diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b9185fc4e9ef866e048ce3950a54a53e64b84aee..078864471cb0882d6d567ead4863484655c4a955 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -23,7 +23,7 @@ permissions: jobs: check_update: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - name: install unifdef run: | @@ -42,7 +42,7 @@ jobs: run: git diff --exit-code check_docs: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -60,7 +60,7 @@ jobs: # We are not as strict with libraries, but rather adapt to what's # expected to be available in a certain version of each platform. check-ansi: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -69,7 +69,7 @@ jobs: run: make -s -j4 basic_gcc: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: localegen @@ -82,7 +82,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} basic_clang: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -112,7 +112,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} minimal: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -123,7 +123,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} no-deprecated: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -133,11 +133,20 @@ jobs: - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - no-shared: - strategy: - matrix: - os: [ ubuntu-latest, macos-latest ] - runs-on: ${{matrix.os}} + no-shared-ubuntu: + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} + steps: + - uses: actions/checkout@v4 + - name: config + run: ./config --banner=Configured --strict-warnings no-shared no-fips && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + + no-shared-macos: + runs-on: macos-latest + if: github.server_url == 'https://github.com' steps: - uses: actions/checkout@v4 - name: config @@ -148,7 +157,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} non-caching: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -159,7 +168,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 TESTS="-test_fuzz* -test_ssl_* -test_sslapi -test_evp -test_cmp_http -test_verify -test_cms -test_store -test_enc -[01][0-9]" address_ub_sanitizer: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -170,7 +179,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 memory_sanitizer: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -182,7 +191,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 threads_sanitizer: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -193,7 +202,7 @@ jobs: run: make V=1 TESTS="test_threads test_internal_provider test_provfetch test_provider test_pbe test_evp_kdf test_pkcs12 test_store test_evp" test HARNESS_JOBS=${HARNESS_JOBS:-4} enable_non-default_options: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: modprobe tls @@ -206,7 +215,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} fips_and_ktls: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: modprobe tls @@ -219,7 +228,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} no-legacy: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -230,7 +239,7 @@ jobs: run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} legacy: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 - name: config @@ -256,11 +265,36 @@ jobs: # build tree # - That building, testing and installing works with a read-only source # tree - out-of-readonly-source-and-install: - strategy: - matrix: - os: [ubuntu-latest, macos-latest ] - runs-on: ${{matrix.os}} + out-of-readonly-source-and-install-ubuntu: + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} + steps: + - uses: actions/checkout@v4 + with: + path: ./source + - name: make source read-only + run: chmod -R a-w ./source + - name: create build and install directories + run: | + mkdir ./build + mkdir ./install + - name: config + run: | + ../source/config --banner=Configured enable-fips enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd) + perl configdata.pm --dump + working-directory: ./build + - name: make + run: make -s -j4 + working-directory: ./build + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + working-directory: ./build + - name: make install + run: make install + working-directory: ./build + + out-of-readonly-source-and-install-macos: + runs-on: macos-latest + if: github.server_url == 'https://github.com' steps: - uses: actions/checkout@v4 with: @@ -287,7 +321,7 @@ jobs: working-directory: ./build external-tests: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - uses: actions/checkout@v4 with: @@ -312,7 +346,7 @@ jobs: run: make test TESTS="test_external_krb5" external-test-pyca: - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} strategy: matrix: RUST: @@ -328,7 +362,7 @@ jobs: - name: make run: make -s -j4 - name: Setup Python - uses: actions/setup-python@v4.7.1 + uses: actions/setup-python@v5.0.0 with: python-version: ${{ matrix.PYTHON }} - uses: actions-rs/toolchain@v1 diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml index ef946545aa40a2e646a5eab1ddf5eaa3c13514f4..ca8558b74e6ace9144840621b11610f218eefa92 100644 --- a/.github/workflows/cross-compiles.yml +++ b/.github/workflows/cross-compiles.yml @@ -129,7 +129,7 @@ jobs: tests: none } ] - runs-on: ubuntu-latest + runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }} steps: - name: install packages run: | diff --git a/.github/workflows/fips-checksums.yml b/.github/workflows/fips-checksums.yml index 1b56755bfbb176882b0fe31839240f06bffe5d11..a9777a23943708bf7b3f619a590624e6c7447caa 100644 --- a/.github/workflows/fips-checksums.yml +++ b/.github/workflows/fips-checksums.yml @@ -69,7 +69,7 @@ jobs: - name: save PR number run: echo ${{ github.event.number }} > ./artifact/pr_num - name: save artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: fips_checksum path: artifact/ diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 5850c0e4f3a639f3fd9254f91c32c9deb039b8f7..1d187f0dd221e00f3bd6aac5ea96cef3aa3f3747 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -26,7 +26,7 @@ jobs: fuzz-seconds: 600 dry-run: false - name: Upload Crash - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 if: failure() with: name: artifacts diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index a3274457c3cf02c3783e2494758dc8f8b7aef0d5..2e0f4fe0c90b078b75251ef0328f6e84a70c285a 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -25,7 +25,7 @@ jobs: config: enable-fips - arch: win32 config: --strict-warnings no-fips - runs-on: ${{matrix.os}} + runs-on: ${{ github.server_url == 'https://github.com' && matrix.os || format('{0}-self-hosted', matrix.os) }} steps: - uses: actions/checkout@v4 - uses: ilammy/msvc-dev-cmd@v1 @@ -61,7 +61,7 @@ jobs: os: - windows-2019 - windows-2022 - runs-on: ${{matrix.os}} + runs-on: ${{ github.server_url == 'https://github.com' && matrix.os || format('{0}-self-hosted', matrix.os) }} steps: - uses: actions/checkout@v4 - uses: ilammy/msvc-dev-cmd@v1 @@ -85,7 +85,7 @@ jobs: os: - windows-2019 - windows-2022 - runs-on: ${{matrix.os}} + runs-on: ${{ github.server_url == 'https://github.com' && matrix.os || format('{0}-self-hosted', matrix.os) }} steps: - uses: actions/checkout@v4 - uses: ilammy/msvc-dev-cmd@v1 diff --git a/crypto/asn1/asn_moid.c b/crypto/asn1/asn_moid.c index 526219c1a723c98e66c48430000d80b3b76289a6..9aaab8a269d30d390031f2e6bdf388127b6ce8cb 100644 --- a/crypto/asn1/asn_moid.c +++ b/crypto/asn1/asn_moid.c @@ -67,6 +67,10 @@ static int do_create(const char *value, const char *name) if (p == NULL) { ln = name; ostr = value; + } else if (p == value) { + /* we started with a leading comma */ + ln = name; + ostr = p + 1; } else { ln = value; ostr = p + 1; diff --git a/crypto/asn1/x_algor.c b/crypto/asn1/x_algor.c index c0a5f76803ee599209d9c28c17e2340cd49faa00..2c4a8d4b4ee8b9f237ca7a1d51c6eba10ecdee4c 100644 --- a/crypto/asn1/x_algor.c +++ b/crypto/asn1/x_algor.c @@ -179,7 +179,11 @@ int ossl_x509_algor_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md) *palg = X509_ALGOR_new(); if (*palg == NULL) goto err; - X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp); + if (!X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp)) { + X509_ALGOR_free(*palg); + *palg = NULL; + goto err; + } stmp = NULL; err: ASN1_STRING_free(stmp); diff --git a/doc/man3/OPENSSL_LH_COMPFUNC.pod b/doc/man3/OPENSSL_LH_COMPFUNC.pod index d3bb272c4a94b24933b84cce9e526d23321678d2..688ef0edcb91aefac9076db96e6d482729172594 100644 --- a/doc/man3/OPENSSL_LH_COMPFUNC.pod +++ b/doc/man3/OPENSSL_LH_COMPFUNC.pod @@ -8,10 +8,12 @@ LHASH_DOALL_ARG_FN_TYPE, IMPLEMENT_LHASH_HASH_FN, IMPLEMENT_LHASH_COMP_FN, lh_TYPE_new, lh_TYPE_free, lh_TYPE_flush, lh_TYPE_insert, lh_TYPE_delete, lh_TYPE_retrieve, -lh_TYPE_doall, lh_TYPE_doall_arg, lh_TYPE_error, +lh_TYPE_doall, lh_TYPE_doall_arg, lh_TYPE_num_items, lh_TYPE_get_down_load, +lh_TYPE_set_down_load, lh_TYPE_error, OPENSSL_LH_new, OPENSSL_LH_free, OPENSSL_LH_flush, OPENSSL_LH_insert, OPENSSL_LH_delete, OPENSSL_LH_retrieve, -OPENSSL_LH_doall, OPENSSL_LH_doall_arg, OPENSSL_LH_error +OPENSSL_LH_doall, OPENSSL_LH_doall_arg, OPENSSL_LH_num_items, +OPENSSL_LH_get_down_load, OPENSSL_LH_set_down_load, OPENSSL_LH_error - dynamic hash table =head1 SYNOPSIS @@ -34,6 +36,10 @@ OPENSSL_LH_doall, OPENSSL_LH_doall_arg, OPENSSL_LH_error void lh_TYPE_doall_arg(LHASH_OF(TYPE) *table, OPENSSL_LH_DOALL_FUNCARG func, TYPE *arg); + unsigned long lh_TYPE_num_items(OPENSSL_LHASH *lh); + unsigned long lh_TYPE_get_down_load(OPENSSL_LHASH *lh); + void lh_TYPE_set_down_load(OPENSSL_LHASH *lh, unsigned long dl); + int lh_TYPE_error(LHASH_OF(TYPE) *table); typedef int (*OPENSSL_LH_COMPFUNC)(const void *, const void *); @@ -52,8 +58,14 @@ OPENSSL_LH_doall, OPENSSL_LH_doall_arg, OPENSSL_LH_error void OPENSSL_LH_doall(OPENSSL_LHASH *lh, OPENSSL_LH_DOALL_FUNC func); void OPENSSL_LH_doall_arg(OPENSSL_LHASH *lh, OPENSSL_LH_DOALL_FUNCARG func, void *arg); + unsigned long OPENSSL_LH_num_items(OPENSSL_LHASH *lh); + unsigned