Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14710)

Add -client_renegotiation flag support.  The -client_renegotiation flag is
equivalent to SSL_OP_ALLOW_CLIENT_RENEGOTIATION. Add support to the app,
the config code, and the documentation.

Add SSL_OP_ALLOW_CLIENT_RENEGOTIATION to the SSL tests. We don't need to
always enable it, but there are so many tests so this is the easiest thing
to do.

Add a test where client tries to renegotiate and it fails as expected. Add
a test where server tries to renegotiate and it succeeds. The second test
is supported by a new flag, -immediate_renegotiation, which is ignored on
the client.
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NTomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15184)

Fixes #12283
Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NShane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15282)

Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15230)

This is a minimal version of pull request #15053 including all the
proposed improvements to the HTTP client API and its documentation
but only those code adaptations strictly needed for it.

The proposed new features include
* support for persistent connections (keep-alive),
* generalization to arbitrary request and response types, and
* support for streaming BIOs for request and response data.

The related API changes include:
* Split the monolithic OSSL_HTTP_transfer() into OSSL_HTTP_open(),
  OSSL_HTTP_set_request(), a lean OSSL_HTTP_transfer(), and OSSL_HTTP_close().
* Split the timeout functionality accordingly and improve default behavior.
* Extract part of OSSL_HTTP_REQ_CTX_new() to OSSL_HTTP_REQ_CTX_set_expected().
Reviewed-by: NTomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15147)

Add EVP_PKEY_gen(), EVP_PKEY_Q_gen(), EVP_RSA_gen(), and EVP_EC_gen().
Also export auxiliary function OSSL_EC_curve_nid2name()
and improve deprecation info on RSA and EC key generation/management functions.
Reviewed-by: NShane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14695)

Also add hints to SHA256_Init.pod and CHANGES.md how to replace SHA256() etc.
Reviewed-by: NPaul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14741)

This helps compensating for deprecated functions such as HMAC()
and reduces clutter in the crypto lib, apps, and tests.
Also fixes memory leaks in generate_cookie_callback() of apps/lib/s_cb.c.
and replaces 'B<...>' by 'I<...>' where appropriate in HMAC.pod

Partially fixes #14628.
Reviewed-by: NPaul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14664)

Fixes #13220
Reviewed-by: NTomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15168)

Reviewed-by: NTomas Mraz <tomas@openssl.org>

Reviewed-by: NTomas Mraz <tomas@openssl.org>

Reviewed-by: NPaul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15100)

This is done by making use of OCSP_REQ_CTX_nbio_d2i().
Reviewed-by: NTomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15131)

Previously we would set SSL_OP_LEGACY_SERVER_CONNECT by default in
SSL_CTX_new(), to allow connections to legacy servers that did not
implement RFC 5746.

It has been more than a decade since RFC 5746 was published, so
there has been plenty of time for implmentation support to roll out.

Change the default behavior to be to require peers to support
secure renegotiation.  Existing applications that already cleared
SSL_OP_LEGACY_SERVER_CONNECT will see no behavior change, as
re-clearing the flag is just a little bit of redundant work.
The old behavior is still available by explicitly setting the flag
in the application.

Also remove SSL_OP_LEGACY_SERVER_CONNECT from SSL_OP_ALL, for
similar reasons.

Document the behavior change in CHANGES.md, and update the
SSL_CTX_set_options() and SSL_CONF_cmd manuals to reflect the change
in default behavior.

Fixes: 14848
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15127)

Also add a negative test, and fix typo's.
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: NTomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15090)

It was a mistake to allow relative paths for include files (just
like root shouldn't have "." in its PATH), but we probably can't
change it now. Add a new pragma "abspath" that someone can put
in the system-wide config file to require absolute paths.

Also update the config documentation to better explain how file
inclusion works.
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: NTomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15090)

Reviewed-by: NTomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15103)

The EVP_PKEY_asn1_set_public and EVP_PKEY_meth_set_copy have
some API breaking constification changes in 3.0.

