diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2ba14153c28aab7bed122066b2a2bb6a9332643a..38ad82fe694525b758fd53ca6129938a26ba42e7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -336,21 +336,33 @@ jobs: - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - out-of-source-and-install: + # out-of-source-and-install checks multiple things at the same time: + # - That building, testing and installing works from an out-of-source + # build tree + # - That building, testing and installing works with a read-only source + # tree + out-of-readonly-source-and-install: strategy: matrix: os: [ubuntu-latest, macos-latest ] runs-on: ${{matrix.os}} steps: - uses: actions/checkout@v4 + with: + path: ./source - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - - name: extra preparations + working-directory: ./source + - name: make source read-only + run: chmod -R a-w ./source + - name: create build and install directories run: | mkdir ./build mkdir ./install - name: config - run: ../config --banner=Configured enable-fips enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd) && perl configdata.pm --dump + run: | + ../source/config --banner=Configured enable-fips enable-quic enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd) + perl configdata.pm --dump working-directory: ./build - name: make run: make -s -j4 diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 11c31e0d696bd781655356e19aaf13892071a37a..9773af905f5be42403f3805f404765da45750815 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -9,19 +9,22 @@ Development is done on GitHub in the [openssl/openssl] repository. [openssl/openssl]: -To request new features or report bugs, please open an issue on GitHub +To request new a feature, ask a question, or report a bug, +please open an [issue on GitHub](https://github.com/openssl/openssl/issues). -To submit a patch, please open a pull request on GitHub. If you are thinking -of making a large contribution, open an issue for it before starting work, -to get comments from the community. Someone may be already working on -the same thing, or there may be reasons why that feature isn't implemented. +To submit a patch or implement a new feature, please open a +[pull request on GitHub](https://github.com/openssl/openssl/pulls). +If you are thinking of making a large contribution, +open an issue for it before starting work, to get comments from the community. +Someone may be already working on the same thing, +or there may be special reasons why a feature is not implemented. To make it easier to review and accept your pull request, please follow these guidelines: 1. Anything other than a trivial contribution requires a [Contributor License Agreement] (CLA), giving us permission to use your code. - If your contribution is too small to require a CLA (e.g. fixing a spelling + If your contribution is too small to require a CLA (e.g., fixing a spelling mistake), then place the text "`CLA: trivial`" on a line by itself below the rest of your commit message separated by an empty line, like this: @@ -64,22 +67,24 @@ guidelines: often. We do not accept merge commits, you will have to remove them (usually by rebasing) before it will be acceptable. - 4. Patches should follow our [coding style] and compile without warnings. + 4. Code provided should follow our [coding style] and compile without warnings. + There is a [Perl tool](util/check-format.pl) that helps + finding code formatting mistakes and other coding style nits. Where `gcc` or `clang` is available, you should use the `--strict-warnings` `Configure` option. OpenSSL compiles on many varied - platforms: try to ensure you only use portable features. Clean builds via - GitHub Actions and AppVeyor are required, and they are started automatically - whenever a PR is created or updated. + platforms: try to ensure you only use portable features. + Clean builds via GitHub Actions are required. They are started automatically + whenever a PR is created or updated by committers. [coding style]: https://www.openssl.org/policies/technical/coding-style.html - 5. When at all possible, patches should include tests. These can + 5. When at all possible, code contributions should include tests. These can either be added to an existing test, or completely new. Please see [test/README.md](test/README.md) for information on the test framework. 6. New features or changed functionality must include - documentation. Please look at the "pod" files in doc/man[1357] for - examples of our style. Run "make doc-nits" to make sure that your + documentation. Please look at the `.pod` files in `doc/man[1357]` for + examples of our style. Run `make doc-nits` to make sure that your documentation changes are clean. 