From 84faeddda399e3a8368178995561baec6be2e10c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Sep 2023 07:56:28 +0000 Subject: [PATCH 01/50] Bump actions/checkout from 2 to 4 Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] CLA: trivial Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21953) (cherry picked from commit d4231af60a8d04196b3b873c2fa8638daff36173) Signed-off-by: fly2x --- .github/workflows/ci.yml | 40 ++++++++++++------------- .github/workflows/compiler-zoo.yml | 2 +- .github/workflows/coveralls.yml | 2 +- .github/workflows/cross-compiles.yml | 2 +- .github/workflows/fips-checksums.yml | 4 +-- .github/workflows/fips-old.yml | 2 +- .github/workflows/fuzz-checker.yml | 2 +- .github/workflows/run-checker-ci.yml | 2 +- .github/workflows/run-checker-daily.yml | 2 +- .github/workflows/run-checker-merge.yml | 2 +- .github/workflows/windows.yml | 6 ++-- 11 files changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cb95866020..73bfe285ee 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -29,7 +29,7 @@ jobs: run: | sudo apt-get update sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install unifdef - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 0 - name: config @@ -44,7 +44,7 @@ jobs: check_docs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: ./config --banner=Configured --strict-warnings enable-fips && perl configdata.pm --dump - name: make build_generated @@ -62,7 +62,7 @@ jobs: check-ansi: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: CPPFLAGS=-ansi ./config --banner=Configured no-asm no-makedepend enable-buildtest-c++ enable-fips --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump - name: make @@ -71,7 +71,7 @@ jobs: basic_gcc: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: localegen run: sudo locale-gen tr_TR.UTF-8 - name: config @@ -84,7 +84,7 @@ jobs: basic_clang: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: CC=clang ./config --banner=Configured no-fips --strict-warnings && perl configdata.pm --dump - name: make @@ -95,7 +95,7 @@ jobs: minimal: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: ./config --banner=Configured --strict-warnings no-bulk no-pic no-asm -DOPENSSL_NO_SECURE_MEMORY -DOPENSSL_SMALL_FOOTPRINT && perl configdata.pm --dump - name: make @@ -106,7 +106,7 @@ jobs: no-deprecated: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: ./config --banner=Configured --strict-warnings no-deprecated enable-fips && perl configdata.pm --dump - name: make @@ -120,7 +120,7 @@ jobs: os: [ ubuntu-latest, macos-latest ] runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: ./config --banner=Configured --strict-warnings no-shared no-fips && perl configdata.pm --dump - name: make @@ -131,7 +131,7 @@ jobs: non-caching: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: ./config --banner=Configured --debug enable-asan enable-ubsan no-cached-fetch no-fips no-dtls no-tls1 no-tls1-method no-tls1_1 no-tls1_1-method no-async && perl configdata.pm --dump - name: make @@ -142,7 +142,7 @@ jobs: address_ub_sanitizer: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: ./config --banner=Configured --debug enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION && perl configdata.pm --dump - name: make @@ -153,7 +153,7 @@ jobs: memory_sanitizer: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config # --debug -O1 is to produce a debug build that runs in a reasonable amount of time run: CC=clang ./config --banner=Configured --debug -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY -fno-optimize-sibling-calls enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips && perl configdata.pm --dump @@ -165,7 +165,7 @@ jobs: threads_sanitizer: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: CC=clang ./config --banner=Configured no-fips --strict-warnings -fsanitize=thread && perl configdata.pm --dump - name: make @@ -176,7 +176,7 @@ jobs: enable_non-default_options: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: modprobe tls run: sudo modprobe tls - name: config @@ -189,7 +189,7 @@ jobs: fips_and_ktls: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: modprobe tls run: sudo modprobe tls - name: config @@ -202,7 +202,7 @@ jobs: no-legacy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: ./config --banner=Configured --strict-warnings no-legacy enable-fips && perl configdata.pm --dump - name: make @@ -213,7 +213,7 @@ jobs: legacy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: ./config --banner=Configured -Werror --debug no-afalgeng no-shared enable-crypto-mdebug enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-fips && perl configdata.pm --dump - name: make @@ -224,7 +224,7 @@ jobs: buildtest: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: ./config --banner=Configured no-asm no-makedepend enable-buildtest-c++ enable-fips --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump - name: make @@ -238,7 +238,7 @@ jobs: os: [ubuntu-latest, macos-latest ] runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: extra preparations run: | mkdir ./build @@ -259,7 +259,7 @@ jobs: external-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: recursive - name: package installs @@ -294,7 +294,7 @@ jobs: PYTHON: - 3.9 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: recursive - name: Configure OpenSSL diff --git a/.github/workflows/compiler-zoo.yml b/.github/workflows/compiler-zoo.yml index a20a84cffe..4f17322ec5 100644 --- a/.github/workflows/compiler-zoo.yml +++ b/.github/workflows/compiler-zoo.yml @@ -99,7 +99,7 @@ jobs: sudo apt-get update sudo apt-get -y install ${{ matrix.zoo.cc }} - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: | diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml index 3d7800a894..5aa595ce8d 100644 --- a/.github/workflows/coveralls.yml +++ b/.github/workflows/coveralls.yml @@ -22,7 +22,7 @@ jobs: contents: read # for actions/checkout to fetch code runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: package installs run: | sudo apt-get -yq install lcov diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml index 51dc58a23a..ba6d82ddae 100644 --- a/.github/workflows/cross-compiles.yml +++ b/.github/workflows/cross-compiles.yml @@ -160,7 +160,7 @@ jobs: sudo apt-get -yq --force-yes install \ gcc-${{ matrix.platform.arch }} \ ${{ matrix.platform.libs }} - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config with FIPS if: matrix.platform.fips != 'no' diff --git a/.github/workflows/fips-checksums.yml b/.github/workflows/fips-checksums.yml index 1f62ed45b3..002494f58c 100644 --- a/.github/workflows/fips-checksums.yml +++ b/.github/workflows/fips-checksums.yml @@ -26,7 +26,7 @@ jobs: mkdir ./build mkdir ./source mkdir ./artifact - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: repository: ${{ github.event.pull_request.base.repo.full_name }} ref: ${{ github.event.pull_request.base.ref }} @@ -43,7 +43,7 @@ jobs: - name: make fips-checksums pristine run: make fips-checksums working-directory: ./build-pristine - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: path: source - name: config diff --git a/.github/workflows/fips-old.yml b/.github/workflows/fips-old.yml index 8ff4d850d2..3589c83266 100644 --- a/.github/workflows/fips-old.yml +++ b/.github/workflows/fips-old.yml @@ -26,7 +26,7 @@ jobs: steps: - name: create directory run: mkdir ./current - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: path: current - name: download module source diff --git a/.github/workflows/fuzz-checker.yml b/.github/workflows/fuzz-checker.yml index 247389e518..ce6d894a98 100644 --- a/.github/workflows/fuzz-checker.yml +++ b/.github/workflows/fuzz-checker.yml @@ -48,7 +48,7 @@ jobs: run: | sudo apt-get update sudo apt-get -yq --force-yes install ${{ matrix.fuzzy.install }} - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: | diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml index 05d1426a39..73ee5f1f80 100644 --- a/.github/workflows/run-checker-ci.yml +++ b/.github/workflows/run-checker-ci.yml @@ -40,7 +40,7 @@ jobs: ] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: CC=clang ./config --banner=Configured --strict-warnings ${{ matrix.opt }} - name: config dump diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml index 3303ca0d83..8b7252b128 100644 --- a/.github/workflows/run-checker-daily.yml +++ b/.github/workflows/run-checker-daily.yml @@ -133,7 +133,7 @@ jobs: ] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: CC=clang ./config --banner=Configured --strict-warnings ${{ matrix.opt }} - name: config dump diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml index 456477b8c8..14dfa7c2d4 100644 --- a/.github/workflows/run-checker-merge.yml +++ b/.github/workflows/run-checker-merge.yml @@ -32,7 +32,7 @@ jobs: ] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: CC=clang ./config --banner=Configured --strict-warnings ${{ matrix.opt }} - name: config dump diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 2d61ef8d24..8c518d17d9 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -27,7 +27,7 @@ jobs: config: --strict-warnings no-fips runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: ilammy/msvc-dev-cmd@v1 with: arch: ${{ matrix.platform.arch }} @@ -63,7 +63,7 @@ jobs: - windows-2022 runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: ilammy/msvc-dev-cmd@v1 - uses: shogo82148/actions-setup-perl@v1 - name: prepare the build directory @@ -87,7 +87,7 @@ jobs: - windows-2022 runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: ilammy/msvc-dev-cmd@v1 - uses: shogo82148/actions-setup-perl@v1 - name: prepare the build directory -- Gitee From c9816f52c07068a7c5bb79ba0ca07c060867f713 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Mon, 4 Sep 2023 09:40:28 +0200 Subject: [PATCH 02/50] Fix internal memory leaks from OPENSSL_MALLOC_FAILURES There is a rarely used feature that can be enabled with `./config enable-crypto-mdebug` when additionally the environment variable OPENSSL_MALLOC_FAILURES is used. It turns out to be possible that CRYPTO_zalloc may create a leak when the memory is allocated and then the shouldfail happens, then the memory is lost. Likewise when OPENSSL_realloc is used with size=0, then the memory is to be free'd but here the shouldfail check is too early, and the failure may prevent the memory to be freed thus creating a bogus memory leak. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21944) (cherry picked from commit e2cf38d5751d6b48c8625b622c3765d0a39958d7) Signed-off-by: fly2x --- crypto/mem.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/crypto/mem.c b/crypto/mem.c index 3d67d9256a..e146f31b21 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -195,7 +195,6 @@ void *CRYPTO_zalloc(size_t num, const char *file, int line) void *ret; ret = CRYPTO_malloc(num, file, line); - FAILTEST(); if (ret != NULL) memset(ret, 0, num); @@ -208,7 +207,6 @@ void *CRYPTO_realloc(void *str, size_t num, const char *file, int line) if (realloc_impl != CRYPTO_realloc) return realloc_impl(str, num, file, line); - FAILTEST(); if (str == NULL) return CRYPTO_malloc(num, file, line); @@ -217,6 +215,7 @@ void *CRYPTO_realloc(void *str, size_t num, const char *file, int line) return NULL; } + FAILTEST(); return realloc(str, num); } -- Gitee From 10d95162aeb1dc9e36609598c383c9dd04280cfd Mon Sep 17 00:00:00 2001 From: Kai Pastor Date: Sun, 3 Sep 2023 10:52:41 +0200 Subject: [PATCH 03/50] Use armv8 .quad instead of .dword Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21938) Signed-off-by: fly2x --- crypto/sm4/asm/vpsm4-armv8.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/sm4/asm/vpsm4-armv8.pl b/crypto/sm4/asm/vpsm4-armv8.pl index edb6b04c9a..a945056ab9 100755 --- a/crypto/sm4/asm/vpsm4-armv8.pl +++ b/crypto/sm4/asm/vpsm4-armv8.pl @@ -470,9 +470,9 @@ _vpsm4_consts: .long 0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209 .long 0x10171E25, 0x2C333A41, 0x484F565D, 0x646B7279 .Lfk: - .dword 0x56aa3350a3b1bac6,0xb27022dc677d9197 + .quad 0x56aa3350a3b1bac6,0xb27022dc677d9197 .Lshuffles: - .dword 0x0B0A090807060504,0x030201000F0E0D0C + .quad 0x0B0A090807060504,0x030201000F0E0D0C .size _vpsm4_consts,.-_vpsm4_consts ___ -- Gitee From 4e44996b3753da575b74973b219d6e7643684590 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Thu, 3 Aug 2023 16:52:49 +0200 Subject: [PATCH 04/50] apps.c: fix error messages (newline and needless text) in load_key_certs_crls() Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21659) (cherry picked from commit 81d037b8adb0232c8a4d4654f79c883dafb102bc) Signed-off-by: fly2x --- apps/lib/apps.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/apps/lib/apps.c b/apps/lib/apps.c index bbaecb8c72..9d65333ec4 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -940,7 +940,7 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin, BIO *bio; if (!maybe_stdin) { - BIO_printf(bio_err, "No filename or uri specified for loading"); + BIO_printf(bio_err, "No filename or uri specified for loading\n"); goto end; } uri = ""; @@ -956,10 +956,8 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin, ctx = OSSL_STORE_open_ex(uri, libctx, propq, get_ui_method(), &uidata, params, NULL, NULL); } - if (ctx == NULL) { - BIO_printf(bio_err, "Could not open file or uri for loading"); + if (ctx == NULL) goto end; - } if (expect > 0 && !OSSL_STORE_expect(ctx, expect)) goto end; -- Gitee From e9beb53638875dcfced3e61c81debc395b33ea1f Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Fri, 4 Aug 2023 08:23:58 +0200 Subject: [PATCH 05/50] apps.c: improve warning texts of parse_name() when skipping RDN input Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21659) (cherry picked from commit 49e097344ba51a8b25016794d482813b9c1e137f) Signed-off-by: fly2x --- apps/lib/apps.