatibility level when building an
application, define OPENSSL_API_COMPAT with an appropriate value. If
it's desirable to hide deprecated functions up to and including that
level, additionally define OPENSSL_NO_DEPRECATED (the value is
ignored).
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10364)
When the source isn't in development any more (the version number
doesn't the tags 'dev' or 'alpha'), we renumber the unassigned symbols
to ensure that we have fixed numbers on all.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10348)
If a script wants to display how many symbols have assigned numbers
and how many don't, this gives them those numbers.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10348)
This should be used when it's time to assign constant numbers to the
unassigned symbols.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10348)
We preserve the number or '?' or '?+', but assign numbers internally
on the latter, to ensure we keep the order of the input.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10348)
Symbols that have appeared since 1.1.1 was released are considered
unassigned in the development branch. This is marked by having a
question mark as its ordinal number.
This introduces two new markers to be used instead of ordinal numbers:
? signifying it gets the previous symbol's number plus one
?+ signifying it gets the same number as the previous symbol
'?+' should remain rare, but is useful to create aliases when needed
(for example when two different symbols clash because they only differ
in character case, see include/openssl/symhacks.h)
The intention is that a development branch won't have set numbers for
new symbols, and that the final numbers will only get allocated when
making beta or final releases.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10348)
Because the algorithm to use is decided already when creating an
EVP_PKEY_CTX regardless of how it was created, it turns out that it's
unnecessary to provide the SIGNATURE method explicitly, and rather
always have it be fetched implicitly.
This means fewer changes for applications that want to use new
signature algorithms / implementations.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10303)
Because the algorithm to use is decided already when creating an
EVP_PKEY_CTX regardless of how it was created, it turns out that it's
unnecessary to provide the KEYEXCH method explicitly, and rather
always have it be fetched implicitly.
This means fewer changes for applications that want to use new key
exchange algorithms / implementations.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10305)
This is a wrapper around OSSL_STORE.
This also adds necessary support functions:
- X509_STORE_load_file
- X509_STORE_load_path
- X509_STORE_load_store
- SSL_add_store_cert_subjects_to_stack
- SSL_CTX_set_default_verify_store
- SSL_CTX_load_verify_file
- SSL_CTX_load_verify_dir
- SSL_CTX_load_verify_store
and deprecates X509_STORE_load_locations and SSL_CTX_load_verify_locations,
as they aren't extensible.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8442)
Add sections (almost always "(3)" to L<> references that were missing
them. Among other things, this
Fixes: #10226
Also remove two references to non-existant manpages that have never
existed, and with the 3.0 structure, are unlikely to do so.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10240)
Use new doc-build capabilities
Add -i flag to dofile.
Add doc/man1 to SUBDIRS for the new templated doc files
Rewrite commit a397aca (merged from PR 10118) to use the doc-template stuff.
Put template references in common place
Template options and text come at the end of command-specific options:
opt_x, opt_trust, opt_r (in that order).
Refactor xchain options.
Do doc-nits after building generated sources.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10159)
Also tweak find-doc-nits while fixing a bug (don't need .in files)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10239)
Documenting the macros removes 14 undocumented items.
Merged three separate manpages into one.
Rename the DRBG CRYPTO_EX define into RAND_DRBG, but keep the old one
for API compatibility.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10216)
The added benefit is that the result becomes much simple, and easier to
digest for those that still rely on the pre-3.0 opensslv.h contents.
Fixes#10203
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10205)
The following new functions all do the same thing; they traverse
the set of names assigned to implementations of each algorithm type:
EVP_MD_names_do_all(), EVP_CIPHER_names_do_all(),
EVP_MAC_names_do_all(), EVP_KEYMGMT_names_do_all(),
EVP_KEYEXCH_names_do_all(), EVP_KDF_names_do_all(),
EVP_SIGNATURE_names_do_all()
We add a warning to the documentation of EVP_CIPHER_name() and
EVP_MD_name(), as they aren't suitable to use with multiple-name
implementation.
We also remove EVP_MAC_name() and evp_KDF_name(), as they serve no
useful purpose.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9979)
This adds the missing functions that should be common for all
fetchable EVP sub-APIs:
EVP_KEYMGMT_is_a(), EVP_KEYMGMT_do_all_provided(), EVP_KEYEXCH_is_a(),
EVP_KEYEXCH_do_all_provided(), EVP_KDF_is_a(), EVP_MD_is_a(),
EVP_SIGNATURE_do_all_provided(), EVP_SIGNATURE_is_a().
This also renames EVP_MD_do_all_ex(), EVP_CIPHER_do_all_ex(),
EVP_KDF_do_all_ex(), EVP_MAC_do_all_ex() to change '_ex'
to '_provided'.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9979)
This works as much as possible EVP_PKEY_CTX_new_id(), except it takes
data that's relevant for providers, algorithm name and property query
string instead of NID and engine.