7. For user visible changes (API changes, behaviour changes, ...), @@ -89,7 +94,7 @@ guidelines: Have a look through existing entries for inspiration. Please note that this is NOT simply a copy of git-log one-liners. Also note that security fixes get an entry in [CHANGES.md](CHANGES.md). - This file helps users get more in depth information of what comes + This file helps users get more in-depth information of what comes with a specific release without having to sift through the higher noise ratio in git-log. diff --git a/Configurations/50-nonstop.conf b/Configurations/50-nonstop.conf index 827a13b4eec20947c097135f19534808d0592eb6..873e398169bb7c0b820d60ac8203971029dffc90 100644 --- a/Configurations/50-nonstop.conf +++ b/Configurations/50-nonstop.conf @@ -170,24 +170,6 @@ '_REENTRANT', '_THREAD_SUPPORT_FUNCTIONS'], ex_libs => '-lput', }, - 'nonstop-model-spt' => { - template => 1, - cflags => add('-Wnowarn=140'), - defines => ['_SPT_MODEL_', - 'SPT_THREAD_AWARE_NONBLOCK', - '_REENTRANT'], - ex_libs => '-lspt', - }, - - # Additional floss model that can be combined with any of the other models. - # If used without any of the other models, the entry that does so must - # disable threads. - 'nonstop-model-floss' => { - template => 1, - defines => ['OPENSSL_TANDEM_FLOSS', '_ENABLE_FLOSS_THREADS'], - includes => ['/usr/local/include'], - ex_libs => '-lfloss', - }, ###################################################################### # Now for the entries themselves, let's combine things! @@ -225,25 +207,6 @@ multilib => '64-put', multibin => '64-put', }, - 'nonstop-nsx_spt' => { - inherit_from => [ 'nonstop-common', - 'nonstop-archenv-x86_64-oss', - 'nonstop-ilp32', - 'nonstop-efloat-x86_64', - 'nonstop-model-spt' ], - multilib => '-spt', - multibin => '-spt', - }, - 'nonstop-nsx_spt_floss' => { - inherit_from => [ 'nonstop-common', - 'nonstop-archenv-x86_64-oss', - 'nonstop-ilp32', - 'nonstop-efloat-x86_64', - 'nonstop-model-floss', - 'nonstop-model-spt'], - multilib => '-spt', - multibin => '-spt', - }, 'nonstop-nsx_g' => { inherit_from => [ 'nonstop-common', 'nonstop-archenv-x86_64-guardian', @@ -293,24 +256,6 @@ multilib => '64-put', multibin => '64-put', }, - 'nonstop-nse_spt' => { - inherit_from => [ 'nonstop-common', - 'nonstop-archenv-itanium-oss', - 'nonstop-ilp32', - 'nonstop-efloat-itanium', - 'nonstop-model-spt' ], - multilib => '-spt', - multibin => '-spt', - }, - 'nonstop-nse_spt_floss' => { - inherit_from => [ 'nonstop-common', - 'nonstop-archenv-itanium-oss', - 'nonstop-ilp32', - 'nonstop-efloat-itanium', - 'nonstop-model-floss', 'nonstop-model-spt' ], - multilib => '-spt', - multibin => '-spt', - }, 'nonstop-nse_g' => { inherit_from => [ 'nonstop-common', 'nonstop-archenv-itanium-guardian', diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 828e1e91fbb26b348d8e6d40af79770308d67935..e9fb13f24fa57346099870bbb44e22fed17ec253 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -516,7 +516,8 @@ build_all_generated : $(GENERATED_MANDATORY) $(GENERATED) build_docs all : build_sw build_docs test : tests -{- dependmagic('tests'); -} : build_programs_nodep, build_modules_nodep run_tests +{- dependmagic('tests'); -} : build_programs_nodep, build_modules_nodep + $(MMS) $(MMSQUALIFIERS) run_tests run_tests : @ ! {- output_off() if $disabled{tests}; "" -} DEFINE SRCTOP "$(SRCDIR)" diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 6714699178dd98d2b225ba8649030a225047b969..b3350a10486c78d264cb442527432d241ce00ab9 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -544,8 +544,9 @@ help: ## Show this help screen ##@ Testing test: tests ## Run tests (alias of "tests") -{- dependmagic('tests', 'Run tests'); -}: build_programs_nodep build_modules_nodep link-utils run_tests -run_tests: +{- dependmagic('tests', 'Run tests'); -}: build_programs_nodep build_modules_nodep link-utils + $(MAKE) run_tests +run_tests: FORCE @ : {- output_off() if $disabled{tests}; "" -} ( SRCTOP=$(SRCDIR) \ BLDTOP=$(BLDDIR) \ diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index 1f260e49d46b2601002f8e353f4a522ddef43d92..d09773e71ab9d97c068b35657bf508d9b2c72152 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl @@ -440,6 +440,8 @@ all: build_sw {- "build_docs" if !$disabled{docs}; -} test: tests {- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep copy-utils + $(MAKE) /$(MAKEFLAGS) run_tests +run_tests: @{- output_off() if $disabled{tests}; "\@rem" -} cmd /C "set "SRCTOP=$(SRCDIR)" & set "BLDTOP=$(BLDDIR)" & set "PERL=$(PERL)" & set "FIPSKEY=$(FIPSKEY)" & "$(PERL)" "$(SRCDIR)\test\run_tests.pl" $(TESTS)" @{- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -} diff --git a/Configure b/Configure index cbba1749b5a326211d15510ba0f03cb0c7cba332..cca1ac8d162ee448778411a30b37cdba5c3397fa 100755 --- a/Configure +++ b/Configure @@ -1891,11 +1891,12 @@ if ($builder eq "unified") { my $base = shift; my $dir = shift; my $relativeto = shift || "."; + my $no_mkpath = shift // 0; $dir = catdir($base,$dir) unless isabsolute($dir); # Make sure the directories we're building in exists - mkpath($dir); + mkpath($dir) unless $no_mkpath; my $res = abs2rel(absolutedir($dir), rel2abs($relativeto)); #print STDERR "DEBUG[cleandir]: $dir , $base => $res\n"; @@ -1906,6 +1907,7 @@ if ($builder eq "unified") { my $base = shift; my $file = shift; my $relativeto = shift || "."; + my $no_mkpath = shift // 0; $file = catfile($base,$file) unless isabsolute($file); @@ -1913,7 +1915,7 @@ if ($builder eq "unified") { my $f = basename($file); # Make sure the directories we're building in exists - mkpath($d); + mkpath($d) unless $no_mkpath; my $res = abs2rel(catfile(absolutedir($d), $f), rel2abs($relativeto)); #print STDERR "DEBUG[cleanfile]: $d , $f => $res\n"; @@ -1943,7 +1945,7 @@ if ($builder eq "unified") { } # Then, look in our standard directory push @build_file_templates, - ( map { cleanfile($srcdir, catfile("Configurations", $_), $blddir) } + ( map { cleanfile($srcdir, catfile("Configurations", $_), $blddir, 1) } @build_file_template_names ); my $build_file_template; @@ -1958,7 +1960,7 @@ if ($builder eq "unified") { } $config{build_file_templates} = [ cleanfile($srcdir, catfile("Configurations", "common0.tmpl"), - $blddir), + $blddir, 1), $build_file_template ]; my @build_dirs = ( [ ] ); # current directory @@ -1967,7 +1969,7 @@ if ($builder eq "unified") { # We want to detect configdata.pm in the source tree, so we # don't use it if the build tree is different. - my $src_configdata = cleanfile($srcdir, "configdata.pm", $blddir); + my $src_configdata = cleanfile($srcdir, "configdata.pm", $blddir, 1); # Any source file that we recognise is placed in this hash table, with # the list of its intended destinations as value. When everything has @@ -2320,7 +2322,7 @@ EOF my $dest = $_; my $ddest = cleanfile($buildd, $_, $blddir); foreach (@{$sources{$dest}}) { - my $s = cleanfile($sourced, $_, $blddir); + my $s = cleanfile($sourced, $_, $blddir, 1); # If it's generated or we simply don't find it in the source # tree, we assume it's in the build tree. @@ -2365,7 +2367,7 @@ EOF my $dest = $_; my $ddest = cleanfile($buildd, $_, $blddir); foreach (@{$shared_sources{$dest}}) { - my $s = cleanfile($sourced, $_, $blddir); + my $s = cleanfile($sourced, $_, $blddir, 1); # If it's generated or we simply don't find it in the source # tree, we assume it's in the build tree. @@ -2420,7 +2422,7 @@ EOF if scalar @{$generate{$_}} > 1; my @generator = split /\s+/, $generate{$dest}->[0]; my $gen = $generator[0]; - $generator[0] = cleanfile($sourced, $gen, $blddir); + $generator[0] = cleanfile($sourced, $gen, $blddir, 1); # If the generator is itself generated, it's in the build tree if ($generate{$gen} || ! -f $generator[0]) { @@ -2446,7 +2448,7 @@ EOF } elsif ($dest eq '') { $ddest = ''; } else { - $ddest = cleanfile($sourced, $dest, $blddir); + $ddest = cleanfile($sourced, $dest, $blddir, 1); # If the destination doesn't exist in source, it can only be # a generated file in the build tree. @@ -2471,12 +2473,12 @@ EOF && $f =~ m/^(.*?)\|(.*)$/) { $i = $1; $m = $2; - $i = cleanfile($sourced, $i, $blddir); + $i = cleanfile($sourced, $i, $blddir, 1); $i2 = cleanfile($buildd, $i, $blddir); - $d = cleanfile($sourced, "$i/$m", $blddir); + $d = cleanfile($sourced, "$i/$m", $blddir, 1); $d2 = cleanfile($buildd, "$i/$m", $blddir); } else { - $d = cleanfile($sourced, $f, $blddir); + $d = cleanfile($sourced, $f, $blddir, 1); $d2 = cleanfile($buildd, $f, $blddir); } @@ -2507,7 +2509,7 @@ EOF foreach (keys %includes) { my $dest = $_; - my $ddest = cleanfile($sourced, $_, $blddir); + my $ddest = cleanfile($sourced, $_, $blddir, 1); # If the destination doesn't exist in source, it can only be # a generated file in the build tree. @@ -2515,7 +2517,7 @@ EOF $ddest = cleanfile($buildd, $_, $blddir); } foreach (@{$includes{$dest}}) { - my $is = cleandir($sourced, $_, $blddir); + my $is = cleandir($sourced, $_, $blddir, 1); my $ib = cleandir($buildd, $_, $blddir); push @{$unified_info{includes}->{$ddest}->{source}}, $is unless grep { $_ eq $is } @{$unified_info{includes}->{$ddest}->{source}}; @@ -2528,7 +2530,7 @@ EOF my $ddest; if ($dest ne "") { - $ddest = cleanfile($sourced, $dest, $blddir); + $ddest = cleanfile($sourced, $dest, $blddir, 1); # If the destination doesn't exist in source, it can only # be a generated file in the build tree. @@ -2912,7 +2914,7 @@ my %template_vars = ( my $configdata_outname = 'configdata.pm'; open CONFIGDATA, ">$configdata_outname.new" or die "Trying to create $configdata_outname.new: $!"; -my $configdata_tmplname = cleanfile($srcdir, "configdata.pm.in", $blddir); +my $configdata_tmplname = cleanfile($srcdir, "configdata.pm.in", $blddir, 1); my $configdata_tmpl = OpenSSL::Template->new(TYPE => 'FILE', SOURCE => $configdata_tmplname); $configdata_tmpl->fill_in( diff --git a/NOTES-NONSTOP.md b/NOTES-NONSTOP.md index 68438b998884e2a068b7f93886867d8ad4c6f38b..65bfc1087dcabfaf6f941f68c513af0b810c1859 100644 --- a/NOTES-NONSTOP.md +++ b/NOTES-NONSTOP.md @@ -26,15 +26,16 @@ is the only FLOSS variant that has been broadly tested. Threading Models ---------------- -OpenSSL can be built using unthreaded, POSIX User Threads (PUT), or Standard -POSIX Threads (SPT). Select the following build configuration for each on -the TNS/X (L-Series) platform: +OpenSSL can be built either using the POSIX User Threads (PUT) threading model, +or with threading support disabled. Select the following build configuration +for each on the TNS/X (L-Series) platform: - * `nonstop-nsx` or default will select an unthreaded build. + * `nonstop-nsx` or default will select an unthreaded 32-bit build. + * `nonstop-nsx_64` selects an unthreaded 64-bit memory and file length build. * `nonstop-nsx_put` selects the PUT build. - * `nonstop-nsx_64_put` selects the 64 bit file length PUT build. - * `nonstop-nsx_spt_floss` selects the SPT build with FLOSS. FLOSS is - required for SPT builds because of a known hang when using SPT on its own. + * `nonstop-nsx_64_put` selects the 64-bit memory and file length PUT build. + +The SPT threading model is no longer supported as of OpenSSL 3.2. ### TNS/E Considerations @@ -145,9 +146,7 @@ update this list: - nonstop-nsx_64_put **Note:** Cross-compile builds for TNS/E have not been attempted, but should -follow the same considerations as for TNS/X above. SPT builds generally require -FLOSS, which is not available for workstation builds. As a result, SPT builds -of OpenSSL cannot be cross-compiled. +follow the same considerations as for TNS/X above. Also see the NSDEE discussion below for more historical information. @@ -223,9 +222,6 @@ assumes that