Fixes #9296
Reviewed-by: NPaul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15068)

Reviewed-by: NTomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14434)

Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NPaul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14434)

Reviewed-by: NTomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)

The replacement functions EVP_PKEY_eq() and EVP_PKEY_parameters_eq()
already exist.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14997)

Fix dh_rfc5114 option in genpkey.

Fixes #14145
Fixes #13956
Fixes #13952
Fixes #13871
Fixes #14054
Fixes #14444

Updated documentation for app to indicate what options are available for
DH and DHX keys.

DH and DHX now have different keymanager gen_set_params() methods.

Added CHANGES entry to indicate the breaking change.
Reviewed-by: NTomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14883)

Raja added support for FFDHE in TLS 1.3 in commits 9aaecbfc,
8e63900a, dfa1f547 in 2019, reflect this in the changelog.
Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14972)

Reviewed-by: NTomas Mraz <tomas@openssl.org>

Reviewed-by: NTomas Mraz <tomas@openssl.org>

We now use the MANSUFFIX "ossl" by default.

Fixes #14318
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NPaul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14847)

Providers do not distinguish between invalid and other errors via the return
code.

Fixes #14442
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14864)

These functions are deprecated with no replacement specified:

    DH_clear_flags, DH_get_1024_160, DH_get_2048_224, DH_get_2048_256,
    DH_set_flags, DH_test_flags, DSA_clear_flags, DSA_dup_DH,
    DSAparams_dup, DSA_set_flags, DSA_test_flags, RSA_blinding_off,
    RSA_blinding_on, RSA_clear_flags, RSA_get_version, RSAPrivateKey_dup,
    RSAPublicKey_dup, RSA_set_flags, RSA_setup_blinding and
    RSA_test_flags.

The flags that are going are:

    DH_FLAG_CACHE_MONT_P, DSA_FLAG_CACHE_MONT_P,
    RSA_FLAG_BLINDING, RSA_FLAG_CACHE_PRIVATE, RSA_FLAG_CACHE_PUBLIC,
    RSA_FLAG_EXT_PKEY, RSA_FLAG_NO_BLINDING, RSA_FLAG_THREAD_SAFE and
    RSA_METHOD_FLAG_NO_CHECK.

These two flags are "readable" via EVP_is_a().  They are not writable:

    DH_FLAG_TYPE_DHX and DH_FLAG_TYPE_DH.

Fixes #14616
Reviewed-by: NShane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14824)

OTC recently voted that EVP_PKEY types will be immutable in 3.0. This
means that EVP_PKEY_set_alias_type can no longer work and should be
removed entirely (applications will need to be rewritten not to use it).

It was primarily used for SM2 which no longer needs this call.
Applications should generate SM2 keys directly (without going via an EC
key first), or otherwise when loading keys they should automatically be
detected as SM2 keys.

Fixes #14379
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14803)

KTLS support has been changed to be off by default, and configuration is
via a single "option" rather two "modes". Documentation is updated
accordingly.
Reviewed-by: NTomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14799)

Reviewed-by: NTomas Mraz <tomas@openssl.org>

Reviewed-by: NTomas Mraz <tomas@openssl.org>

Improve the ossl_rsa_check_key() to prevent non-signature
operations with PSS keys.

Do not invoke the EVP_PKEY controls for CMS and PKCS#7 anymore
as they are not needed anymore and deprecate them.

Fixes #14276
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14760)

Fixes #14401

Note that this moves the public key check out of DH compute_key() since
key validation does not belong inside this primitive..
The check has been moved to the EVP_PKEY_derive_set_peer() function so that
it generally applies to all exchange operations.. Use EVP_PKEY_derive_set_peer_ex()
to disable this behaviour.
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NPaul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14717)

Reviewed-by: NTomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14630)

Reviewed-by: NTomas Mraz <tomas@openssl.org>

with AVX512_IFMA + AVX512_VL instructions, primarily for RSA CRT private key
operations. It uses 256-bit registers to avoid CPU frequency scaling issues.
The performance speedup for RSA2k signature on ICL is ~2x.
Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13750)

Also constify related CMS/PKCS7 functions and improve error codes thrown.
Reviewed-by: NTomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14503)