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 9d65333ec4..7052b11e52 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -1938,16 +1938,17 @@ X509_NAME *parse_name(const char *cp, int chtype, int canmulti, nid = OBJ_txt2nid(typestr); if (nid == NID_undef) { BIO_printf(bio_err, - "%s: Skipping unknown %s name attribute \"%s\"\n", + "%s warning: Skipping unknown %s name attribute \"%s\"\n", opt_getprog(), desc, typestr); if (ismulti) BIO_printf(bio_err, - "Hint: a '+' in a value string needs be escaped using '\\' else a new member of a multi-valued RDN is expected\n"); + "%s hint: a '+' in a value string needs be escaped using '\\' else a new member of a multi-valued RDN is expected\n", + opt_getprog()); continue; } if (*valstr == '\0') { BIO_printf(bio_err, - "%s: No value provided for %s name attribute \"%s\", skipped\n", + "%s warning: No value provided for %s name attribute \"%s\", skipped\n", opt_getprog(), desc, typestr); continue; } -- Gitee From 0baae1f4f0b7b93371d756b2f6a6ceb06fd8d237 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Fri, 4 Aug 2023 19:02:28 +0200 Subject: [PATCH 06/50] apps/cmp.c: fix bug not allowing to reset -csr and -serial option values Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21659) (cherry picked from commit 374945a9aa545d4d6f015de0b48cbed6a90258e0) Signed-off-by: fly2x --- apps/cmp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/cmp.c b/apps/cmp.c index d81199f082..ffcd86dba8 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -2512,7 +2512,7 @@ static int get_opts(int argc, char **argv) } break; case OPT_CSR: - opt_csr = opt_arg(); + opt_csr = opt_str(); break; case OPT_OUT_TRUSTED: opt_out_trusted = opt_str(); -- Gitee From 761bef522547a39f06d2307b93a1d67ff44e65a9 Mon Sep 17 00:00:00 2001 From: Min Zhou Date: Wed, 6 Sep 2023 11:52:26 +0800 Subject: [PATCH 07/50] test/chacha: replace CPUID_OBJ with OPENSSL_CPUID_OBJ Fixes #21977 Signed-off-by: Min Zhou Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21978) (cherry picked from commit e6b6b18af3e85a6b5f0d8ea1070f7070557d6357) Signed-off-by: fly2x --- test/chacha_internal_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/chacha_internal_test.c b/test/chacha_internal_test.c index 878bd752e0..d52479b658 100644 --- a/test/chacha_internal_test.c +++ b/test/chacha_internal_test.c @@ -181,7 +181,7 @@ static int test_cha_cha_internal(int n) int setup_tests(void) { -#ifdef CPUID_OBJ +#ifdef OPENSSL_CPUID_OBJ OPENSSL_cpuid_setup(); #endif -- Gitee From de2d9d0cddae68e888083753a8a94f2628d821ec Mon Sep 17 00:00:00 2001 From: wangcheng Date: Wed, 6 Sep 2023 21:29:38 +0800 Subject: [PATCH 08/50] Modify the dkeyform type to support engine The valtype value of dkeyform defined in the s_server_options structure is F, which leads to the judgment that the engine is not supported when processing parameters in the opt_next function. This the valtype value of dkeyform should be changed to "f". CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21982) (cherry picked from commit b9a189ce87fde1de4bf691031624538262f005c5) Signed-off-by: fly2x --- apps/s_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/s_server.c b/apps/s_server.c index 4760893355..8daa58f9f6 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -788,7 +788,7 @@ const OPTIONS s_server_options[] = { "second server certificate chain file in PEM format"}, {"dkey", OPT_DKEY, '<', "Second private key file to use (usually for DSA)"}, - {"dkeyform", OPT_DKEYFORM, 'F', + {"dkeyform", OPT_DKEYFORM, 'f', "Second key file format (ENGINE, other values ignored)"}, {"dpass", OPT_DPASS, 's', "Second private key and cert file pass phrase source"}, -- Gitee From 04a8eb9eec4d5d9fb24253263aa71c07d200cce8 Mon Sep 17 00:00:00 2001 From: Pauli Date: Thu, 7 Sep 2023 09:27:37 +1000 Subject: [PATCH 09/50] Check error return from cms_sd_asn1_ctrl() correctly. Fixes #21986 Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/21988) (cherry picked from commit 00a413e2483257a17239cef5dde52df14926284c) Signed-off-by: fly2x --- crypto/cms/cms_sd.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index fcaffea003..e7028d6736 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -264,13 +264,13 @@ static int cms_sd_asn1_ctrl(CMS_SignerInfo *si, int cmd) int i; if (EVP_PKEY_is_a(pkey, "DSA") || EVP_PKEY_is_a(pkey, "EC")) - return cms_generic_sign(si, cmd); + return cms_generic_sign(si, cmd) > 0; else if (EVP_PKEY_is_a(pkey, "RSA") || EVP_PKEY_is_a(pkey, "RSA-PSS")) - return ossl_cms_rsa_sign(si, cmd); + return ossl_cms_rsa_sign(si, cmd) > 0; /* Now give engines, providers, etc a chance to handle this */ if (pkey->ameth == NULL || pkey->ameth->pkey_ctrl == NULL) - return cms_generic_sign(si, cmd); + return cms_generic_sign(si, cmd) > 0; i = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_CMS_SIGN, cmd, si); if (i == -2) { ERR_raise(ERR_LIB_CMS, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); -- Gitee From 28a1c5fe2ef560e06ea443a75622ca3b32227a85 Mon Sep 17 00:00:00 2001 From: Pauli Date: Thu, 7 Sep 2023 12:35:10 +1000 Subject: [PATCH 10/50] Add test case for #21986 Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/21988) (cherry picked from commit c870a465864259f0bdec0953ad085da31941bc27) Signed-off-by: fly2x --- test/recipes/80-test_cms.t | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t index 40dd585c18..165cbbe98b 100644 --- a/test/recipes/80-test_cms.t +++ b/test/recipes/80-test_cms.t @@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) $no_rc2 = 1 if disabled("legacy"); -plan tests => 16; +plan tests => 17; ok(run(test(["pkcs7_test"])), "test pkcs7"); @@ -1046,3 +1046,13 @@ with({ exit_checker => sub { return shift == 6; } }, ])), "Check failure during BIO setup with -stream is handled correctly"); }); + +# Test case for return value mis-check reported in #21986 +with({ exit_checker => sub { return shift == 3; } }, + sub { + ok(run(app(['openssl', 'cms', '-sign', + '-in', srctop_file("test", "smcont.txt"), + '-signer', srctop_file("test/smime-certs", "smdsa1.pem"), + '-md', 'SHAKE256'])), + "issue#21986"); + }); -- Gitee From 739b0469cb0882d6c15acf5fd4b6355d43a9b3d9 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 6 Sep 2023 07:13:26 +0200 Subject: [PATCH 11/50] OSSL_STORE: Fix error flag clearing and setting (provider path only) When the provider's load function returned with an error, the libcrypto error flag was only set if EOF hadn't been reached. This is troublesome, as an error can very well occur during the last load before EOF is reached! Also, the error flag was never reset, even though documentation specifies that it should indicate an error in the last load (i.e. not the one before that). Fixes #21968 Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21976) (cherry picked from commit 17dd9a2c6262c00800301fddd9441a9c590a630e) Signed-off-by: fly2x --- crypto/store/store_lib.