diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 815f7c61b5a657604eac69705bb5d1b84b1aa0db..c5643fbf5c2b6920be7b03e36f3ebf6213e2653b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -283,117 +283,6 @@ jobs: - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - enable_brotli_dynamic: - runs-on: ubuntu-latest - steps: - - name: install brotli - run: | - sudo apt-get update - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install brotli libbrotli1 libbrotli-dev - - name: checkout openssl - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config enable-comp enable-brotli enable-brotli-dynamic && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - - enable_zstd_dynamic: - runs-on: ubuntu-latest - steps: - - name: install zstd - run: | - sudo apt-get update - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install zstd libzstd1 libzstd-dev - - name: checkout openssl - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config enable-comp enable-zstd enable-zstd-dynamic && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - - enable_brotli_and_zstd_dynamic: - runs-on: ubuntu-latest - steps: - - name: install brotli and zstd - run: | - sudo apt-get update - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install brotli libbrotli1 libbrotli-dev - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install zstd libzstd1 libzstd-dev - - name: checkout openssl - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: 
./config enable-comp enable-brotli enable-brotli-dynamic enable-zstd enable-zstd-dynamic && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - - enable_brotli_and_asan_ubsan: - runs-on: ubuntu-latest - steps: - - name: install brotli - run: | - sudo apt-get update - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install brotli libbrotli1 libbrotli-dev - - name: checkout openssl - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config --banner=Configured --debug enable-asan enable-ubsan enable-comp enable-brotli -DPEDANTIC && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 - - enable_zstd_and_asan_ubsan: - runs-on: ubuntu-latest - steps: - - name: install zstd - run: | - sudo apt-get update - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install zstd libzstd1 libzstd-dev - - name: checkout openssl - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config --banner=Configured --debug enable-asan enable-ubsan enable-comp enable-zstd -DPEDANTIC && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 - no-legacy: runs-on: ubuntu-latest steps: 
@@ -428,41 +317,6 @@ jobs: - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - enable-tfo: - strategy: - matrix: - os: [ ubuntu-latest, macos-latest ] - runs-on: ${{matrix.os}} - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: CC=gcc ./config --banner=Configured enable-tfo --strict-warnings && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - - buildtest: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: config - run: ./config --banner=Configured no-asm no-makedepend enable-buildtest-c++ enable-fips --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump - - name: make - run: make -s -j4 - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - out-of-source-and-install: strategy: matrix: diff --git a/.github/workflows/fips-label.yml b/.github/workflows/fips-label.yml index bdc42e496d7f2e9b3246b9f1d7b54a6f7cd513c5..eed1d27cd79073794828addeb1622be172e27364 100644 --- a/.github/workflows/fips-label.yml +++ b/.github/workflows/fips-label.yml @@ -25,7 +25,7 @@ jobs: steps: - name: 'Download artifact' if: ${{ github.event.workflow_run.conclusion == 'success' }} - uses: actions/github-script@v6 + uses: actions/github-script@v7 with: script: | var artifacts = await github.rest.actions.listWorkflowRunArtifacts({ 
@@ -48,7 +48,7 @@ jobs: if: ${{ github.event.workflow_run.conclusion == 'success' }} - name: 'Check artifact and apply' if: ${{ github.event.workflow_run.conclusion == 'success' }} - uses: actions/github-script@v6 + uses: actions/github-script@v7 with: github-token: ${{secrets.GITHUB_TOKEN}} script: | diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml index 2b7ca84d86e7694506608c5250e2672cd4d3a6eb..2ef91e802965ad25a69298075db01d1fe67e77c2 100644 --- a/.github/workflows/run-checker-ci.yml +++ b/.github/workflows/run-checker-ci.yml @@ -23,12 +23,12 @@ jobs: no-dh, no-dtls, no-ec, - no-ec2m, no-ecx, no-http, no-legacy, no-sock, enable-ssl-trace, + no-stdio, no-threads, no-thread-pool, no-default-thread-pool, @@ -53,6 +53,6 @@ jobs: - name: get cpu info run: | cat /proc/cpuinfo - ./util/opensslwrap.sh version -c + if [ -x apps/openssl ] ; then ./util/opensslwrap.sh version -c ; fi - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/.github/workflows/run-checker-daily-sctp.yml b/.github/workflows/run-checker-daily-sctp.yml deleted file mode 100644 index ba9a5178f02f1fe9bdcc6cc03e2559d463c0c490..0000000000000000000000000000000000000000 --- a/.github/workflows/run-checker-daily-sctp.yml +++ /dev/null 
@@ -1,53 +0,0 @@ -# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -name: Run-checker CI daily sctp -on: - schedule: - - cron: '0 6 * * *' -permissions: - contents: read - -jobs: - run-checker: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: checkout fuzz/corpora submodule - run: git submodule update --init --depth 1 fuzz/corpora - - name: Install Dependencies for sctp option - run: | - sudo apt-get update - sudo apt-get -yq install lksctp-tools libsctp-dev - - - name: Check SCTP and enable auth - id: sctp_auth - continue-on-error: true - run: | - checksctp - sudo sysctl -w net.sctp.auth_enable=1 - - - name: config - if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' - run: CC=clang ./config --banner=Configured --strict-warnings enable-sctp - - - name: config dump - if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' - run: ./configdata.pm --dump - - - name: make - if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' - run: make -s -j4 - - - name: get cpu info - run: | - cat /proc/cpuinfo - ./util/opensslwrap.sh version -c - - - name: make test - if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml index 0dbbac285f17c68a8f34d9d8b2d98ea37ae9c846..157746f39ff57d910167633e010beccee66e725b 100644 --- a/.github/workflows/run-checker-daily.yml +++ b/.github/workflows/run-checker-daily.yml 
@@ -112,7 +112,6 @@ jobs: no-ssl3-method, no-ssl-trace, no-static-engine no-shared, - no-stdio, no-tests, enable-tfo, no-tls1, 
@@ -150,3 +149,188 @@ jobs: if [ -x apps/openssl ] ; then ./util/opensslwrap.sh version -c ; fi - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + + run-checker-sctp: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: checkout fuzz/corpora submodule + run: git submodule update --init --depth 1 fuzz/corpora + - name: Install Dependencies for sctp option + run: | + sudo apt-get update + sudo apt-get -yq install lksctp-tools libsctp-dev + + - name: Check SCTP and enable auth + id: sctp_auth + continue-on-error: true + run: | + checksctp + sudo sysctl -w net.sctp.auth_enable=1 + + - name: config + if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' + run: CC=clang ./config --banner=Configured --strict-warnings enable-sctp + + - name: config dump + if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' + run: ./configdata.pm --dump + + - name: make + if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' + run: make -s -j4 + + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + + - name: make test + if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + + enable_brotli_dynamic: + runs-on: ubuntu-latest + steps: + - name: install brotli + run: | + sudo apt-get update + sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install brotli libbrotli1 libbrotli-dev + - name: checkout openssl + uses: actions/checkout@v4 + - name: checkout fuzz/corpora submodule + run: git submodule update --init --depth 1 fuzz/corpora + - name: config + run: ./config enable-comp enable-brotli enable-brotli-dynamic && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + + 
enable_zstd_dynamic: + runs-on: ubuntu-latest + steps: + - name: install zstd + run: | + sudo apt-get update + sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install zstd libzstd1 libzstd-dev + - name: checkout openssl + uses: actions/checkout@v4 + - name: checkout fuzz/corpora submodule + run: git submodule update --init --depth 1 fuzz/corpora + - name: config + run: ./config enable-comp enable-zstd enable-zstd-dynamic && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + + enable_brotli_and_zstd_dynamic: + runs-on: ubuntu-latest + steps: + - name: install brotli and zstd + run: | + sudo apt-get update + sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install brotli libbrotli1 libbrotli-dev + sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install zstd libzstd1 libzstd-dev + - name: checkout openssl + uses: actions/checkout@v4 + - name: checkout fuzz/corpora submodule + run: git submodule update --init --depth 1 fuzz/corpora + - name: config + run: ./config enable-comp enable-brotli enable-brotli-dynamic enable-zstd enable-zstd-dynamic && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + + enable_brotli_and_asan_ubsan: + runs-on: ubuntu-latest + steps: + - name: install brotli + run: | + sudo apt-get update + sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install brotli libbrotli1 libbrotli-dev + - name: checkout openssl + uses: actions/checkout@v4 + - name: checkout fuzz/corpora submodule + run: git submodule update --init --depth 1 fuzz/corpora + - name: config + run: ./config --banner=Configured --debug enable-asan 
enable-ubsan enable-comp enable-brotli -DPEDANTIC && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 + + enable_zstd_and_asan_ubsan: + runs-on: ubuntu-latest + steps: + - name: install zstd + run: | + sudo apt-get update + sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install zstd libzstd1 libzstd-dev + - name: checkout openssl + uses: actions/checkout@v4 + - name: checkout fuzz/corpora submodule + run: git submodule update --init --depth 1 fuzz/corpora + - name: config + run: ./config --banner=Configured --debug enable-asan enable-ubsan enable-comp enable-zstd -DPEDANTIC && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 + + enable_tfo: + strategy: + matrix: + os: [ ubuntu-latest, macos-latest ] + runs-on: ${{matrix.os}} + steps: + - uses: actions/checkout@v4 + - name: checkout fuzz/corpora submodule + run: git submodule update --init --depth 1 fuzz/corpora + - name: config + run: CC=gcc ./config --banner=Configured enable-tfo --strict-warnings && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: get cpu info + run: ./util/opensslwrap.sh version -c + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + + enable_buildtest: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: checkout fuzz/corpora submodule + run: git submodule update --init --depth 1 fuzz/corpora + - name: config + run: ./config --banner=Configured no-asm no-makedepend enable-buildtest-c++ enable-fips --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: get cpu info + run: | + 
cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml index 461f16527d557a0d08411986abc09fbdde44deb0..c5958a5b99796c2ab6a34ab7c99999e16a88e97f 100644 --- a/.github/workflows/run-checker-merge.yml +++ b/.github/workflows/run-checker-merge.yml @@ -22,6 +22,7 @@ jobs: no-ct, no-dso, no-dynamic-engine, + no-ec2m, no-engine no-shared, no-err, no-filenames, @@ -49,6 +50,6 @@ jobs: - name: get cpu info run: | cat /proc/cpuinfo - ./util/opensslwrap.sh version -c + if [ -x apps/openssl ] ; then ./util/opensslwrap.sh version -c ; fi - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/Configurations/50-nonstop.conf b/Configurations/50-nonstop.conf index 53081576cc68c0ac8547cd22b3d0c6aa204ce8b4..827a13b4eec20947c097135f19534808d0592eb6 100644 --- a/Configurations/50-nonstop.conf +++ b/Configurations/50-nonstop.conf @@ -172,8 +172,10 @@ }, 'nonstop-model-spt' => { template => 1, + cflags => add('-Wnowarn=140'), defines => ['_SPT_MODEL_', - '_REENTRANT', '_ENABLE_FLOSS_THREADS'], + 'SPT_THREAD_AWARE_NONBLOCK', + '_REENTRANT'], ex_libs => '-lspt', }, @@ -182,7 +184,7 @@ # disable threads. 'nonstop-model-floss' => { template => 1, - defines => ['OPENSSL_TANDEM_FLOSS'], + defines => ['OPENSSL_TANDEM_FLOSS', '_ENABLE_FLOSS_THREADS'], includes => ['/usr/local/include'], ex_libs => '-lfloss', }, diff --git a/Configure b/Configure index d7f5ef8ce3316b616c1ee2c9e68ec947e4ff1edf..cbba1749b5a326211d15510ba0f03cb0c7cba332 100755 --- a/Configure +++ b/Configure @@ -980,8 +980,6 @@ while (@argvcopy) if (/^--prefix=(.*)$/) { $config{prefix}=$1; - die "Directory given with --prefix MUST be absolute\n" - unless file_name_is_absolute($config{prefix}); } elsif (/^--api=(.*)$/) { 
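Review bot: The five compression jobs added to run-checker-daily.yml (`enable_brotli_dynamic` through `enable_zstd_and_asan_ubsan`) install packages with `apt-get ... --force-yes`, which apt documents as deprecated and which lets an install continue past unauthenticated packages. `-yq` already answers the prompts, so the flag can simply be dropped, e.g. `sudo apt-get -yq --no-install-suggests --no-install-recommends install brotli libbrotli1 libbrotli-dev`. Separately, the `get cpu info` step of `run-checker-sctp` has no `if:` and calls `./util/opensslwrap.sh version -c` unconditionally, so when `sctp_auth` fails and config/make are skipped this step would presumably fail the job. The other workflows touched by this commit guard that call with `if [ -x apps/openssl ] ; then ./util/opensslwrap.sh version -c ; fi`, and the same guard fits here.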
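Review bot: `cflags => add('-Wnowarn=140')` in `nonstop-model-spt` silences a compiler diagnostic for every file built with this model, and nothing in the hunk says which diagnostic 140 is or why hiding it is safe. A one-line comment above the entry naming the warning and the construct that triggers it would let a later maintainer judge whether the suppression can be narrowed or removed. The same entry replaces `_ENABLE_FLOSS_THREADS` with `SPT_THREAD_AWARE_NONBLOCK` without explanation; a short why-comment would help there too.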
@@ -1440,6 +1438,11 @@ foreach (keys %useradd) { # At this point, we can forget everything about %user and %useradd, # because it's now all been merged into the corresponding $config entry +if ($config{prefix} && !$config{CROSS_COMPILE}) { + die "Directory given with --prefix MUST be absolute\n" + unless file_name_is_absolute($config{prefix}); +} + if (grep { $_ =~ /(?:^|\s)-static(?:\s|$)/ } @{$config{LDFLAGS}}) { disable('static', 'pic', 'threads'); } diff --git a/README.md b/README.md index aa1a233ab112c540576deb95304e1641785703fd..c3dac35096616694571e74075d0a7456812bbf2e 100644 --- a/README.md +++ b/README.md @@ -154,6 +154,7 @@ available online. - [OpenSSL master](https://www.openssl.org/docs/manmaster) - [OpenSSL 3.0](https://www.openssl.org/docs/man3.0) - [OpenSSL 3.1](https://www.openssl.org/docs/man3.1) +- [OpenSSL 3.2](https://www.openssl.org/docs/man3.2) Demos ----- diff --git a/crypto/bio/bio_sock.c b/crypto/bio/bio_sock.c index 7aa7bdc65ee90d579655a6c9fa9c6e20994b1806..9f2ae7306369d71cb8df4a4cc7a8dd9e90953165 100644 --- a/crypto/bio/bio_sock.c +++ b/crypto/bio/bio_sock.c @@ -354,7 +354,7 @@ int BIO_socket_nbio(int s, int mode) int l; l = mode; -# ifdef FIONBIO +# if defined(FIONBIO) && !defined(OPENSSL_SYS_TANDEM) l = mode; ret = BIO_socket_ioctl(s, FIONBIO, &l); diff --git a/demos/cms/Makefile b/demos/cms/Makefile new file mode 100644 index 0000000000000000000000000000000000000000..7c8f30d63207a3f89a82755918eb72633c964f5b --- /dev/null +++ b/demos/cms/Makefile 
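Review bot: The relocated check `if ($config{prefix} && !$config{CROSS_COMPILE})` skips prefix validation entirely for cross builds, so a relative `--prefix` is now accepted silently in that case. If the prefix is later baked into default directory paths (that code is outside this hunk), a relative value would make those lookups depend on the process's working directory, which is worth confirming. A comment stating why cross builds are exempt would document the trade-off, for example `# Cross builds may pass a target-style path that host path rules cannot judge`.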
@@ -0,0 +1,35 @@ +# +# To run the demos when linked with a shared library (default) ensure that +# libcrypto is on the library path. For example, to run the +# cms_enc demo: +# +# LD_LIBRARY_PATH=../.. ./cms_enc + +TESTS = cms_comp \ + cms_ddec \ + cms_dec \ + cms_denc \ + cms_enc \ + cms_sign \ + cms_sign2 \ + cms_uncomp \ + cms_ver + +CFLAGS = -I../../include -g +LDFLAGS = -L../.. +LDLIBS = -lcrypto + +all: $(TESTS) + +clean: + $(RM) $(TESTS) *.o + +cms_%: cms_%.c + $(CC) $(CFLAGS) $(LDFLAGS) -o "$@" "$<" $(LDLIBS) + +test: all + @echo "\nCMS tests:" + LD_LIBRARY_PATH=../.. ./cms_enc + LD_LIBRARY_PATH=../.. ./cms_dec + LD_LIBRARY_PATH=../.. ./cms_sign2 + LD_LIBRARY_PATH=../.. ./cms_ver diff --git a/demos/cms/cms_dec.c b/demos/cms/cms_dec.c index ebc34a5f94cbba169ed6b67d9e503122961b9475..f64a68ab42bc8100a1ef3ef9bdf1165dc7f19ba6 100644 --- a/demos/cms/cms_dec.c +++ b/demos/cms/cms_dec.c @@ -59,6 +59,8 @@ int main(int argc, char **argv) if (!CMS_decrypt(cms, rkey, rcert, NULL, out, 0)) goto err; + printf("Decryption Successful\n"); + ret = EXIT_SUCCESS; err: diff --git a/demos/cms/cms_enc.c b/demos/cms/cms_enc.c index a0af2c47742a5e2efd6390238067f5358495afbc..1f69571a17fc5e00a01f371807fc1d5020a59537 100644 --- a/demos/cms/cms_enc.c +++ b/demos/cms/cms_enc.c @@ -73,6 +73,8 @@ int main(int argc, char **argv) if (!SMIME_write_CMS(out, cms, in, flags)) goto err; + printf("Encryption Successful\n"); + ret = EXIT_SUCCESS; err: if (ret != EXIT_SUCCESS) { diff --git a/demos/cms/cms_sign2.c b/demos/cms/cms_sign2.c index b10043f92137ffe15c06163ccf341e34d6fe99fb..61d9f8bbe83ed83bad60aac582766b3a8c5ef045 100644 --- a/demos/cms/cms_sign2.c +++ b/demos/cms/cms_sign2.c @@ -77,6 +77,8 @@ int main(int argc, char **argv) if (!SMIME_write_CMS(out, cms, in, CMS_STREAM)) goto err; + printf("Signing Successful\n"); + ret = EXIT_SUCCESS; err: if (ret != EXIT_SUCCESS) { 
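Review bot: `all`, `clean` and `test` are not declared phony, so a file named `test` or `all` in `demos/cms` would stop the target from running; add `.PHONY: all clean test`. `@echo "\nCMS tests:"` depends on the shell's `echo` interpreting `\n`, which differs between shells, whereas `@printf '\nCMS tests:\n'` is portable. The `test` target runs only four of the nine demos that `all` builds, which deserves a comment if it is deliberate.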
diff --git a/demos/cms/cms_ver.c b/demos/cms/cms_ver.c index f7d3a9bc854318c95bb634c6ac18e0113286bf0a..43e9d0985408dfde81eb9f7852f7465185ae7237 100644 --- a/demos/cms/cms_ver.c +++ b/demos/cms/cms_ver.c @@ -12,6 +12,49 @@ #include #include +/* + * print any signingTime attributes. + * signingTime is when each party purportedly signed the message. + */ +static void print_signingTime(CMS_ContentInfo *cms) +{ + STACK_OF(CMS_SignerInfo) *sis; + CMS_SignerInfo *si; + X509_ATTRIBUTE *attr; + ASN1_TYPE *t; + ASN1_UTCTIME *utctime; + ASN1_GENERALIZEDTIME *gtime; + BIO *b; + int i, loc; + + b = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT); + sis = CMS_get0_SignerInfos(cms); + for (i = 0; i < sk_CMS_SignerInfo_num(sis); i++) { + si = sk_CMS_SignerInfo_value(sis, i); + loc = CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1); + attr = CMS_signed_get_attr(si, loc); + t = X509_ATTRIBUTE_get0_type(attr, 0); + if (t == NULL) + continue; + switch (t->type) { + case V_ASN1_UTCTIME: + utctime = t->value.utctime; + ASN1_UTCTIME_print(b, utctime); + break; + case V_ASN1_GENERALIZEDTIME: + gtime = t->value.generalizedtime; + ASN1_GENERALIZEDTIME_print(b, gtime); + break; + default: + fprintf(stderr, "unrecognized signingTime type\n"); + break; + } + BIO_printf(b, ": signingTime from SignerInfo %i\n", i); + } + BIO_free(b); + return; +} + int main(int argc, char **argv) { BIO *in = NULL, *out = NULL, *tbio = NULL, *cont = NULL; @@ -56,6 +99,8 @@ int main(int argc, char **argv) if (cms == NULL) goto err; + print_signingTime(cms); + /* File to output verified content to */ out = BIO_new_file("smver.txt", "w"); if (out == NULL) @@ -66,9 +111,10 @@ int main(int argc, char **argv) goto err; } - fprintf(stderr, "Verification Successful\n"); + printf("Verification Successful\n"); ret = EXIT_SUCCESS; + err: if (ret != EXIT_SUCCESS) { fprintf(stderr, "Error Verifying Data\n"); 
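Review bot: `print_signingTime()` uses the result of `BIO_new_fp()` without a NULL check, and it passes `loc` straight to `CMS_signed_get_attr()` even when `CMS_signed_get_attr_by_NID()` found no signingTime attribute, relying on the later `t == NULL` test to catch the missing attribute. Making both cases explicit with `if (b == NULL) return;` after the allocation and `if (loc < 0) continue;` after the lookup keeps the demo safe to copy. The second hunk places `print_signingTime(cms)` before the output file is opened and, as far as the hunks show, before verification, so the time is printed from a message that has not been verified yet. Either move the call after verification succeeds or say so in the comment, e.g. `/* Printed before verification: unauthenticated, signer-supplied data. */`.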
diff --git a/doc/man7/EVP_MD-BLAKE2.pod b/doc/man7/EVP_MD-BLAKE2.pod index ba0658206ce022e5a3c0f2da88b24d3cbd497bc9..a490ed8ec04e7abff59c82ab4d34e145a9081e69 100644 --- a/doc/man7/EVP_MD-BLAKE2.pod +++ b/doc/man7/EVP_MD-BLAKE2.pod @@ -32,16 +32,20 @@ in L. =head2 Settable Context Parameters -The BLAKE2B-512 implementation supports the following L entries, -settable for an B with L: +The BLAKE2B-512 implementation supports the following L entries +which are settable for an B with L or +L: =over 4 =item "size" (B) Sets a different digest length for the L output. -The value of the "size" parameter should not exceed 255 and it must be set -during the L call. +The value of the "size" parameter must not exceed the default digest length +(64 for BLAKE2B-512). The parameter must be set with the +L call to have an immediate effect. When set with +L it will have an effect only if the B +context is reinitialized. =back @@ -49,6 +53,12 @@ during the L call. L, L +=head1 HISTORY + +This functionality was added in OpenSSL 3.0. + +The variable size support was added in OpenSSL 3.2 for BLAKE2B-512. + =head1 COPYRIGHT Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/internal/quic_fc.h b/include/internal/quic_fc.h index 7a8273d54288f03215e2e51596a1d7aa668a76e1..49b448a3a489e72da0b4128529e10d7e98e0841a 100644 --- a/include/internal/quic_fc.h +++ b/include/internal/quic_fc.h 
@@ -61,16 +61,18 @@ int ossl_quic_txfc_bump_cwm(QUIC_TXFC *txfc, uint64_t cwm); * * If called on a stream-level TXFC, ossl_quic_txfc_get_credit is called on * the connection-level TXFC as well, and the lesser of the two values is - * returned. + * returned. The consumed value is the amount already consumed on the connection + * level TXFC. */ -uint64_t ossl_quic_txfc_get_credit(QUIC_TXFC *txfc); +uint64_t ossl_quic_txfc_get_credit(QUIC_TXFC *txfc, uint64_t consumed); /* * Like ossl_quic_txfc_get_credit(), but when called on a stream-level TXFC, * retrieves only the stream-level credit value and does not clamp it based on - * connection-level flow control. + * connection-level flow control. Any credit value is reduced by the consumed + * amount. */ -uint64_t ossl_quic_txfc_get_credit_local(QUIC_TXFC *txfc); +uint64_t ossl_quic_txfc_get_credit_local(QUIC_TXFC *txfc, uint64_t consumed); /* * Consume num_bytes of credit. This is the 'On TX' operation. This should be diff --git a/providers/implementations/digests/blake2b_prov.c b/providers/implementations/digests/blake2b_prov.c index ee61de8a72b501ac9c9a54e124c0358509a15cca..1917990c446a67bea313dc921b4feec0b8cdb629 100644 --- a/providers/implementations/digests/blake2b_prov.c +++ b/providers/implementations/digests/blake2b_prov.c @@ -82,7 +82,7 @@ int ossl_blake2b_set_ctx_params(void *vctx, const OSSL_PARAM params[]) ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); return 0; } - if (size < 1 || size > UINT8_MAX) { + if (size < 1 || size > BLAKE2B_OUTBYTES) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_SIZE); return 0; } diff --git a/ssl/quic/quic_fc.c b/ssl/quic/quic_fc.c index 1a9c5890f80a985c81dafbb6f0206d1db29e97b1..750e896306f7e9d123c00f12652ae019342cebe0 100644 --- a/ssl/quic/quic_fc.c +++ b/ssl/quic/quic_fc.c 
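Review bot: The updated comment on `ossl_quic_txfc_get_credit()` does not say what happens to `consumed` when the function is called on a connection-level TXFC. In the quic_fc.c hunk of this commit the local credit is computed with `ossl_quic_txfc_get_credit_local(txfc, 0)` and `consumed` is applied only to `txfc->parent`, so the argument is ignored when there is no parent. A sentence such as `consumed is applied to the connection-level TXFC only and is ignored when txfc is itself connection-level.` would make that visible to callers. Both comments should also state the precondition that `consumed` must not exceed the available credit, since the implementation only asserts it.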
@@ -46,21 +46,21 @@ int ossl_quic_txfc_bump_cwm(QUIC_TXFC *txfc, uint64_t cwm) return 1; } -uint64_t ossl_quic_txfc_get_credit_local(QUIC_TXFC *txfc) +uint64_t ossl_quic_txfc_get_credit_local(QUIC_TXFC *txfc, uint64_t consumed) { - assert(txfc->swm <= txfc->cwm); - return txfc->cwm - txfc->swm; + assert((txfc->swm + consumed) <= txfc->cwm); + return txfc->cwm - (consumed + txfc->swm); } -uint64_t ossl_quic_txfc_get_credit(QUIC_TXFC *txfc) +uint64_t ossl_quic_txfc_get_credit(QUIC_TXFC *txfc, uint64_t consumed) { uint64_t r, conn_r; - r = ossl_quic_txfc_get_credit_local(txfc); + r = ossl_quic_txfc_get_credit_local(txfc, 0); if (txfc->parent != NULL) { assert(txfc->parent->parent == NULL); - conn_r = ossl_quic_txfc_get_credit_local(txfc->parent); + conn_r = ossl_quic_txfc_get_credit_local(txfc->parent, consumed); if (conn_r < r) r = conn_r; } @@ -71,7 +71,7 @@ uint64_t ossl_quic_txfc_get_credit(QUIC_TXFC *txfc) int ossl_quic_txfc_consume_credit_local(QUIC_TXFC *txfc, uint64_t num_bytes) { int ok = 1; - uint64_t credit = ossl_quic_txfc_get_credit_local(txfc); + uint64_t credit = ossl_quic_txfc_get_credit_local(txfc, 0); if (num_bytes > credit) { ok = 0; diff --git a/ssl/quic/quic_record_tx.c b/ssl/quic/quic_record_tx.c index 4f86c68e1773b558dd5ce4eb4d8c4ee0e76f4fd8..c01abed0d66a4d42d60f6bcb533a610185b43a1e 100644 --- a/ssl/quic/quic_record_tx.c +++ b/ssl/quic/quic_record_tx.c @@ -422,7 +422,7 @@ int ossl_qtx_calculate_plaintext_payload_len(OSSL_QTX *qtx, uint32_t enc_level, tag_len = ossl_qrl_get_suite_cipher_tag_len(el->suite_id); - if (ciphertext_len < tag_len) { + if (ciphertext_len <= tag_len) { *plaintext_len = 0; return 0; } diff --git a/ssl/quic/quic_stream_map.c b/ssl/quic/quic_stream_map.c index 0f41b03da58d61d2ad44ade4aa99ccee5c245107..f8278c9913239c537863e6b06b42e4081b5cd515 100644 --- a/ssl/quic/quic_stream_map.c +++ b/ssl/quic/quic_stream_map.c 
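Review bot: In `ossl_quic_txfc_get_credit_local()` the only protection against `consumed` exceeding the remaining credit is `assert((txfc->swm + consumed) <= txfc->cwm)`. In a build where assertions are compiled out, `txfc->cwm - (consumed + txfc->swm)` wraps to a very large `uint64_t`, and the caller would see almost unlimited flow-control credit; the sum `txfc->swm + consumed` can also wrap before the comparison. A saturating form keeps the assert for debugging but fails closed: `uint64_t avail = txfc->cwm - txfc->swm;` followed by `return consumed > avail ? 0 : avail - consumed;`. Whether assertions are active in release builds of this file is not visible from the hunk.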
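Review bot: The boundary change to `if (ciphertext_len <= tag_len)` in `ossl_qtx_calculate_plaintext_payload_len()` means a ciphertext exactly as long as the tag is now rejected, but nothing in the hunk records why an empty plaintext is invalid. A short comment above the test, such as `/* Need room for the tag and at least one byte of plaintext. */`, would keep the `<=` from being changed back to `<` later. The function's header comment lies outside the hunk and may need the same sentence.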
@@ -269,7 +269,7 @@ static int stream_has_data_to_send(QUIC_STREAM *s) &num_iov)) return 0; - fc_credit = ossl_quic_txfc_get_credit(&s->txfc); + fc_credit = ossl_quic_txfc_get_credit(&s->txfc, 0); fc_swm = ossl_quic_txfc_get_swm(&s->txfc); fc_limit = fc_swm + fc_credit; diff --git a/ssl/quic/quic_txp.c b/ssl/quic/quic_txp.c index 5500c9b3f60fcac8768e3c4167ea0e9d5e5a242e..f26f1e81a1bf6e2d3b5023a2fc1284878fb8d3a1 100644 --- a/ssl/quic/quic_txp.c +++ b/ssl/quic/quic_txp.c @@ -2111,7 +2111,8 @@ static int txp_plan_stream_chunk(OSSL_QUIC_TX_PACKETISER *txp, QUIC_SSTREAM *sstream, QUIC_TXFC *stream_txfc, size_t skip, - struct chunk_info *chunk) + struct chunk_info *chunk, + uint64_t consumed) { uint64_t fc_credit, fc_swm, fc_limit; @@ -2130,7 +2131,7 @@ static int txp_plan_stream_chunk(OSSL_QUIC_TX_PACKETISER *txp, chunk->orig_len = chunk->shdr.len; /* Clamp according to connection and stream-level TXFC. */ - fc_credit = ossl_quic_txfc_get_credit(stream_txfc); + fc_credit = ossl_quic_txfc_get_credit(stream_txfc, consumed); fc_swm = ossl_quic_txfc_get_swm(stream_txfc); fc_limit = fc_swm + fc_credit; @@ -2166,7 +2167,8 @@ static int txp_generate_stream_frames(OSSL_QUIC_TX_PACKETISER *txp, QUIC_STREAM *next_stream, int *have_ack_eliciting, int *packet_full, - uint64_t *new_credit_consumed) + uint64_t *new_credit_consumed, + uint64_t conn_consumed) { int rc = 0; struct chunk_info chunks[2] = {0}; @@ -2194,7 +2196,8 @@ static int txp_generate_stream_frames(OSSL_QUIC_TX_PACKETISER *txp, * determining when we can use an implicit length in a STREAM frame. */ for (i = 0; i < 2; ++i) { - if (!txp_plan_stream_chunk(txp, h, sstream, stream_txfc, i, &chunks[i])) + if (!txp_plan_stream_chunk(txp, h, sstream, stream_txfc, i, &chunks[i], + conn_consumed)) goto err; if (i == 0 && !chunks[i].valid) { 
@@ -2232,7 +2235,7 @@ static int txp_generate_stream_frames(OSSL_QUIC_TX_PACKETISER *txp, if (i > 0) /* Load next chunk for lookahead. */ if (!txp_plan_stream_chunk(txp, h, sstream, stream_txfc, i + 1, - &chunks[(i + 1) % 2])) + &chunks[(i + 1) % 2], conn_consumed)) goto err; /* @@ -2382,6 +2385,7 @@ static int txp_generate_stream_related(OSSL_QUIC_TX_PACKETISER *txp, uint64_t cwm; QUIC_STREAM *stream, *snext; struct tx_helper *h = &pkt->h; + uint64_t conn_consumed = 0; for (ossl_quic_stream_iter_init(&it, txp->args.qsm, 1); it.stream != NULL;) { @@ -2517,11 +2521,13 @@ static int txp_generate_stream_related(OSSL_QUIC_TX_PACKETISER *txp, snext, have_ack_eliciting, &packet_full, - &stream->txp_txfc_new_credit_consumed)) { + &stream->txp_txfc_new_credit_consumed, + conn_consumed)) { /* Fatal error (allocation, etc.) */ txp_enlink_tmp(tmp_head, stream); return 0; } + conn_consumed += stream->txp_txfc_new_credit_consumed; if (packet_full) { txp_enlink_tmp(tmp_head, stream); diff --git a/test/quic_fc_test.c b/test/quic_fc_test.c index e624d81b7344c1614f092d9c49f4749f05688cbc..6b2de7fdff2d7389435f6b8524de7da70f7eadd5 100644 --- a/test/quic_fc_test.c +++ b/test/quic_fc_test.c 
@@ -37,23 +37,30 @@ static int test_txfc(int is_stream) if (!TEST_uint64_t_eq(ossl_quic_txfc_get_cwm(txfc), 2000)) goto err; - if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc), 2000)) + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc, 0), 2000)) goto err; - if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc), - 2000)) + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc, 100), 1900)) goto err; + if (is_stream) { + if ( !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc, 0), 2000)) + goto err; + + if ( !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc, 100), 1900)) + goto err; + } + if (!TEST_false(ossl_quic_txfc_has_become_blocked(txfc, 0))) goto err; if (!TEST_true(ossl_quic_txfc_consume_credit(txfc, 500))) goto err; - if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc), 1500)) + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc, 0), 1500)) goto err; - if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc), + if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc, 0), 1500)) goto err; @@ -69,10 +76,10 @@ static int test_txfc(int is_stream) if (!TEST_uint64_t_eq(ossl_quic_txfc_get_swm(txfc), 600)) goto err; - if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc), 1400)) + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc, 0), 1400)) goto err; - if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc), + if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc, 0), 1400)) goto err; @@ -82,10 +89,10 @@ static int test_txfc(int is_stream) if (!TEST_true(ossl_quic_txfc_consume_credit(txfc, 1400))) goto err; - if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc), 0)) + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc, 0), 0)) goto err; - if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc), + if (is_stream && !TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc, 0), 0)) goto err; 
@@ -131,20 +138,23 @@ static int test_txfc(int is_stream) if (!TEST_uint64_t_eq(ossl_quic_txfc_get_swm(txfc), 2000)) goto err; - if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc), 500)) + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit_local(txfc, 0), 500)) goto err; if (is_stream) ossl_quic_txfc_has_become_blocked(parent_txfc, 1); if (is_stream) { + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc, 400), 0)) + goto err; + if (!TEST_true(ossl_quic_txfc_consume_credit(txfc, 399))) goto err; if (!TEST_false(ossl_quic_txfc_has_become_blocked(txfc, 0))) goto err; - if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc), 1)) + if (!TEST_uint64_t_eq(ossl_quic_txfc_get_credit(txfc, 0), 1)) goto err; if (!TEST_true(ossl_quic_txfc_consume_credit(txfc, 1))) diff --git a/test/recipes/30-test_evp_data/evpmd_blake.txt b/test/recipes/30-test_evp_data/evpmd_blake.txt index 474e659142981bae07ca455e3cdc03671ed11766..5fdb574d450b5a754707be8fd29ba6ac9296773f 100644 --- a/test/recipes/30-test_evp_data/evpmd_blake.txt +++ b/test/recipes/30-test_evp_data/evpmd_blake.txt @@ -99,3 +99,8 @@ Digest = BLAKE2b512 Input = 61 OutputSize = 32 Output = 8928aae63c84d87ea098564d1e03ad813f107add474e56aedd286349c0c03ea4 + +Digest = BLAKE2b512 +Input = 61 +OutputSize = 65 +Result = DIGESTINIT_ERROR