your PWD is set according to your installation standards. ./Configure nonstop-nsx_put --prefix=${PWD} \ --openssldir=${PWD}/ssl threads "-D_REENTRANT" \ --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS} - ./Configure nonstop-nsx_spt_floss --prefix=${PWD} \ - --openssldir=${PWD}/ssl threads "-D_REENTRANT" \ - --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS} ./Configure nonstop-nsx_64 --prefix=${PWD} \ --openssldir=${PWD}/ssl no-threads \ --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS} @@ -245,9 +241,6 @@ assumes that your PWD is set according to your installation standards. ./Configure nonstop-nse_put --prefix=${PWD} \ --openssldir=${PWD}/ssl threads "-D_REENTRANT" \ --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS} - ./Configure nonstop-nse_spt_floss --prefix=${PWD} \ - --openssldir=${PWD}/ssl threads "-D_REENTRANT" \ - --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS} ./Configure nonstop-nse_64 --prefix=${PWD} \ --openssldir=${PWD}/ssl no-threads \ --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS} diff --git a/apps/asn1parse.c b/apps/asn1parse.c index 097b0cc1eddfb49274ffe16a9e115aa0b34f2892..bf62f8594790759a5db9e8837b4c9a4a6d9c00f5 100644 --- a/apps/asn1parse.c +++ b/apps/asn1parse.c @@ -178,7 +178,7 @@ int asn1parse_main(int argc, char **argv) if ((buf = BUF_MEM_new()) == NULL) goto end; - if (informat == FORMAT_PEM) { + if (genconf == NULL && genstr == NULL && informat == FORMAT_PEM) { if (PEM_read_bio(in, &name, &header, &str, &num) != 1) { BIO_printf(bio_err, "Error reading PEM file\n"); ERR_print_errors(bio_err); diff --git a/apps/cms.c b/apps/cms.c index a16318f37c106fa8f280b3a458f5a02064161799..f93c98ac92c4164bfbc2b10953e2ce62d8e9655d 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -628,7 +628,8 @@ int cms_main(int argc, char **argv) "recipient certificate file"); if (cert == NULL) goto end; - sk_X509_push(encerts, cert); + if (!sk_X509_push(encerts, cert)) + goto end; cert = NULL; } else { recipfile = opt_arg(); @@ -837,7 +838,8 @@ int cms_main(int argc, char **argv) "recipient certificate file"); if (cert == NULL) goto end; - sk_X509_push(encerts, cert); + if (!sk_X509_push(encerts, cert)) + goto end; cert = NULL; } } diff --git a/apps/errstr.c b/apps/errstr.c index 782705a78a33d27d0139ae7dbaa4fa86b4ad9505..21349d21cb4207436dcfc2db95e193e4e925e0e7 100644 --- a/apps/errstr.c +++ b/apps/errstr.c @@ -62,7 +62,7 @@ int errstr_main(int argc, char **argv) /* All remaining arg are error code. */ ret = 0; for (argv = opt_rest(); *argv != NULL; argv++) { - if (sscanf(*argv, "%lx", &l) == 0) { + if (sscanf(*argv, "%lx", &l) <= 0) { ret++; } else { ERR_error_string_n(l, buf, sizeof(buf)); diff --git a/apps/lib/opt.c b/apps/lib/opt.c index 2d61ac9a7865ec4f155c2810554e3bdb4703e5f9..0490c39c251669e20a978d6cfad4e8eaa2d581c5 100644 --- a/apps/lib/opt.c +++ b/apps/lib/opt.c @@ -726,7 +726,12 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm) opt_printf_stderr("%s: Invalid Policy %s\n", prog, opt_arg()); return 0; } - X509_VERIFY_PARAM_add0_policy(vpm, otmp); + if (!X509_VERIFY_PARAM_add0_policy(vpm, otmp)) { + ASN1_OBJECT_free(otmp); + opt_printf_stderr("%s: Internal error adding Policy %s\n", + prog, opt_arg()); + return 0; + } break; case OPT_V_PURPOSE: /* purpose name -> purpose index */ diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 1fa0abd3d4c61015bbf053e90ecddde0317d5258..117b6736436f0c70e9776cd73f1d93f1032a2092 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -14,7 +14,6 @@ #include #include "apps.h" #include "progs.h" -#include #include #include #include @@ -535,7 +534,6 @@ int pkcs12_main(int argc, char **argv) EVP_MD *macmd = NULL; unsigned char *catmp = NULL; int i; - CONF *conf = NULL; ASN1_OBJECT *obj = NULL; if ((options & (NOCERTS | NOKEYS)) == (NOCERTS | NOKEYS)) { @@ -681,12 +679,6 @@ int pkcs12_main(int argc, char **argv) if (!twopass) OPENSSL_strlcpy(macpass, pass, sizeof(macpass)); - /* Load the config file */ - if ((conf = app_load_config(default_config_file)) == NULL) - goto export_end; - if (!app_load_modules(conf)) - goto export_end; - if (jdktrust != NULL) { obj = OBJ_txt2obj(jdktrust, 0); } @@ -731,7 +723,6 @@ int pkcs12_main(int argc, char **argv) OSSL_STACK_OF_X509_free(certs); OSSL_STACK_OF_X509_free(untrusted_certs); X509_free(ee_cert); - NCONF_free(conf); ASN1_OBJECT_free(obj); ERR_print_errors(bio_err); goto end; diff --git a/apps/rehash.c b/apps/rehash.c index 4fea16fa38b21ca3c56a040308dc7466579c0bbd..56a6ccea0928a6d913e299d55d6844845cc5e4d9 100644 --- a/apps/rehash.c +++ b/apps/rehash.c @@ -383,6 +383,7 @@ static int do_dir(const char *dirname, enum Hash h) if ((copy = OPENSSL_strdup(filename)) == NULL || sk_OPENSSL_STRING_push(files, copy) == 0) { OPENSSL_free(copy); + OPENSSL_DIR_end(&d); BIO_puts(bio_err, "out of memory\n"); errs = 1; goto err; diff --git a/apps/smime.c b/apps/smime.c index 88b0475d2d4fd03c242c09a544406934dca1a5ab..b59e14b0b5ed6fe57867d92d2752e8dacd3a6b4e 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -484,7 +484,8 @@ int smime_main(int argc, char **argv) "recipient certificate file"); if (cert == NULL) goto end; - sk_X509_push(encerts, cert); + if (!sk_X509_push(encerts, cert)) + goto end; cert = NULL; argv++; } diff --git a/crypto/asn1/asn_moid.c b/crypto/asn1/asn_moid.c index 6f816307afd4d69f937a9fd07477bd4bf9cf9dfc..1e183f4f18aa5cd51534daa20db97e2ee7323e34 100644 --- a/crypto/asn1/asn_moid.c +++ b/crypto/asn1/asn_moid.c @@ -67,6 +67,10 @@ static int do_create(const char *value, const char *name) if (p == NULL) { ln = name; ostr = value; + } else if (p == value) { + /* we started with a leading comma */ + ln = name; + ostr = p + 1; } else { ln = value; ostr = p + 1; diff --git a/crypto/bio/bio_sock.c b/crypto/bio/bio_sock.c index 3c8b28501ca8a82f1a6f5803332fd1c59a1e6d8c..ee3ee5b78fda222fb31573373559e4e34a5f0231 100644 --- a/crypto/bio/bio_sock.c +++ b/crypto/bio/bio_sock.c @@ -354,7 +354,7 @@ int BIO_socket_nbio(int s, int mode) int l; l = mode; -# if defined(FIONBIO) && !defined(OPENSSL_SYS_TANDEM) +# ifdef FIONBIO l = mode; ret = BIO_socket_ioctl(s, FIONBIO, &l); diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c index 83e1f11e181ce2f5273b1f1842a6ad955ba6f36c..444c5ca7a37554f24b3d9cca83a330c7b5e1757e 100644 --- a/crypto/bn/bn_gf2m.c +++ b/crypto/bn/bn_gf2m.c @@ -730,14 +730,20 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { BIGNUM *b = NULL; int ret = 0; + int numbits; BN_CTX_start(ctx); if ((b = BN_CTX_get(ctx)) == NULL) goto err; + /* Fail on a non-sensical input p value */ + numbits = BN_num_bits(p); + if (numbits <= 1) + goto err; + /* generate blinding value */ do { - if (!BN_priv_rand_ex(b, BN_num_bits(p) - 1, + if (!BN_priv_rand_ex(b, numbits - 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, 0, ctx)) goto err; } while (BN_is_zero(b)); diff --git a/crypto/http/http_lib.c b/crypto/http/http_lib.c index 3164d01d9e48fe1fd4841598f5bb47605eac1d9d..cd0e25c85e4e1f5b1019380b3689c74443bf6cd9 100644 --- a/crypto/http/http_lib.c +++ b/crypto/http/http_lib.c @@ -118,7 +118,7 @@ int OSSL_parse_url(const char *url, char **pscheme, char **puser, char **phost, port = ++p; /* remaining port spec handling is also done for the default values */ /* make sure a decimal port number is given */ - if (!sscanf(port, "%u", &portnum) || portnum > 65535) { + if (sscanf(port, "%u", &portnum) <= 0 || portnum > 65535) { ERR_raise_data(ERR_LIB_HTTP, HTTP_R_INVALID_PORT_NUMBER, "%s", port); goto err; } diff --git a/crypto/md5/asm/md5-aarch64.pl b/crypto/md5/asm/md5-aarch64.pl index 3200a0fa9bff08c6da24129dd0c7e83e49566d95..5a8608069691d13c2470de4dc5710c38f49cc19d 100755 --- a/crypto/md5/asm/md5-aarch64.pl +++ b/crypto/md5/asm/md5-aarch64.pl @@ -28,10 +28,13 @@ open OUT,"| \"$^X\" $xlate $flavour \"$output\"" *STDOUT=*OUT; $code .= < INT_MAX) { + if (bsize > INT_MAX) { ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_STRING_TOO_LONG); return 0; } @@ -274,9 +274,9 @@ int OSSL_PARAM_BLD_push_utf8_ptr(OSSL_PARAM_BLD *bld, const char *key, { OSSL_PARAM_BLD_DEF *pd; - if (bsize == 0) { + if (bsize == 0) bsize = strlen(buf); - } else if (bsize > INT_MAX) { + if (bsize > INT_MAX) { ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_STRING_TOO_LONG); return 0; } diff --git a/crypto/property/property_parse.c b/crypto/property/property_parse.c index 8ba42a0dcb8adea72409841e9d49760c9208ec9d..f94d0d3d41db41b41c65ac52e30a9ad1e56f2ad3 100644 --- a/crypto/property/property_parse.c +++ b/crypto/property/property_parse.c @@ -97,9 +97,18 @@ static int parse_number(const char *t[], OSSL_PROPERTY_DEFINITION *res) const char *s = *t; int64_t v = 0; - if (!ossl_isdigit(*s)) - return 0; do { + if (!ossl_isdigit(*s)) { + ERR_raise_data(ERR_LIB_PROP, PROP_R_NOT_A_DECIMAL_DIGIT, + "HERE-->%s", *t); + return 0; + } + /* overflow check */ + if (v > ((INT64_MAX - (*s - '0')) / 10)) { + ERR_raise_data(ERR_LIB_PROP, PROP_R_PARSE_FAILED, + "Property %s overflows", *t); + return 0; + } v = v * 10 + (*s++ - '0'); } while (ossl_isdigit(*s)); if (!ossl_isspace(*s) && *s != '\0' && *s != ',') { @@ -117,15 +126,27 @@ static int parse_hex(const char *t[], OSSL_PROPERTY_DEFINITION *res) { const char *s = *t; int64_t v = 0; + int sval; - if (!ossl_isxdigit(*s)) - return 0; do { + if (ossl_isdigit(*s)) { + sval = *s - '0'; + } else if (ossl_isxdigit(*s)) { + sval = ossl_tolower(*s) - 'a' + 10; + } else { + ERR_raise_data(ERR_LIB_PROP, PROP_R_NOT_AN_HEXADECIMAL_DIGIT, + "%s", *t); + return 0; + } + + if (v > ((INT64_MAX - sval) / 16)) { + ERR_raise_data(ERR_LIB_PROP, PROP_R_PARSE_FAILED, + "Property %s overflows", *t); + return 0; + } + v <<= 4; - if (ossl_isdigit(*s)) - v += *s - '0'; - else - v += ossl_tolower(*s) - 'a'; + v += sval; } while (ossl_isxdigit(*++s)); if (!ossl_isspace(*s) && *s != '\0' && *s != ',') { ERR_raise_data(ERR_LIB_PROP, PROP_R_NOT_AN_HEXADECIMAL_DIGIT, @@ -143,9 +164,18 @@ static int parse_oct(const char *t[], OSSL_PROPERTY_DEFINITION *res) const char *s = *t; int64_t v = 0; - if (*s == '9' || *s == '8' || !ossl_isdigit(*s)) - return 0; do { + if (*s == '9' || *s == '8' || !ossl_isdigit(*s)) { + ERR_raise_data(ERR_LIB_PROP, PROP_R_NOT_AN_OCTAL_DIGIT, + "HERE-->%s", *t); + return 0; + } + if (v > ((INT64_MAX - (*s - '0')) / 8)) { + ERR_raise_data(ERR_LIB_PROP, PROP_R_PARSE_FAILED, + "Property %s overflows", *t); + return 0; + } + v = (v << 3) + (*s - '0'); } while (ossl_isdigit(*++s) && *s != '9' && *s != '8'); if (!ossl_isspace(*s) && *s != '\0' && *s != ',') { diff --git a/crypto/x509/v3_san.c b/crypto/x509/v3_san.c index 7798505eec6e8f1ce0ce8776d2cb5b6923cb2968..9adf4947071c8ca0d5a1b2081cb2b897aa782174 100644 --- a/crypto/x509/v3_san.c +++ b/crypto/x509/v3_san.c @@ -581,6 +581,8 @@ GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out, if ((gen->d.ia5 = ASN1_IA5STRING_new()) == NULL || !ASN1_STRING_set(gen->d.ia5, (unsigned char *)value, strlen(value))) { + ASN1_IA5STRING_free(gen->d.ia5); + gen->d.ia5 = NULL; ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB); goto err; } @@ -651,16 +653,21 @@ static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx) */ ASN1_TYPE_free(gen->d.otherName->value); if ((gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)) == NULL) - return 0; + goto err; objlen = p - value; objtmp = OPENSSL_strndup(value, objlen); if (objtmp == NULL) - return 0; + goto err; gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0); OPENSSL_free(objtmp); if (!gen->d.otherName->type_id) - return 0; + goto err; return 1; + + err: + OTHERNAME_free(gen->d.otherName); + gen->d.otherName = NULL; + return 0; } static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx) diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index a04e6d102f1ad9ba395da425e8dc14f7e5669803..955340b94d4a05fd3c936f9c391a875ffd97b58d 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -373,7 +373,12 @@ exists. =item EVP_EncryptUpdate() Encrypts I bytes from the buffer I and writes the encrypted version to -I. This function can be called multiple times to encrypt successive blocks +I. The pointers I and I may point to the same location, in which +case the encryption will be done in-place. If I and I point to different +locations, the two buffers must be disjoint, otherwise the operation might fail +or the outcome might be undefined. + +This function can be called multiple times to encrypt successive blocks of data. The amount of data written depends on the block alignment of the encrypted data. For most ciphers and modes, the amount of data written can be anything @@ -382,10 +387,9 @@ For wrap cipher modes, the amount of data written can be anything from zero bytes to (inl + cipher_block_size) bytes. For stream ciphers, the amount of data written can be anything from zero bytes to inl bytes. -Thus, I should contain sufficient room for the operation being performed. -The actual number of bytes written is placed in I. It also -checks if I and I are partially overlapping, and if they are -0 is returned to indicate failure. +Thus, the buffer pointed to by I must contain sufficient room for the +operation being performed. +The actual number of bytes written is placed in I. If padding is enabled (the default) then EVP_EncryptFinal_ex() encrypts the "final" data, that is any data that remains in a partial block. diff --git a/doc/man3/OSSL_PARAM_int.pod b/doc/man3/OSSL_PARAM_int.pod index 29cefe673cc34f41aafdf351a5a9fd0d53f2245e..dae0de083a62de0f5cc0b5484b617d5488e88bdb 100644 --- a/doc/man3/OSSL_PARAM_int.pod +++ b/doc/man3/OSSL_PARAM_int.pod @@ -112,7 +112,7 @@ OSSL_PARAM_UNMODIFIED, OSSL_PARAM_modified, OSSL_PARAM_set_all_unmodified A collection of utility functions that simplify and add type safety to the L arrays. The following B> names are supported: -=over 1 +=over 2 =item * diff --git a/doc/man7/provider-cipher.pod b/doc/man7/provider-cipher.pod index 14ff581c72c492f47f3a49fca951eb6b34cd5379..eaad3cf2ff021abeee1c7f44e7e0ec760d59e206 100644 --- a/doc/man7/provider-cipher.pod +++ b/doc/man7/provider-cipher.pod @@ -148,9 +148,13 @@ It is the responsibility of the cipher implementation to handle input lengths that are not multiples of the block length. In such cases a cipher implementation will typically cache partial blocks of input data until a complete block is obtained. -I may be the same location as I but it should not partially overlap. -The same expectations apply to I as documented for -L and L. +The pointers I and I may point to the same location, in which +case the encryption must be done in-place. If I and I point to different +locations, the requirements of L and L +guarantee that the two buffers are disjoint. +Similarly, the requirements of L and L +ensure that the buffer pointed to by I contains sufficient room for the +operation being performed. OSSL_FUNC_cipher_final() completes an encryption or decryption started through previous OSSL_FUNC_cipher_encrypt_init() or OSSL_FUNC_cipher_decrypt_init(), and OSSL_FUNC_cipher_update() diff --git a/doc/man7/provider-storemgmt.pod b/doc/man7/provider-storemgmt.pod index 81d407a4b8b91051bd2a2801c911d5a77c940bf7..221060021721bed2161a638889ca6ac522dcd6df 100644 --- a/doc/man7/provider-storemgmt.pod +++ b/doc/man7/provider-storemgmt.pod @@ -184,12 +184,12 @@ fingerprint, computed with the given digest. Indicates that the caller wants to search for an object with the given alias (some call it a "friendly name"). -=item "properties" (B +=item "properties" (B) Property string to use when querying for algorithms such as the B decoder implementations. -=item "input-type" (B +=item "input-type" (B) Type of the input format as a hint to use when decoding the objects in the store. diff --git a/providers/implementations/ciphers/cipher_aes_ccm_hw.c b/providers/implementations/ciphers/cipher_aes_ccm_hw.c index 575a8ba88d8e34c75456349ddf89e628cbb94c5b..b050cf3edd88683ba36db3ee23d7a7d8b6499ea8 100644 --- a/providers/implementations/ciphers/cipher_aes_ccm_hw.c +++ b/providers/implementations/ciphers/cipher_aes_ccm_hw.c @@ -61,9 +61,9 @@ static const PROV_CCM_HW aes_ccm = { # include "cipher_aes_ccm_hw_aesni.inc" #elif defined(SPARC_AES_CAPABLE) # include "cipher_aes_ccm_hw_t4.inc" -#elif defined(__riscv) && __riscv_xlen == 64 +#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64 # include "cipher_aes_ccm_hw_rv64i.inc" -#elif defined(__riscv) && __riscv_xlen == 32 +#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32 # include "cipher_aes_ccm_hw_rv32i.inc" #else const PROV_CCM_HW *ossl_prov_aes_hw_ccm(size_t keybits) diff --git a/ssl/record/methods/ssl3_meth.c b/ssl/record/methods/ssl3_meth.c index 76a108e44328fbce925a878a86b6f2d887d3f3b2..810dc0716bc9ec729bdf4ef535cbbe2c1b88ce1d 100644 --- a/ssl/record/methods/ssl3_meth.c +++ b/ssl/record/methods/ssl3_meth.c @@ -64,7 +64,11 @@ static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, return OSSL_RECORD_RETURN_FATAL; } - if (EVP_CIPHER_get0_provider(ciph) != NULL + /* + * The cipher we actually ended up using in the EVP_CIPHER_CTX may be + * different to that in ciph if we have an ENGINE in use + */ + if (EVP_CIPHER_get0_provider(EVP_CIPHER_CTX_get0_cipher(ciph_ctx)) != NULL && !ossl_set_tls_provider_parameters(rl, ciph_ctx, ciph, md)) { /* ERR_raise already called */ return OSSL_RECORD_RETURN_FATAL; diff --git a/ssl/record/methods/tls1_meth.c b/ssl/record/methods/tls1_meth.c index 46a83ad8f42aa2218e38a1da5f877bf2d3c89259..f13d530a05d9c33c39e2101cf3a4cede5a905dc0 100644 --- a/ssl/record/methods/tls1_meth.c +++ b/ssl/record/methods/tls1_meth.c @@ -117,9 +117,16 @@ static int tls1_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); return OSSL_RECORD_RETURN_FATAL; } - if (EVP_CIPHER_get0_provider(ciph) != NULL - && !ossl_set_tls_provider_parameters(rl, ciph_ctx, ciph, md)) + + /* + * The cipher we actually ended up using in the EVP_CIPHER_CTX may be + * different to that in ciph if we have an ENGINE in use + */ + if (EVP_CIPHER_get0_provider(EVP_CIPHER_CTX_get0_cipher(ciph_ctx)) != NULL + && !ossl_set_tls_provider_parameters(rl, ciph_ctx, ciph, md)) { + /* ERR_raise already called */ return OSSL_RECORD_RETURN_FATAL; + } /* Calculate the explicit IV length */ if (RLAYER_USE_EXPLICIT_IV(rl)) { diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index d1ef358932e00dae7785fad0035e8a7f8597818c..0d3acfbe66f35cf6b46f098a687d778a843f4ca5 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2927,10 +2927,6 @@ const EVP_MD *ssl_evp_md_fetch(OSSL_LIB_CTX *libctx, int ssl_evp_md_up_ref(const EVP_MD *md); void ssl_evp_md_free(const EVP_MD *md); -int tls_provider_set_tls_params(SSL_CONNECTION *s, EVP_CIPHER_CTX *ctx, - const EVP_CIPHER *ciph, - const EVP_MD *md); - void tls_engine_finish(ENGINE *e); const EVP_CIPHER *tls_get_cipher_from_engine(int nid); const EVP_MD *tls_get_digest_from_engine(int nid); diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 673a53ad36a4bb0d1d0b3f88cbe74c397a8bfd9a..94f68eb999782d5796926cfa3b4de99d1da706cd 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -101,44 +101,6 @@ static int tls1_generate_key_block(SSL_CONNECTION *s, unsigned char *km, return ret; } -int tls_provider_set_tls_params(SSL_CONNECTION *s, EVP_CIPHER_CTX *ctx, - const EVP_CIPHER *ciph, - const EVP_MD *md) -{ - /* - * Provided cipher, the TLS padding/MAC removal is performed provider - * side so we need to tell the ctx about our TLS version and mac size - */ - OSSL_PARAM params[3], *pprm = params; - size_t macsize = 0; - int imacsize = -1; - - if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0 - /* - * We look at s->ext.use_etm instead of SSL_READ_ETM() or - * SSL_WRITE_ETM() because this test applies to both reading - * and writing. - */ - && !s->ext.use_etm) - imacsize = EVP_MD_get_size(md); - if (imacsize >= 0) - macsize = (size_t)imacsize; - - *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION, - &s->version); - *pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE, - &macsize); - *pprm = OSSL_PARAM_construct_end(); - - if (!EVP_CIPHER_CTX_set_params(ctx, params)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; - } - - return 1; -} - - static int tls_iv_length_within_key_block(const EVP_CIPHER *c) { /* If GCM/CCM mode only part of IV comes from PRF */ diff --git a/test/bntest.c b/test/bntest.c index 2ffff10ef1c29f20c365df3bbd3a5ec86eea0939..20020cac42feea60972e466f8b71f56a16734d08 100644 --- a/test/bntest.c +++ b/test/bntest.c @@ -910,6 +910,14 @@ static int test_gf2m_modinv(void) || !TEST_ptr(d = BN_new())) goto err; + /* Test that a non-sensical, too small value causes a failure */ + if (!TEST_true(BN_one(b[0]))) + goto err; + if (!TEST_true(BN_bntest_rand(a, 512, 0, 0))) + goto err; + if (!TEST_false(BN_GF2m_mod_inv(c, a, b[0], ctx))) + goto err; + if (!(TEST_true(BN_GF2m_arr2poly(p0, b[0])) && TEST_true(BN_GF2m_arr2poly(p1, b[1])))) goto err; diff --git a/test/http_test.c b/test/http_test.c index 49e770cd886bcca3f630f55600c0e18d038cdcdd..3f70f6223ac87664cb30ffc9e06458fb2a08c71f 100644 --- a/test/http_test.c +++ b/test/http_test.c @@ -347,7 +347,8 @@ static int test_http_url_invalid_prefix(void) static int test_http_url_invalid_port(void) { - return test_http_url_invalid("https://1.2.3.4:65536/pkix"); + return test_http_url_invalid("https://1.2.3.4:65536/pkix") + && test_http_url_invalid("https://1.2.3.4:"); } static int test_http_url_invalid_path(void) diff --git a/test/property_test.c b/test/property_test.c index bba96fac0a0191613a181805a6c1dfafacb0a7a6..18f8cc8740e0d3d2236a33d8579ac9e55a64e0b7 100644 --- a/test/property_test.c +++ b/test/property_test.c @@ -136,6 +136,10 @@ static const struct { { "n=0x3", "n=3", 1 }, { "n=0x3", "n=-3", -1 }, { "n=0x33", "n=51", 1 }, + { "n=0x123456789abcdef", "n=0x123456789abcdef", 1 }, + { "n=0x7fffffffffffffff", "n=0x7fffffffffffffff", 1 }, /* INT64_MAX */ + { "n=9223372036854775807", "n=9223372036854775807", 