long OPENSSL_LH_get_down_load(OPENSSL_LHASH *lh); + void OPENSSL_LH_set_down_load(OPENSSL_LHASH *lh, unsigned long dl); + int OPENSSL_LH_error(OPENSSL_LHASH *lh); + #define LH_LOAD_MULT /* integer constant */ + =head1 DESCRIPTION This library implements type-checked dynamic hash tables. The hash @@ -145,15 +157,6 @@ For example: /* Then the hash table itself can be deallocated */ lh_TYPE_free(hashtable); -When doing this, be careful if you delete entries from the hash table -in your callbacks: the table may decrease in size, moving the item -that you are currently on down lower in the hash table - this could -cause some entries to be skipped during the iteration. The second -best solution to this problem is to set hash-Edown_load=0 before -you start (which will stop the hash table ever decreasing in size). -The best solution is probably to avoid deleting items from the hash -table inside a "doall" callback! - B_doall_arg>() is the same as B_doall>() except that I will be called with I as the second argument and I should be of type B(B>) (a callback prototype @@ -175,21 +178,47 @@ that is provided by the caller): lh_TYPE_doall_arg(hashtable, LHASH_DOALL_ARG_FN(TYPE_print), BIO, logging_bio); +Note that it is by default B safe to use B_delete>() inside a +callback passed to B_doall>() or B_doall_arg>(). The +reason for this is that deleting an item from the hash table may result in the +hash table being contracted to a smaller size and rehashed. +B_doall>() and B_doall_arg>() are unsafe and will exhibit +undefined behaviour under these conditions, as these functions assume the hash +table size and bucket pointers do not change during the call. + +If it is desired to use B_doall>() or B_doall_arg>() with +B_delete>(), it is essential that you call +B_set_down_load>() with a I argument of 0 first. This +disables hash table contraction and guarantees that it will be safe to delete +items from a hash table during a call to B_doall>() or +B_doall_arg>(). + +It is never safe to call B_insert>() during a call to +B_doall>() or B_doall_arg>(). B_error>() can be used to determine if an error occurred in the last operation. +B_num_items>() returns the number of items in the hash table. + +B_get_down_load>() and B_set_down_load>() get and set the +factor used to determine when the hash table is contracted. The factor is the +load factor at or below which hash table contraction will occur, multiplied by +B, where the load factor is the number of items divided by the +number of nodes. Setting this value to 0 disables hash table contraction. + OPENSSL_LH_new() is the same as the B_new>() except that it is not type specific. So instead of returning an B)> value it returns a B. In the same way the functions OPENSSL_LH_free(), OPENSSL_LH_flush(), OPENSSL_LH_insert(), OPENSSL_LH_delete(), -OPENSSL_LH_retrieve(), OPENSSL_LH_doall(), OPENSSL_LH_doall_arg(), and -OPENSSL_LH_error() are equivalent to the similarly named B> functions -except that they return or use a B where the equivalent B> -function returns or uses a B *> or B) *>. B> -functions are implemented as type checked wrappers around the B -functions. Most applications should not call the B functions -directly. +OPENSSL_LH_retrieve(), OPENSSL_LH_doall(), OPENSSL_LH_doall_arg(), +OPENSSL_LH_num_items(), OPENSSL_LH_get_down_load(), OPENSSL_LH_set_down_load() +and OPENSSL_LH_error() are equivalent to the similarly named B> +functions except that they return or use a B where the equivalent +B> function returns or uses a B *> or B) *>. +B> functions are implemented as type checked wrappers around the +B functions. Most applications should not call the B +functions directly. =head1 RETURN VALUES diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 5146cedb96ecd8f347e5b0aa8b3113893369f401..698280288e9d3b5bd49db9344b212b76829a48d7 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -870,9 +870,12 @@ static int ctrl_switch_option(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * cmd) /* Find index of command in table */ size_t idx = cmd - ssl_conf_cmds; const ssl_switch_tbl *scmd; + /* Sanity check index */ - if (idx >= OSSL_NELEM(ssl_cmd_switches)) + if (idx >= OSSL_NELEM(ssl_cmd_switches)) { + ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); return 0; + } /* Obtain switches entry with same index */ scmd = ssl_cmd_switches + idx; ssl_set_option(cctx, scmd->name_flags, scmd->option_value, 1); @@ -888,28 +891,33 @@ int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value) } if (!ssl_conf_cmd_skip_prefix(cctx, &cmd)) - return -2; + goto unknown_cmd; runcmd = ssl_conf_cmd_lookup(cctx, cmd); if (runcmd) { - int rv; + int rv = -3; + if (runcmd->value_type == SSL_CONF_TYPE_NONE) { return ctrl_switch_option(cctx, runcmd); } if (value == NULL) - return -3; + goto bad_value; rv = runcmd->cmd(cctx, value); if (rv > 0) return 2; - if (rv == -2) - return -2; + if (rv != -2) + rv = 0; + + bad_value: if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) ERR_raise_data(ERR_LIB_SSL, SSL_R_BAD_VALUE, - "cmd=%s, value=%s", cmd, value); - return 0; + "cmd=%s, value=%s", cmd, + value != NULL ? value : ""); + return rv; } + unknown_cmd: if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) ERR_raise_data(ERR_LIB_SSL, SSL_R_UNKNOWN_CMD_NAME, "cmd=%s", cmd); diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c index c2366e41e365db7cb4529e8395f41c8a78dd780a..8bccce84d465dbef6b1fb74859d747fb755ec367 100644 --- a/ssl/ssl_mcnf.c +++ b/ssl/ssl_mcnf.c @@ -24,7 +24,7 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system) { SSL_CONF_CTX *cctx = NULL; size_t i, idx, cmd_count; - int rv = 0; + int err = 1; unsigned int flags; const SSL_METHOD *meth; const SSL_CONF_CMD *cmds; @@ -66,24 +66,22 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system) flags |= SSL_CONF_FLAG_CLIENT; SSL_CONF_CTX_set_flags(cctx, flags); prev_libctx = OSSL_LIB_CTX_set0_default(libctx); + err = 0; for (i = 0; i < cmd_count; i++) { char *cmdstr, *arg; + int rv; conf_ssl_get_cmd(cmds, i, &cmdstr, &arg); rv = SSL_CONF_cmd(cctx, cmdstr, arg); - if (rv <= 0) { - int errcode = rv == -2 ? SSL_R_UNKNOWN_COMMAND : SSL_R_BAD_VALUE; - - ERR_raise_data(ERR_LIB_SSL, errcode, - "section=%s, cmd=%s, arg=%s", name, cmdstr, arg); - goto err; - } + if (rv <= 0) + ++err; } - rv = SSL_CONF_CTX_finish(cctx); + if (!SSL_CONF_CTX_finish(cctx)) + ++err; err: OSSL_LIB_CTX_set0_default(prev_libctx); SSL_CONF_CTX_free(cctx); - return rv <= 0 ? 