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c index f6e4821233..428ac64748 100644 --- a/crypto/store/store_lib.c +++ b/crypto/store/store_lib.c @@ -428,14 +428,14 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx) load_data.v = NULL; load_data.ctx = ctx; + ctx->error_flag = 0; if (!ctx->fetched_loader->p_load(ctx->loader_ctx, ossl_store_handle_load_result, &load_data, ossl_pw_passphrase_callback_dec, &ctx->pwdata)) { - if (!OSSL_STORE_eof(ctx)) - ctx->error_flag = 1; + ctx->error_flag = 1; return NULL; } v = load_data.v; -- Gitee From a4549d86d5f203008fb7d733b7f853f071f9f801 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Wed, 6 Sep 2023 14:06:52 +0200 Subject: [PATCH 12/50] Fix a possible memleak in SRP_VBASE_new In the error handling case the memory in vb->users_pwd was accidentally not released. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21981) (cherry picked from commit 68e95f7840d0d8ac4e5e03381cf9d305578dd1c7) Signed-off-by: fly2x --- crypto/srp/srp_vfy.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index e8beb60d27..edcfb0c76e 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -283,6 +283,7 @@ SRP_VBASE *SRP_VBASE_new(char *seed_key) return NULL; if ((vb->users_pwd = sk_SRP_user_pwd_new_null()) == NULL || (vb->gN_cache = sk_SRP_gN_cache_new_null()) == NULL) { + sk_SRP_user_pwd_free(vb->users_pwd); OPENSSL_free(vb); return NULL; } -- Gitee From d5a89729632d4970794f02aecbc61cc997d77c4e Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Fri, 8 Sep 2023 10:33:24 +0200 Subject: [PATCH 13/50] Fix output corruption in req command when used in conjunction with -out and -modulus options. Fixes #21403 Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22026) (cherry picked from commit d2873946dfaff5537ea3d1adf3890e33a3f276ff) Signed-off-by: fly2x --- apps/req.c | 8 ++++---- test/recipes/25-test_req.t | 13 ++++++++++++- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/apps/req.c b/apps/req.c index 73b320a709..926f0796bc 100644 --- a/apps/req.c +++ b/apps/req.c @@ -990,10 +990,10 @@ int req_main(int argc, char **argv) else tpubkey = X509_REQ_get0_pubkey(req); if (tpubkey == NULL) { - fprintf(stdout, "Modulus is unavailable\n"); + BIO_puts(bio_err, "Modulus is unavailable\n"); goto end; } - fprintf(stdout, "Modulus="); + BIO_puts(out, "Modulus="); if (EVP_PKEY_is_a(tpubkey, "RSA") || EVP_PKEY_is_a(tpubkey, "RSA-PSS")) { BIGNUM *n = NULL; @@ -1002,9 +1002,9 @@ int req_main(int argc, char **argv) BN_print(out, n); BN_free(n); } else { - fprintf(stdout, "Wrong Algorithm type"); + BIO_puts(out, "Wrong Algorithm type"); } - fprintf(stdout, "\n"); + BIO_puts(out, "\n"); } if (!noout && !gen_x509) { diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index 35541aed12..c41673509b 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; setup("test_req"); -plan tests => 44; +plan tests => 46; require_ok(srctop_file('test', 'recipes', 'tconversion.pl')); @@ -473,3 +473,14 @@ my $cert = "self-signed_CA_with_keyUsages.pem"; generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"), "-copy_extensions", "copy"); has_keyUsage($cert, 1); + +# Generate cert using req with '-modulus' +ok(run(app(["openssl", "req", "-x509", "-new", "-days", "365", + "-key", srctop_file("test", "testrsa.pem"), + "-config", srctop_file('test', 'test.cnf'), + "-out", "testreq-cert.pem", + "-modulus"])), "cert req creation - with -modulus"); + +# Verify cert +ok(run(app(["openssl", "x509", "-in", "testreq-cert.pem", + "-noout", "-text"])), "cert verification"); -- Gitee From f16de7d551adac050e71c76dcf62324116a73399 Mon Sep 17 00:00:00 2001 From: Dmitry Misharov Date: Thu, 7 Sep 2023 13:52:46 +0200 Subject: [PATCH 14/50] remove unused Appveyour config Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22000) (cherry picked from commit 8ac32e1e1b1a786366333acf897d332339610e6b) Signed-off-by: fly2x --- appveyor.yml | 82 ---------------------------------------------------- 1 file changed, 82 deletions(-) delete mode 100644 appveyor.yml diff --git a/appveyor.yml b/appveyor.yml deleted file mode 100644 index 9bb6f04e0a..0000000000 --- a/appveyor.yml +++ /dev/null @@ -1,82 +0,0 @@ -image: - - Visual Studio 2017 - -platform: - - x64 - - x86 - -environment: - fast_finish: true - matrix: - - VSVER: 15 - -configuration: - - shared - - minimal - -for: - - - branches: - only: - - master - configuration: - - shared - - plain - - minimal - -before_build: - - ps: >- - Install-Module VSSetup -Scope CurrentUser - - ps: >- - Get-VSSetupInstance -All - - ps: >- - If ($env:Platform -Match "x86") { - $env:VCVARS_PLATFORM="x86" - $env:TARGET="VC-WIN32 no-asm --strict-warnings" - } Else { - $env:VCVARS_PLATFORM="amd64" - $env:TARGET="VC-WIN64A-masm" - } - - ps: >- - If ($env:Configuration -Match "shared") { - $env:CONFIG_OPTS="enable-fips" - } ElseIf ($env:Configuration -Match "minimal") { - $env:CONFIG_OPTS="no-bulk no-asm -DOPENSSL_SMALL_FOOTPRINT" - } Else { - $env:CONFIG_OPTS="no-fips no-shared" - } - - call "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build\vcvarsall.bat" %VCVARS_PLATFORM% - - mkdir _build - - cd _build - - perl ..\Configure %TARGET% no-makedepend %CONFIG_OPTS% - - perl configdata.pm --dump - - cd .. - - ps: >- - If ($env:BUILDONLY -or $env:MAKEVERBOSE) { - $env:NMAKE="nmake" - } Else { - $env:NMAKE="nmake /S" - } - - ps: >- - gci env:* | sort-object name - -build_script: - - cd _build - - "%NMAKE% build_all_generated" - - "%NMAKE% PERL=no-perl" - - cd .. - -test_script: - - cd _build - - ps: >- - if ($env:Configuration -Match "plain") { - cmd /c "%NMAKE% test VERBOSE_FAILURE=yes 2>&1" - } Else { - cmd /c "%NMAKE% test VERBOSE_FAILURE=yes TESTS=-test_fuzz 2>&1" - } - - ps: >- - if ($env:Configuration -Match "shared") { - mkdir ..\_install - cmd /c "%NMAKE% install DESTDIR=..\_install 2>&1" - } - - cd .. -- Gitee From 0a325734faeab4f97eaa6824b4418b9b10d2b577 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Thu, 7 Sep 2023 19:22:25 +0200 Subject: [PATCH 15/50] Fix a possible memleak in rsa_pub_encode That seems to be only an issue for RSA-PSS with parameters. Spotted by code review, so it looks like there is no test coverage for this. Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22032) (cherry picked from commit 285eb1688f05ad477fefc681bf05d0afedc46d40) Signed-off-by: fly2x --- crypto/rsa/rsa_ameth.c | 5 ++++- test/recipes/15-test_rsapss.t | 10 +++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index e3bf12784c..77208d820d 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -60,13 +60,16 @@ static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) if (!rsa_param_encode(pkey, &str, &strtype)) return 0; penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc); - if (penclen <= 0) + if (penclen <= 0) { + ASN1_STRING_free(str); return 0; + } if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id), strtype, str, penc, penclen)) return 1; OPENSSL_free(penc); + ASN1_STRING_free(str); return 0; } diff --git a/test/recipes/15-test_rsapss.t b/test/recipes/15-test_rsapss.t index cea1c605d1..1bfa919158 100644 --- a/test/recipes/15-test_rsapss.t +++ b/test/recipes/15-test_rsapss.t @@ -16,7 +16,7 @@ use OpenSSL::Test::Utils; setup("test_rsapss"); -plan tests => 16; +plan tests => 18; #using test/testrsa.pem which happens to be a 512 bit RSA ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha1', @@ -124,3 +124,11 @@ ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'), ok(!run(app([ 'openssl', 'rsa', '-in' => data_file('negativesaltlen.pem')], '-out' => 'badout'))); + +ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA-PSS', '-pkeyopt', 'rsa_keygen_bits:1024', + '-pkeyopt', 'rsa_pss_keygen_md:SHA256', '-pkeyopt', 'rsa_pss_keygen_saltlen:10', + '-out', 'testrsapss.pem'])), + "openssl genpkey RSA-PSS with pss parameters"); +ok(run(app(['openssl', 'pkey', '-in', 'testrsapss.pem', '-pubout', '-text'])), + "openssl pkey, execute rsa_pub_encode with pss parameters"); +unlink 'testrsapss.pem'; -- Gitee From 69d131a3d68446ec007c7b30d3e4039d5685e39c Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 8 Sep 2023 15:28:45 +0200 Subject: [PATCH 16/50] Add CVE-2023-4807 fix to CHANGES.md and NEWS.md Reviewed-by: Matt Caswell Reviewed-by: Hugo Landau Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22033) (cherry picked from commit 0be7510f49e498532708fd03628fc3fc62ee7875) Signed-off-by: fly2x --- CHANGES.md | 23 ++++++++++++++++++++++- NEWS.md | 4 +++- 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index accc680a81..e531ad09de 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -24,7 +24,27 @@ OpenSSL 3.1 ### Changes between 3.1.2 and 3.1.3 [xx XXX xxxx] - * none yet + * Fix POLY1305 MAC implementation corrupting XMM registers on Windows. + + The POLY1305 MAC (message authentication code) implementation in OpenSSL + does not save the contents of non-volatile XMM registers on Windows 64 + platform when calculating the MAC of data larger than 64 bytes. Before + returning to the caller all the XMM registers are set to zero rather than + restoring their previous content. The vulnerable code is used only on newer + x86_64 processors supporting the AVX512-IFMA instructions. + + The consequences of this kind of internal application state corruption can + be various - from no consequences, if the calling application does not + depend on the contents of non-volatile XMM registers at all, to the worst + consequences, where the attacker could get complete control of the + application process. However given the contents of the registers are just + zeroized so the attacker cannot put arbitrary values inside, the most likely + consequence, if any, would be an incorrect result of some application + dependent calculations or a crash leading to a denial of service. + + ([CVE-2023-4807]) + + *Bernd Edlinger* ### Changes between 3.1.1 and 3.1.2 [1 Aug 2023] @@ -19836,6 +19856,7 @@ ndif +[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975 diff --git a/NEWS.md b/NEWS.md index f12caf627d..c6a538ae39 100644 --- a/NEWS.md +++ b/NEWS.md @@ -21,7 +21,8 @@ OpenSSL 3.1 ### Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [under development] - * none + * Fix POLY1305 MAC implementation corrupting XMM registers on Windows + ([CVE-2023-4807]) ### Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [1 Aug 2023] @@ -1468,6 +1469,7 @@ OpenSSL 0.9.x +[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975 -- Gitee From 87895ed4a9b0116888ce0a9151ecb467b0493b8f Mon Sep 17 00:00:00 2001 From: Vladimir Kotal Date: Tue, 5 Sep 2023 11:13:47 +0200 Subject: [PATCH 17/50] augment man pages with information about PKCS12KDF in FIPS mode Reviewed-by: Paul Dale Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21965) (cherry picked from commit 4ee8c1fb51687ea811fc2abf87e173c70d018bc2) Signed-off-by: fly2x --- doc/man3/PKCS12_create.pod | 7 ++++++- doc/man3/PKCS12_gen_mac.pod | 2 ++ doc/man7/EVP_KDF-PKCS12KDF.pod | 6 +++++- doc/man7/migration_guide.pod | 9 +++++++++ 4 files changed, 22 insertions(+), 2 deletions(-) diff --git a/doc/man3/PKCS12_create.pod b/doc/man3/PKCS12_create.pod index dc0f06d9d3..f528330c04 100644 --- a/doc/man3/PKCS12_create.pod +++ b/doc/man3/PKCS12_create.pod @@ -42,7 +42,8 @@ can all be set to zero and sensible defaults will be used. These defaults are: AES password based encryption (PBES2 with PBKDF2 and AES-256-CBC) for private keys and certificates, the PBKDF2 and MAC key derivation iteration count of B (currently 2048), and -MAC algorithm HMAC with SHA2-256. +MAC algorithm HMAC with SHA2-256. The MAC key derivation algorithm used +for the outer PKCS#12 structure is PKCS12KDF. The default MAC iteration count is 1 in order to retain compatibility with old software which did not interpret MAC iteration counts. If such compatibility @@ -68,6 +69,8 @@ I or I can be set to -1 indicating that no encryption should be used. I can be set to -1 and the MAC will then be omitted entirely. +This can be useful when running with the FIPS provider as the PKCS12KDF +is not a FIPS approvable algorithm. PKCS12_create() makes assumptions regarding the encoding of the given pass phrase. @@ -83,7 +86,9 @@ IETF RFC 7292 (L) =head1 SEE ALSO +L, L, +L, L =head1 HISTORY diff --git a/doc/man3/PKCS12_gen_mac.pod b/doc/man3/PKCS12_gen_mac.pod index c4610ecaa4..07f8855ecf 100644 --- a/doc/man3/PKCS12_gen_mac.pod +++ b/doc/man3/PKCS12_gen_mac.pod @@ -22,6 +22,7 @@ PKCS12_verify_mac - Functions to create and manipulate a PKCS#12 structure PKCS12_gen_mac() generates an HMAC over the entire PKCS#12 object using the supplied password along with a set of already configured parameters. +The default key generation mechanism used is PKCS12KDF. PKCS12_verify_mac() verifies the PKCS#12 object's HMAC using the supplied password. @@ -57,6 +58,7 @@ IETF RFC 7292 (L) =head1 SEE ALSO L, +L, L, L diff --git a/doc/man7/EVP_KDF-PKCS12KDF.pod b/doc/man7/EVP_KDF-PKCS12KDF.pod index 8b256af39a..ecca1dc637 100644 --- a/doc/man7/EVP_KDF-PKCS12KDF.pod +++ b/doc/man7/EVP_KDF-PKCS12KDF.pod @@ -46,6 +46,9 @@ RFC 7292 section B.3. =head1 NOTES +This algorithm is not available in the FIPS provider as it is not FIPS +approvable. + A typical application of this algorithm is to derive keying material for an encryption algorithm from a password in the "pass", a salt in "salt", and an iteration count. @@ -68,7 +71,8 @@ L, L, L, L, -L +L, +L =head1 HISTORY diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod index 11a849b7fe..d9e4b37b2b 100644 --- a/doc/man7/migration_guide.pod +++ b/doc/man7/migration_guide.pod @@ -326,6 +326,15 @@ context and property query and will call an extended version of the key/IV derivation function which supports these parameters. This includes L, L and L. +=head4 PKCS#12 KDF versus FIPS + +Unlike in 1.x.y, the PKCS12KDF algorithm used when a PKCS#12 structure +is created with a MAC that does not work with the FIPS provider as the PKCS12KDF +is not a FIPS approvable mechanism. + +See L, L, L, +L. + =head4 Windows thread synchronization changes Windows thread synchronization uses read/write primitives (SRWLock) when -- Gitee From 1ee5de28cd255bbfaa2ef80017dd19675668a727 Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Tue, 29 Aug 2023 15:42:48 -0400 Subject: [PATCH 18/50] make inability to dup/clone ciphers an error There should