1 }, /* INT64_MAX */ + { "n=0777777777777777777777", "n=0777777777777777777777", 1 }, /* INT64_MAX */ { "n=033", "n=27", 1 }, { "n=0", "n=00", 1 }, { "n=0x0", "n=0", 1 }, @@ -198,6 +202,9 @@ static const struct { { 1, "a=2, n=012345678" }, /* Bad octal digit */ { 0, "n=0x28FG, a=3" }, /* Bad hex digit */ { 0, "n=145d, a=2" }, /* Bad decimal digit */ + { 0, "n=0x8000000000000000, a=3" }, /* Hex overflow */ + { 0, "n=922337203000000000d, a=2" }, /* Decimal overflow */ + { 0, "a=2, n=1000000000000000000000" }, /* Octal overflow */ { 1, "@='hello'" }, /* Invalid name */ { 1, "n0123456789012345678901234567890123456789" "0123456789012345678901234567890123456789" diff --git a/test/recipes/04-test_asn1_parse.t b/test/recipes/04-test_asn1_parse.t new file mode 100644 index 0000000000000000000000000000000000000000..f3af4365920ac3861a4526233bf89e7d23214dbd --- /dev/null +++ b/test/recipes/04-test_asn1_parse.t @@ -0,0 +1,26 @@ +#! /usr/bin/env perl +# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use OpenSSL::Test qw(:DEFAULT srctop_file); +use OpenSSL::Test::Utils; + +setup("test_asn1_parse"); + +plan tests => 3; + +$ENV{OPENSSL_CONF} = srctop_file("test", "test_asn1_parse.cnf"); + +ok(run(app(([ 'openssl', 'asn1parse', + '-genstr', 'OID:1.2.3.4.1'])))); + +ok(run(app(([ 'openssl', 'asn1parse', + '-genstr', 'OID:1.2.3.4.2'])))); + +ok(run(app(([ 'openssl', 'asn1parse', + '-genstr', 'OID:1.2.3.4.3'])))); diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index 32dc4ded8c89961525b916bada32f2db7f8d47c9..20e338b46f4f507480474606964a2527c5aba15a 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; setup("test_req"); -plan tests => 104; +plan tests => 106; require_ok(srctop_file('test', 'recipes', 'tconversion.pl')); @@ -40,10 +40,14 @@ my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem", "-key", srctop_file(@certs, "ee-key.pem"), "-config", srctop_file("test", "test.cnf"), @req_new ); my $val = "subjectAltName=DNS:example.com"; +my $val1 = "subjectAltName=otherName:1.2.3.4;UTF8:test,email:info\@example.com"; my $val2 = " " . $val; my $val3 = $val; $val3 =~ s/=/ =/; ok( run(app([@addext_args, "-addext", $val]))); +ok( run(app([@addext_args, "-addext", $val1]))); +$val1 =~ s/UTF8/XXXX/; # execute the error handling in do_othername +ok(!run(app([@addext_args, "-addext", $val1]))); ok(!run(app([@addext_args, "-addext", $val, "-addext", $val]))); ok(!run(app([@addext_args, "-addext", $val, "-addext", $val2]))); ok(!run(app([@addext_args, "-addext", $val, "-addext", $val3]))); diff --git a/test/sslapitest.c b/test/sslapitest.c index 88294af16a2d7f064dc0ff1b8b290286ba1118da..7e01b72328a4ae3ed71ca3748d7f6fca2fe0543b 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -10586,6 +10586,27 @@ end: #endif /* OSSL_NO_USABLE_TLS1_3 */ #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) + +static ENGINE *load_dasync(void) +{ + ENGINE *e; + + if (!TEST_ptr(e = ENGINE_by_id("dasync"))) + return NULL; + + if (!TEST_true(ENGINE_init(e))) { + ENGINE_free(e); + return NULL; + } + + if (!TEST_true(ENGINE_register_ciphers(e))) { + ENGINE_free(e); + return NULL; + } + + return e; +} + /* * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not * support this yet. The only pipeline capable cipher that we have is in the @@ -10601,6 +10622,8 @@ end: * Test 4: Client has pipelining enabled, server does not: more data than all * the available pipelines can take * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline + * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX + * is created) */ static int test_pipelining(int idx) { @@ -10613,25 +10636,28 @@ static int test_pipelining(int idx) size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5; size_t expectedreads; unsigned char *buf = NULL; - ENGINE *e; - - if (!TEST_ptr(e = ENGINE_by_id("dasync"))) - return 0; + ENGINE *e = NULL; - if (!TEST_true(ENGINE_init(e))) { - ENGINE_free(e); - return 0; + if (idx != 6) { + e = load_dasync(); + if (e == NULL) + return 0; } - if (!TEST_true(ENGINE_register_ciphers(e))) - goto end; - if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), 0, TLS1_2_VERSION, &sctx, &cctx, cert, privkey))) goto end; + if (idx == 6) { + e = load_dasync(); + if (e == NULL) + goto end; + /* Now act like test 0 */ + idx = 0; + } + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL))) goto end; @@ -10767,9 +10793,11 @@ end: SSL_free(clientssl); SSL_CTX_free(sctx); SSL_CTX_free(cctx); - ENGINE_unregister_ciphers(e); - ENGINE_finish(e); - ENGINE_free(e); + if (e != NULL) { + ENGINE_unregister_ciphers(e); + ENGINE_finish(e); + ENGINE_free(e); + } OPENSSL_free(buf); if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH) OPENSSL_free(msg); @@ -11489,7 +11517,7 @@ int setup_tests(void) ADD_ALL_TESTS(test_serverinfo_custom, 4); #endif #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) - ADD_ALL_TESTS(test_pipelining, 6); + ADD_ALL_TESTS(test_pipelining, 7); #endif ADD_ALL_TESTS(test_version, 6); ADD_TEST(test_rstate_string); diff --git a/test/test_asn1_parse.cnf b/test/test_asn1_parse.cnf new file mode 100644 index 0000000000000000000000000000000000000000..5f0305657e83d1d59c3b2adc6479672e6aa94ead --- /dev/null +++ b/test/test_asn1_parse.cnf @@ -0,0 +1,12 @@ +openssl_conf = openssl_init + +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + +[openssl_init] +oid_section = oids + +[oids] +testoid1 = 1.2.3.4.1 +testoid2 = A Very Long OID Name, 1.2.3.4.2 +testoid3 = ,1.2.3.4.3