0 : 1; + return err == 0; } int SSL_config(SSL *s, const char *name) diff --git a/test/README.md b/test/README.md index 9a5c91953ddb78e78648749fde98e52daf45a2c9..14ce32ecd62e5a2218fc386bb3a662c0ea4c36ad 100644 --- a/test/README.md +++ b/test/README.md @@ -42,7 +42,7 @@ the make variable TESTS to specify them, like this: $ make TESTS='test_rsa test_dsa' test # Unix $ mms/macro="TESTS=test_rsa test_dsa" test ! OpenVMS - $ nmake TESTS='test_rsa test_dsa' test # Windows + $ nmake TESTS="test_rsa test_dsa" test # Windows And of course, you can combine (Unix examples shown): diff --git a/test/evp_test.c b/test/evp_test.c index ed555766c0bfd15c5127d9bb8998cff7478fdede..e81213e2f845bb58b23ac4f6d62a04dbd80ab4c5 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -1408,7 +1408,7 @@ static int mac_test_run_mac(EVP_TEST *t) EVP_MAC_CTX *ctx = NULL; unsigned char *got = NULL; size_t got_len = 0, size = 0; - size_t size_before_init, size_after_init, size_val = 0; + size_t size_before_init = 0, size_after_init, size_val = 0; int i, block_size = -1, output_size = -1; OSSL_PARAM params[21], sizes[3], *psizes = sizes; size_t params_n = 0; @@ -1516,7 +1516,8 @@ static int mac_test_run_mac(EVP_TEST *t) t->err = "MAC_CREATE_ERROR"; goto err; } - size_before_init = EVP_MAC_CTX_get_mac_size(ctx); + if (fips_provider_version_gt(libctx, 3, 0, 12)) + size_before_init = EVP_MAC_CTX_get_mac_size(ctx); if (!EVP_MAC_init(ctx, expected->key, expected->key_len, params)) { t->err = "MAC_INIT_ERROR"; goto err; diff --git a/test/recipes/04-test_asn1_parse.t b/test/recipes/04-test_asn1_parse.t new file mode 100644 index 0000000000000000000000000000000000000000..f3af4365920ac3861a4526233bf89e7d23214dbd --- /dev/null +++ b/test/recipes/04-test_asn1_parse.t @@ -0,0 +1,26 @@ +#! /usr/bin/env perl +# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use OpenSSL::Test qw(:DEFAULT srctop_file); +use OpenSSL::Test::Utils; + +setup("test_asn1_parse"); + +plan tests => 3; + +$ENV{OPENSSL_CONF} = srctop_file("test", "test_asn1_parse.cnf"); + +ok(run(app(([ 'openssl', 'asn1parse', + '-genstr', 'OID:1.2.3.4.1'])))); + +ok(run(app(([ 'openssl', 'asn1parse', + '-genstr', 'OID:1.2.3.4.2'])))); + +ok(run(app(([ 'openssl', 'asn1parse', + '-genstr', 'OID:1.2.3.4.3'])))); diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t index be779233130e20a1df3c7728f525aa53189b8c47..31f9fbd1280ac1a9be5d339d8a88b209fb71865f 100644 --- a/test/recipes/80-test_cms.t +++ b/test/recipes/80-test_cms.t @@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) $no_rc2 = 1 if disabled("legacy"); -plan tests => 18; +plan tests => 19; ok(run(test(["pkcs7_test"])), "test pkcs7"); @@ -222,13 +222,15 @@ my @smime_pkcs7_tests = ( \&final_compare ], - [ "enveloped content test streaming S/MIME format, DES, 3 recipients, key only used", + [ "enveloped content test streaming S/MIME format, DES, 3 recipients, cert and key files used", [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, "-stream", "-out", "{output}.cms", $smrsa1, catfile($smdir, "smrsa2.pem"), - catfile($smdir, "smrsa3.pem") ], - [ "{cmd2}", @defaultprov, "-decrypt", "-inkey", catfile($smdir, "smrsa3.pem"), + catfile($smdir, "smrsa3-cert.pem") ], + [ "{cmd2}", @defaultprov, "-decrypt", + "-recip", catfile($smdir, "smrsa3-cert.pem"), + "-inkey", catfile($smdir, "smrsa3-key.pem"), "-in", "{output}.cms", "-out", "{output}.txt" ], \&final_compare ], @@ -1019,3 +1021,51 @@ with({ exit_checker => sub { return shift == 3; } }, ])), "Check for failure when cipher does not have an assigned OID (issue#22225)"); }); + +# Test encrypt to three recipients, and decrypt using key-only; +# i.e. do not follow the recommended practice of providing the +# recipient cert in the decrypt op. +# +# Use RSAES-OAEP for key-transport, not RSAES-PKCS-v1_5. +# +# Because the cert is not provided during decrypt, all RSA ciphertexts +# are decrypted in turn, and when/if there is a valid decryption, it +# is assumed the correct content-key has been recovered. +# +# That process may fail with RSAES-PKCS-v1_5 b/c there is a +# non-negligible chance that decrypting a random input using +# RSAES-PKCS-v1_5 can result in a valid plaintext (so two content-keys +# could be recovered and the wrong one might be used). +# +# See https://github.com/openssl/project/issues/380 +subtest "encrypt to three recipients with RSA-OAEP, key only decrypt" => sub { + plan tests => 3; + + my $pt = srctop_file("test", "smcont.txt"); + my $ct = "smtst.cms"; + my $ptpt = "smtst.txt"; + + ok(run(app(['openssl', 'cms', + @defaultprov, + '-encrypt', '-aes128', + '-in', $pt, + '-out', $ct, + '-stream', + '-recip', catfile($smdir, "smrsa1.pem"), + '-keyopt', 'rsa_padding_mode:oaep', + '-recip', catfile($smdir, "smrsa2.pem"), + '-keyopt', 'rsa_padding_mode:oaep', + '-recip', catfile($smdir, "smrsa3-cert.pem"), + '-keyopt', 'rsa_padding_mode:oaep', + ])), + "encrypt to three recipients with RSA-OAEP (avoid openssl/project issue#380)"); + ok(run(app(['openssl', 'cms', + @defaultprov, + '-decrypt', '-aes128', + '-in', $ct, + '-out', $ptpt, + '-inkey', catfile($smdir, "smrsa3-key.pem"), + ])), + "decrypt with key only"); + is(compare($pt, $ptpt), 0, "compare original message with decrypted ciphertext"); +}; diff --git a/test/smime-certs/smrsa3-cert.pem b/test/smime-certs/smrsa3-cert.pem new file mode 100644 index 0000000000000000000000000000000000000000..70004acb86988e15ca51448d1e61f1a659487bf1 --- /dev/null +++ b/test/smime-certs/smrsa3-cert.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDeTCCAmGgAwIBAgIUIDyc//j/LoNDesZTGbPBoVarv4EwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw +NTA5MTUzMzEzWjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgUlNBICMzMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEA+QP7d56K4/9eu7aChtWILYNxvqWeDcJeWvX5Z5vC +XUjFuUxBD9U0rw1SBLgFYu8aqAJ+oXsqaGjJARifgKEqPUe7pnYYatr55lhTbHR+ +qA88p1V4sclEaPNWKzd7J/V3eeYr04kqWV5XYhAq9k9AWLzsNIePe2z7OoGPS6oK +wRzWFRd5RYXTpmFr/tqknbYvtYFd7duKb9QqytgHV+RKXXeY0fnjZ7frLmaqDwtI +U3DY7MyS3Hw2BVx72vQXBNA364HGEpqEgVOdzI7et0wpSumaFXDye714xUR53L7N +f3fp3PQXS/RbBiNXs7KUsHCR6nsdsIKO+sg66gxOLNt6zwIDAQABo2AwXjAMBgNV +HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUN9pGq/UFS3o50rTi +V+AYgAk+3R4wHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZI +hvcNAQELBQADggEBAGcOh380/6aJqMpYBssuf2CB3DX/hGKdvEF7fF8iNSfl5HHq +112kHl3MhbL9Th/safJq9sLDJqjXRNdVCUJJbU4YI2P2gsi04paC0qxWxMLtzQLd +CE7ki2xH94Fuu/dThbpzZBABROO1RrdI24GDGt9t4Gf0WVkobmT/zNlwGppKTIB2 +iV/Ug30iKr/C49UzwUIa+XXXujkjPTmGSnrKwVQNxQh81rb+iTL7GEnNuqDsatHW +ZyLS2SaVdG5tMqDkITPMDGjehUzJcAbVc8Bv4m8Ukuov3uDj2Doc6MxlvrVkV0AE +BcSCb/bWQJJ/X4LQZlx9cMk4NINxV9UeFPZOefg= +-----END