Additionally, if EVP_PKEY_CTX_new() or EVP_PKEY_CTX_new_id() was
called, the algorithm name in the EVP_PKEY context will be set to the
short name of the given NID (explicit or the one of the given
EVP_PKEY), thereby giving an easier transition from legacy methods to
provided methods.
The intent is that operations will use this information to fetch
provider methods implicitly as needed.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10184)
CLA:trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9472)
Options moved: -rand, -writerand, -CApath, -CAfile, -no-CApath, -no-CAfile
Added rand to dgst and srp manpages (they were missing them).
New sections in openssl.pod: Random State Options, Trusted Certificate
Options.
Cleanup and add comments to find-doc-nits
Remove ".in" file support; unless giving specific arguments, this
only runs after configuration
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10118)
Add a new API to test for primes that can't be misused, deprecated the
old APIs.
Suggested by Jake Massimo and Kenneth Paterson
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #9272
OpenSSL uses some POD directives masquerading as 'comment'
('=for comment' etc). This is abusive and confusing. Instead, we use
our own keyword.
=for openssl whatever
=begin openssl
whatever
=end openssl
(we have never used the multiline form, but might start one day)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10048)
Extensive documentation added in HISTORY section in doc/man5/config.pod
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9578)
Use err() for find-doc-nits -e output
Doing this meant we could remove the -s flag, so we do so; move
option/help stuff to top of script.
Add a CHANGES entry.
Rename missing to other.syms
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10039)
Also patch find-doc-nits to ignore a Microsoft trademark and not
flag it as a spelling error.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10023)
The checks for our uses of 'B<' and 'I<' for options, and possibly
function names, was over-reaching quite a bit.
So we fine-tune it a bit:
- by only checking for options in man1 pages, and only in SYNOPSIS
and *OPTIONS sections.
- by only checking for function names in man3 pages.
The man1 option checker has the additional check that options found in
*OPTIONS are also found in SYNOPSIS andd vice versa.
In all cases, this also handles options and function names with
additional markup, such as 'B<-I<cipher>>' and 'B<sk_I<TYPE>_push>'.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10073)
Make find-doc-nits understand that
=for comment ifdef ssl3 ...
in a POD page means that the "-ssl3" flag might be ifdef'd out in the
local environment, and not to complain about it.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9974)
For documentation of all commands with "-flag arg" format them
consistently: "B<-flag> I<arg>", except when arg is literal
(for example "B<-inform> B<PEM>|B<DER>")
Update find-doc-nits to complain if badly formatted strings are found.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10022)
All instances of EVP_*_CTX_gettable_params functions have been renamed
to EVP_*_gettable_ctx_params. Except for the EVP_MD ones which were changed
already.
These functions do not take EVP_*_CTX arguments so their prior naming was
misleading.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10052)
This script contains all adjustments to header files which were made
during the reorganization of the header files. It is meant as an aid
for other contributors which encounter preprocessor #include errors
after rebasing over this pull request. Simply running
util/fix-includes
from the root of the source directory should hopefully fix the problem.
Note: such #include errors are expected only for pull requests which
add a lot of new code, in particular new compilation modules.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)
Make the include guards consistent by renaming them systematically according
to the naming conventions below
For the public header files (in the 'include/openssl' directory), the guard
names try to match the path specified in the include directives, with
all letters converted to upper case and '/' and '.' replaced by '_'. For the
private header files files, an extra 'OSSL_' is added as prefix.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)
Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712)
CMP and CRMF API is added to libcrypto, and the "cmp" app to the openssl CLI.
Adds extensive man pages and tests. Integration into build scripts.
Incremental pull request based on OpenSSL commit 8869ad4a39 of 2019-04-02
4th chunk: CMP context/parameters and utilities
in crypto/cmp/cmp_ctx.c, crypto/cmp/cmp_util.c, and related files
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9107)
Commit b6b66573 (PR #9679) renamed most POD files. This change causes
find-doc-nits to flag misnamed files.
Also fix the two misnamed files that it found.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10000)
EVP_MD_CTX_gettable_params() and EVP_MD_CTX_settable_params() were
confusingly named because they did not take an EVP_MD_CTX parameter.
In addition we add the functions EVP_MD_gettable_ctx_params() and
EVP_MD_settable_ctx_params() which do the same thing but are passed
an EVP_MD object instead.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9998)
Filter all output to a new &err() routine, which sets the global
exit status, $status.
Also, fix all subroutine definitions and references to be consistent:
no prototypes, no & before function calls.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/9733)
Actually, for transition, they're not really deprecated. Remove the
"1 ||" from the ifdef line (in include/openssl/err.h) when ready to
do this in production/"for real"
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9441)