be no reason that a cipher can't be duplicated Fixes #21887 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21933) (cherry picked from commit 39d857bb610d25b3de4e414264246ec41753c446) Signed-off-by: fly2x --- test/evp_test.c | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/test/evp_test.c b/test/evp_test.c index 280e19c0b8..ce72998b7c 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -709,6 +709,9 @@ static int cipher_test_enc(EVP_TEST *t, int enc, int ok = 0, tmplen, chunklen, tmpflen, i; EVP_CIPHER_CTX *ctx_base = NULL; EVP_CIPHER_CTX *ctx = NULL, *duped; + int fips_dupctx_supported = (fips_provider_version_ge(libctx, 3, 0, 11) + && fips_provider_version_lt(libctx, 3, 1, 0)) + || fips_provider_version_ge(libctx, 3, 1, 3); t->err = "TEST_FAILURE"; if (!TEST_ptr(ctx_base = EVP_CIPHER_CTX_new())) @@ -839,18 +842,30 @@ static int cipher_test_enc(EVP_TEST *t, int enc, /* Test that the cipher dup functions correctly if it is supported */ ERR_set_mark(); - if (EVP_CIPHER_CTX_copy(ctx, ctx_base)) { - EVP_CIPHER_CTX_free(ctx_base); - ctx_base = NULL; - } else { - EVP_CIPHER_CTX_free(ctx); - ctx = ctx_base; + if (!EVP_CIPHER_CTX_copy(ctx, ctx_base)) { + if (fips_dupctx_supported) { + TEST_info("Doing a copy of Cipher %s Fails!\n", + EVP_CIPHER_get0_name(expected->cipher)); + ERR_print_errors_fp(stderr); + goto err; + } else { + TEST_info("Allowing copy fail as an old fips provider is in use."); + } } /* Likewise for dup */ duped = EVP_CIPHER_CTX_dup(ctx); if (duped != NULL) { EVP_CIPHER_CTX_free(ctx); ctx = duped; + } else { + if (fips_dupctx_supported) { + TEST_info("Doing a dup of Cipher %s Fails!\n", + EVP_CIPHER_get0_name(expected->cipher)); + ERR_print_errors_fp(stderr); + goto err; + } else { + TEST_info("Allowing dup fail as an old fips provider is in use."); + } } ERR_pop_to_mark(); @@ -1035,6 +1050,7 @@ static int cipher_test_run(EVP_TEST *t) int rv, frag = 0; size_t out_misalign, inp_misalign; + TEST_info("RUNNING TEST FOR CIPHER %s\n", EVP_CIPHER_get0_name(cdat->cipher)); if (!cdat->key) { t->err = "NO_KEY"; return 0; -- Gitee From 7e0223d5b6030fa39bd2b3d72e63e7fb71e347ea Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Fri, 1 Sep 2023 09:10:35 -0400 Subject: [PATCH 19/50] Add dupctx support to aead ciphers Add dupctx method support to to ciphers implemented with IMPLEMENT_aead_cipher This includes: aes--gcm aria--ccm aria--gcm sm4--gcm Fixes #21887 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21933) (cherry picked from commit 0239fb3db77e9de2031c5054854cba8e417c1b72) Signed-off-by: fly2x --- .../implementations/ciphers/cipher_aes_ccm.c | 20 +++++++++++++++++++ .../implementations/ciphers/cipher_aes_gcm.c | 9 +++++++++ .../implementations/ciphers/cipher_aria_ccm.c | 9 +++++++++ .../implementations/ciphers/cipher_aria_gcm.c | 9 +++++++++ .../implementations/ciphers/cipher_sm4_ccm.c | 9 +++++++++ .../implementations/ciphers/cipher_sm4_gcm.c | 9 +++++++++ .../include/prov/ciphercommon_aead.h | 5 +++++ 7 files changed, 70 insertions(+) diff --git a/providers/implementations/ciphers/cipher_aes_ccm.c b/providers/implementations/ciphers/cipher_aes_ccm.c index bb4b1e1e64..3930f52d60 100644 --- a/providers/implementations/ciphers/cipher_aes_ccm.c +++ b/providers/implementations/ciphers/cipher_aes_ccm.c @@ -33,6 +33,26 @@ static void *aes_ccm_newctx(void *provctx, size_t keybits) return ctx; } +static void *aes_ccm_dupctx(void *provctx) +{ + PROV_AES_CCM_CTX *ctx = provctx; + PROV_AES_CCM_CTX *dupctx = NULL; + + if (ctx == NULL) + return NULL; + dupctx = OPENSSL_memdup(provctx, sizeof(*ctx)); + if (dupctx == NULL) + return NULL; + /* + * ossl_cm_initctx, via the ossl_prov_aes_hw_ccm functions assign a + * provctx->ccm.ks.ks to the ccm context key so we need to point it to + * the memduped copy + */ + dupctx->base.ccm_ctx.key = &dupctx->ccm.ks.ks; + + return dupctx; +} + static OSSL_FUNC_cipher_freectx_fn aes_ccm_freectx; static void aes_ccm_freectx(void *vctx) { diff --git a/providers/implementations/ciphers/cipher_aes_gcm.c b/providers/implementations/ciphers/cipher_aes_gcm.c index 0081ca6cd7..0a15693cc1 100644 --- a/providers/implementations/ciphers/cipher_aes_gcm.c +++ b/providers/implementations/ciphers/cipher_aes_gcm.c @@ -34,6 +34,15 @@ static void *aes_gcm_newctx(void *provctx, size_t keybits) return ctx; } +static void *aes_gcm_dupctx(void *provctx) +{ + PROV_AES_GCM_CTX *ctx = provctx; + + if (ctx == NULL) + return NULL; + return OPENSSL_memdup(ctx, sizeof(*ctx)); +} + static OSSL_FUNC_cipher_freectx_fn aes_gcm_freectx; static void aes_gcm_freectx(void *vctx) { diff --git a/providers/implementations/ciphers/cipher_aria_ccm.c b/providers/implementations/ciphers/cipher_aria_ccm.c index d6b5517ee0..39a96a6f14 100644 --- a/providers/implementations/ciphers/cipher_aria_ccm.c +++ b/providers/implementations/ciphers/cipher_aria_ccm.c @@ -28,6 +28,15 @@ static void *aria_ccm_newctx(void *provctx, size_t keybits) return ctx; } +static void *aria_ccm_dupctx(void *provctx) +{ + PROV_ARIA_CCM_CTX *ctx = provctx; + + if (ctx == NULL) + return NULL; + return OPENSSL_memdup(ctx, sizeof(*ctx)); +} + static void aria_ccm_freectx(void *vctx) { PROV_ARIA_CCM_CTX *ctx = (PROV_ARIA_CCM_CTX *)vctx; diff --git a/providers/implementations/ciphers/cipher_aria_gcm.c b/providers/implementations/ciphers/cipher_aria_gcm.c index b412bd3202..6ffa0910fa 100644 --- a/providers/implementations/ciphers/cipher_aria_gcm.c +++ b/providers/implementations/ciphers/cipher_aria_gcm.c @@ -27,6 +27,15 @@ static void *aria_gcm_newctx(void *provctx, size_t keybits) return ctx; } +static void *aria_gcm_dupctx(void *provctx) +{ + PROV_ARIA_GCM_CTX *ctx = provctx; + + if (ctx == NULL) + return NULL; + return OPENSSL_memdup(ctx, sizeof(*ctx)); +} + static OSSL_FUNC_cipher_freectx_fn aria_gcm_freectx; static void aria_gcm_freectx(void *vctx) { diff --git a/providers/implementations/ciphers/cipher_sm4_ccm.c b/providers/implementations/ciphers/cipher_sm4_ccm.c index 38e75016e9..fa4b216a02 100644 --- a/providers/implementations/ciphers/cipher_sm4_ccm.c +++ b/providers/implementations/ciphers/cipher_sm4_ccm.c @@ -28,6 +28,15 @@ static void *sm4_ccm_newctx(void *provctx, size_t keybits) return ctx; } +static void *sm4_ccm_dupctx(void *provctx) +{ + PROV_SM4_CCM_CTX *ctx = provctx; + + if (ctx == NULL) + return NULL; + return OPENSSL_memdup(ctx, sizeof(*ctx)); +} + static void sm4_ccm_freectx(void *vctx) { PROV_SM4_CCM_CTX *ctx = (PROV_SM4_CCM_CTX *)vctx; diff --git a/providers/implementations/ciphers/cipher_sm4_gcm.c b/providers/implementations/ciphers/cipher_sm4_gcm.c index ce1aa2b07d..88761a30f0 100644 --- a/providers/implementations/ciphers/cipher_sm4_gcm.c +++ b/providers/implementations/ciphers/cipher_sm4_gcm.c @@ -29,6 +29,15 @@ static void *sm4_gcm_newctx(void *provctx, size_t keybits) return ctx; } +static void *sm4_gcm_dupctx(void *provctx) +{ + PROV_SM4_GCM_CTX *ctx = provctx; + + if (ctx == NULL) + return NULL; + return OPENSSL_memdup(ctx, sizeof(*ctx)); +} + static