CERTIFICATE----- diff --git a/test/smime-certs/smrsa3-key.pem b/test/smime-certs/smrsa3-key.pem new file mode 100644 index 0000000000000000000000000000000000000000..216d70b61b74c2038afd5fbbf612e7cf54956fec --- /dev/null +++ b/test/smime-certs/smrsa3-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQD5A/t3norj/167 +toKG1Ygtg3G+pZ4Nwl5a9flnm8JdSMW5TEEP1TSvDVIEuAVi7xqoAn6heypoaMkB +GJ+AoSo9R7umdhhq2vnmWFNsdH6oDzynVXixyURo81YrN3sn9Xd55ivTiSpZXldi +ECr2T0BYvOw0h497bPs6gY9LqgrBHNYVF3lFhdOmYWv+2qSdti+1gV3t24pv1CrK +2AdX5Epdd5jR+eNnt+suZqoPC0hTcNjszJLcfDYFXHva9BcE0DfrgcYSmoSBU53M +jt63TClK6ZoVcPJ7vXjFRHncvs1/d+nc9BdL9FsGI1ezspSwcJHqex2wgo76yDrq +DE4s23rPAgMBAAECggEAEDi+VWD5VUpjD5zWOoPQiRDGBJBhtMAKkl6okxEmXvWb +Xz3STFnjHgA1JFHW3bRU9BHI9k8vSHmnlnkfKb3V/ZX5IHNcKCHb/x9NBak+QLVQ +0zLtfE9vxiTC0B/oac+MPaiD4hYFQ81pFwK6VS0Poi8ZCBJtOkRqfUvsyV8zZrgh +/6cs4mwOVyZPFRgF9eWXYv7PJz8pNRizhII0iv9H/r2I3DzsZLPCg7c29mP+I/SG +A7Pl82UXjtOc0KurGY2M5VheZjxJT/k/FLMkWY2GS5n6dfcyzsVSKb25HoeuvQsI +vs1mKs+Onbobdc17hCcKVJzbi3DwXs5XDhrEzfHccQKBgQD88uBxVCRV31PsCN6I +pKxQDGgz+1BqPqe7KMRiZI7HgDUK0eCM3/oG089/jsBtJcSxnScLSVNBjQ+xGiFi +YCD4icQoJSzpqJyR6gDq5lTHASAe+9LWRW771MrtyACQWNXowYEyu8AjekrZkCUS +wIKVpw57oWykzIoS7ixZsJ8gxwKBgQD8BPWqJEsLiQvOlS5E/g88eV1KTpxm9Xs+ +BbwsDXZ7m4Iw5lYaUu5CwBB/2jkGGRl8Q/EfAdUT7gXv3t6x5b1qMXaIczmRGYto +NuI3AH2MPxAa7lg5TgBgie1r7PKwyPMfG3CtDx6n8W5sexgJpbIy5u7E+U6d8s1o +c7EcsefduQKBgCkHJAx9v18GWFBip+W2ABUDzisQSlzRSNd8p03mTZpiWzgkDq4K +7j0JQhDIkMGjbKH6gYi9Hfn17WOmf1+7g92MSvrP/NbxeGPadsejEIEu14zu/6Wt +oXDLdRbYZ+8B2cBlEpWuCl42yck8Lic6fnPTou++oSah3otvglYR5d2lAoGACd8L +3FE1m0sP6lSPjmZBJIZAcDOqDqJY5HIHD9arKGZL8CxlfPx4lqa9PrTGfQWoqORk +YmmI9hHhq6aYJHGyPKGZWfjhbVyJyFg1/h+Hy2GA+P0S+ZOjkiR050BNtTz5wOMr +Q6wO8FcVkywzIdWaqEHBYne9a5RiFVBKxKv3QAkCgYBxmCBKajFkMVb4Uc55WqJs +Add0mctGgmZ1l5vq81eWe3wjM8wgfJgaD3Q3gwx2ABUX/R+OsVWSh4o5ZR86sYoz +TviknBHF8GeDLjpT49+04fEaz336J2JOptF9zIpz7ZK1nrOEjzaZGtumReVjUP7X +fNcb5iDYqZRzD8ixBbLxUw== +-----END PRIVATE KEY----- diff --git a/test/sysdefault.cnf b/test/sysdefault.cnf index 20712b5bda40cd7878927ccbf74b54206f10a418..1c8915074a7829c671f1986481fdbc2bda24f899 100644 --- a/test/sysdefault.cnf +++ b/test/sysdefault.cnf @@ -18,5 +18,6 @@ new-sig-oid = 1.1.1.1.1.1.1.1.1.1.1.1.1.1 system_default = ssl_default_sect [ssl_default_sect] +SignatureAlgorithms = RSA+SHA256:nonex MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 diff --git a/test/test_asn1_parse.cnf b/test/test_asn1_parse.cnf new file mode 100644 index 0000000000000000000000000000000000000000..5f0305657e83d1d59c3b2adc6479672e6aa94ead --- /dev/null +++ b/test/test_asn1_parse.cnf @@ -0,0 +1,12 @@ +openssl_conf = openssl_init + +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + +[openssl_init] +oid_section = oids + +[oids] +testoid1 = 1.2.3.4.1 +testoid2 = A Very Long OID Name, 1.2.3.4.2 +testoid3 = ,1.2.3.4.3 diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt index 27c8018c24db93e9fbd0e416d0366112370d449c..ab60764a4f2d9237a3bbb4571bc4f1b451d592fc 100644 --- a/util/missingcrypto.txt +++ b/util/missingcrypto.txt @@ -763,9 +763,6 @@ OCSP_response_status_str(3) OCSP_url_svcloc_new(3) OPENSSL_DIR_end(3) OPENSSL_DIR_read(3) -OPENSSL_LH_get_down_load(3) -OPENSSL_LH_num_items(3) -OPENSSL_LH_set_down_load(3) OPENSSL_LH_strhash(3) OPENSSL_asc2uni(3) OPENSSL_die(3)