void sm4_gcm_freectx(void *vctx) { PROV_SM4_GCM_CTX *ctx = (PROV_SM4_GCM_CTX *)vctx; diff --git a/providers/implementations/include/prov/ciphercommon_aead.h b/providers/implementations/include/prov/ciphercommon_aead.h index 1d017175d3..de3dd52ee7 100644 --- a/providers/implementations/include/prov/ciphercommon_aead.h +++ b/providers/implementations/include/prov/ciphercommon_aead.h @@ -23,9 +23,14 @@ static void * alg##kbits##lc##_newctx(void *provctx) \ { \ return alg##_##lc##_newctx(provctx, kbits); \ } \ +static void * alg##kbits##lc##_dupctx(void *src) \ +{ \ + return alg##_##lc##_dupctx(src); \ +} \ const OSSL_DISPATCH ossl_##alg##kbits##lc##_functions[] = { \ { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))alg##kbits##lc##_newctx }, \ { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))alg##_##lc##_freectx }, \ + { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))alg##kbits##lc##_dupctx }, \ { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))ossl_##lc##_einit }, \ { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))ossl_##lc##_dinit }, \ { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))ossl_##lc##_stream_update }, \ -- Gitee From 36b52a2d50c0ef6a708b32f8b6fb0d343f4e0b33 Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Fri, 1 Sep 2023 11:28:33 -0400 Subject: [PATCH 20/50] implement dupctx for aes_WRAP methods create a dupctx method for aes_WRAP implementations of all sizes Fixes #21887 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21933) (cherry picked from commit 2c021e7d11f03ede2330398c4fd8e8c7bd8768ee) Signed-off-by: fly2x --- .../implementations/ciphers/cipher_aes_wrp.c | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/providers/implementations/ciphers/cipher_aes_wrp.c b/providers/implementations/ciphers/cipher_aes_wrp.c index 8bddf475e2..945bdc5a18 100644 --- a/providers/implementations/ciphers/cipher_aes_wrp.c +++ b/providers/implementations/ciphers/cipher_aes_wrp.c @@ -66,6 +66,26 @@ static void *aes_wrap_newctx(size_t kbits, size_t blkbits, return wctx; } +static void *aes_wrap_dupctx(void *wctx) +{ + PROV_AES_WRAP_CTX *ctx = wctx; + PROV_AES_WRAP_CTX *dctx = wctx; + + if (ctx == NULL) + return NULL; + dctx = OPENSSL_memdup(ctx, sizeof(*ctx)); + + if (dctx != NULL && dctx->base.tlsmac != NULL && dctx->base.alloced) { + dctx->base.tlsmac = OPENSSL_memdup(dctx->base.tlsmac, + dctx->base.tlsmacsize); + if (dctx->base.tlsmac == NULL) { + OPENSSL_free(dctx); + dctx = NULL; + } + } + return dctx; +} + static void aes_wrap_freectx(void *vctx) { PROV_AES_WRAP_CTX *wctx = (PROV_AES_WRAP_CTX *)vctx; @@ -281,6 +301,7 @@ static int aes_wrap_set_ctx_params(void *vctx, const OSSL_PARAM params[]) { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##mode##_cipher }, \ { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##mode##_final }, \ { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_##mode##_freectx }, \ + { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))aes_##mode##_dupctx }, \ { OSSL_FUNC_CIPHER_GET_PARAMS, \ (void (*)(void))aes_##kbits##_##fname##_get_params }, \ { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \ -- Gitee From 3c5bc3b01d3574d85812fb8eee5df869dd39f3bb Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Fri, 1 Sep 2023 13:22:03 -0400 Subject: [PATCH 21/50] implement dupctx for chacha20_poly1305 Same as chacha20 in the last commit, just clone the ctx and its underlying tlsmac array if its allocated Fixes #21887 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21933) (cherry picked from commit df93b3c9e72571876bd01e5a50a5ba8368c6c77f) Signed-off-by: fly2x --- .../ciphers/cipher_chacha20_poly1305.c | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/providers/implementations/ciphers/cipher_chacha20_poly1305.c b/providers/implementations/ciphers/cipher_chacha20_poly1305.c index abe670add7..2b271b1d94 100644 --- a/providers/implementations/ciphers/cipher_chacha20_poly1305.c +++ b/providers/implementations/ciphers/cipher_chacha20_poly1305.c @@ -23,6 +23,7 @@ static OSSL_FUNC_cipher_newctx_fn chacha20_poly1305_newctx; static OSSL_FUNC_cipher_freectx_fn chacha20_poly1305_freectx; +static OSSL_FUNC_cipher_dupctx_fn chacha20_poly1305_dupctx; static OSSL_FUNC_cipher_encrypt_init_fn chacha20_poly1305_einit; static OSSL_FUNC_cipher_decrypt_init_fn chacha20_poly1305_dinit; static OSSL_FUNC_cipher_get_params_fn chacha20_poly1305_get_params; @@ -58,6 +59,25 @@ static void *chacha20_poly1305_newctx(void *provctx) return ctx; } +static void *chacha20_poly1305_dupctx(void *provctx) +{ + PROV_CHACHA20_POLY1305_CTX *ctx = provctx; + PROV_CHACHA20_POLY1305_CTX *dctx = NULL; + + if (ctx == NULL) + return NULL; + dctx = OPENSSL_memdup(ctx, sizeof(*ctx)); + if (dctx != NULL && dctx->base.tlsmac != NULL && dctx->base.alloced) { + dctx->base.tlsmac = OPENSSL_memdup(dctx->base.tlsmac, + dctx->base.tlsmacsize); + if (dctx->base.tlsmac == NULL) { + OPENSSL_free(dctx); + dctx = NULL; + } + } + return dctx; +} + static void chacha20_poly1305_freectx(void *vctx) { PROV_CHACHA20_POLY1305_CTX *ctx = (PROV_CHACHA20_POLY1305_CTX *)vctx; @@ -310,6 +330,7 @@ static int chacha20_poly1305_final(void *vctx, unsigned char *out, size_t *outl, const OSSL_DISPATCH ossl_chacha20_ossl_poly1305_functions[] = { { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))chacha20_poly1305_newctx }, { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))chacha20_poly1305_freectx }, + { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))chacha20_poly1305_dupctx }, { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))chacha20_poly1305_einit }, { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))chacha20_poly1305_dinit }, { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))chacha20_poly1305_update }, -- Gitee From 65e7e9928a744fea909d93f6e563f73d884c59ff Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Fri, 1 Sep 2023 13:47:15 -0400 Subject: [PATCH 22/50] Add dupctx support to rc4_hmac_md5 algo Pretty straightforward, just clone the requested context, no pointers to fixup Fixes #21887 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21933) (cherry picked from commit 123c85864fa7fe97d8ae3a09989d410501d957a5) Signed-off-by: fly2x --- .../ciphers/cipher_aes_cbc_hmac_sha.c | 18 ++++++++++++++++++ .../ciphers/cipher_rc4_hmac_md5.c | 11 +++++++++++ 2 files changed, 29 insertions(+) diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c index f9a8a58041..e9a9a2a54c 100644 --- a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c +++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c @@ -334,6 +334,16 @@ static void *aes_cbc_hmac_sha1_newctx(void *provctx, size_t kbits, return ctx; } +static void *aes_cbc_hmac_sha1_dupctx(void *provctx) +{ + PROV_AES_HMAC_SHA1_CTX *ctx = provctx; + + if (ctx == NULL) + return NULL; + + return OPENSSL_memdup(ctx, sizeof(*ctx)); +} + static void aes_cbc_hmac_sha1_freectx(void *vctx) { PROV_AES_HMAC_SHA1_CTX *ctx = (PROV_AES_HMAC_SHA1_CTX *)vctx; @@ -361,6 +371,13 @@ static void *aes_cbc_hmac_sha256_newctx(void *provctx, size_t kbits, return ctx; } +static void *aes_cbc_hmac_sha256_dupctx(void *provctx) +{ + PROV_AES_HMAC_SHA256_CTX *ctx = provctx; + + return OPENSSL_memdup(ctx, sizeof(*ctx)); +} + static void aes_cbc_hmac_sha256_freectx(void *vctx) { PROV_AES_HMAC_SHA256_CTX *ctx = (PROV_AES_HMAC_SHA256_CTX *)vctx; @@ -386,6 +403,7 @@ static int nm##_##kbits##_##sub##_get_params(OSSL_PARAM params[]) \ const OSSL_DISPATCH ossl_##nm##kbits##sub##_functions[] = { \ { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))nm##_##kbits##_##sub##_newctx },\ { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))nm##_##sub##_freectx }, \ + { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))nm##_##sub##_dupctx}, \ { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))nm##_einit }, \ { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))nm##_dinit }, \ { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))nm##_update }, \ diff --git a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c index c46c6eab63..9e99f462ec 100644 --- a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c +++ b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c @@ -34,6 +34,7 @@ static OSSL_FUNC_cipher_encrypt_init_fn rc4_hmac_md5_einit; static OSSL_FUNC_cipher_decrypt_init_fn rc4_hmac_md5_dinit; static OSSL_FUNC_cipher_newctx_fn rc4_hmac_md5_newctx; static OSSL_FUNC_cipher_freectx_fn rc4_hmac_md5_freectx; +static OSSL_FUNC_cipher_dupctx_fn rc4_hmac_md5_dupctx; static OSSL_FUNC_cipher_get_ctx_params_fn rc4_hmac_md5_get_ctx_params; static OSSL_FUNC_cipher_gettable_ctx_params_fn rc4_hmac_md5_gettable_ctx_params; static OSSL_FUNC_cipher_set_ctx_params_fn rc4_hmac_md5_set_ctx_params; @@ -71,6 +72,15 @@ static void rc4_hmac_md5_freectx(void *vctx) OPENSSL_clear_free(ctx, sizeof(*ctx)); } +static void *rc4_hmac_md5_dupctx(void *vctx) +{ + PROV_RC4_HMAC_MD5_CTX *ctx = vctx; + + if (ctx == NULL) + return NULL; + return OPENSSL_memdup(ctx, sizeof(*ctx)); +} + static int rc4_hmac_md5_einit(void *ctx, const unsigned char *key, size_t keylen, const unsigned char *iv, size_t ivlen, const OSSL_PARAM params[]) @@ -214,6 +224,7 @@ static int rc4_hmac_md5_get_params(OSSL_PARAM params[]) const OSSL_DISPATCH ossl_rc4_hmac_ossl_md5_functions[] = { { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))rc4_hmac_md5_newctx }, { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))rc4_hmac_md5_freectx }, + { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))rc4_hmac_md5_dupctx }, { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))rc4_hmac_md5_einit }, { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))rc4_hmac_md5_dinit }, { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))rc4_hmac_md5_update }, -- Gitee From f37ce716c61084594f6b88e2dd94c6fba52c2437 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Mon, 11 Sep 2023 12:34:02 +0200 Subject: [PATCH 23/50] Fix a memleak in prepare_rsa_params This affects only RSA-PSS keys with params using negative salt legth, or in case of out of memory. This fixes a memory leak reported in #22049. Reviewed-by: Hugo Landau Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22061) (cherry picked from commit 46def829afa4d8bed8f53d484bdf842d65f0e176) Signed-off-by: fly2x --- providers/implementations/encode_decode/encode_key2any.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c index efbaa0d8cd..c2f3dc85be 100644 --- a/providers/implementations/encode_decode/encode_key2any.c +++ b/providers/implementations/encode_decode/encode_key2any.c @@ -858,14 +858,17 @@ static int prepare_rsa_params(const void *rsa, int nid, int save, case 1: if ((str = OPENSSL_malloc(str_sz)) == NULL || !WPACKET_init_der(&pkt, str, str_sz)) { + WPACKET_cleanup(&pkt); goto err; } break; } if (!ossl_DER_w_RSASSA_PSS_params(&pkt, -1, pss) || !WPACKET_finish(&pkt) - || !WPACKET_get_total_written(&pkt, &str_sz)) + || !WPACKET_get_total_written(&pkt, &str_sz)) { + WPACKET_cleanup(&pkt); goto err; + } WPACKET_cleanup(&pkt); /* -- Gitee From 57a6b867f0cccb14fb6ea8c98279d54ec66561e6 Mon Sep 17 00:00:00 2001 From: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Mon, 11 Sep 2023 13:35:27 +0200 Subject: [PATCH 24/50] Fix typos found by codespell in openssl-3.1 Only modify doc/man* in the openssl-3.1 branch. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22065) Signed-off-by: fly2x --- doc/man1/openssl-cms.pod.in | 2 +- doc/man3/EVP_MAC.pod | 2 +- doc/man3/EVP_SIGNATURE.pod | 2 +- doc/man3/OSSL_CMP_CTX_new.pod | 2 +- doc/man3/SSL_new.pod | 2 +- doc/man5/x509v3_config.pod | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index c63a7f330b..a97eea0d71 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -391,7 +391,7 @@ option. =item I ... This is an alternative to using the B<-recip> option when encrypting a message. -One or more certificate filennames may be given. +One or more certificate filenames may be given. =item B<-I> diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod index 11140a63bf..7e58d59255 100644 --- a/doc/man3/EVP_MAC.pod +++ b/doc/man3/EVP_MAC.pod @@ -181,7 +181,7 @@ EVP_MAC_CTX_set_params() passes chosen parameters to the underlying context, given a context I. The set of parameters given with I determine exactly what parameters are passed down. -If I are NULL, the unterlying context should do nothing and return 1. +If I are NULL, the underlying context should do nothing and return 1. Note that a parameter that is unknown in the underlying context is simply ignored. Also, what happens when a needed parameter isn't passed down is diff --git a/doc/man3/EVP_SIGNATURE.pod b/doc/man3/EVP_SIGNATURE.pod index 7587a2f543..8b44f883eb 100644 --- a/doc/man3/EVP_SIGNATURE.pod +++ b/doc/man3/EVP_SIGNATURE.pod @@ -61,7 +61,7 @@ EVP_SIGNATURE_get0_provider() returns the provider that I was fetched from. EVP_SIGNATURE_do_all_provided() traverses all SIGNATURE implemented by all -activated roviders in the given library context I, and for each of the +activated providers in the given library context I, and for each of the implementations, calls the given function I with the implementation method and the given I as argument. diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index e81fb08b00..41d334887f 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -182,7 +182,7 @@ clearing the internal CMP transaction (aka session) status, PKIStatusInfo, and any previous results (newCert, newChain, caPubs, and extraCertsIn) from the last executed transaction. It also clears any ITAVs that were added by OSSL_CMP_CTX_push0_genm_ITAV(). -All other field values (i.e., CMP options) are retained for potential re-use. +All other field values (i.e., CMP options) are retained for potential reuse. OSSL_CMP_CTX_set_option() sets the given value for the given option (e.g., OSSL_CMP_OPT_IMPLICIT_CONFIRM) in the given OSSL_CMP_CTX structure. diff --git a/doc/man3/SSL_new.pod b/doc/man3/SSL_new.pod index 59d275523f..f9b8678246 100644 --- a/doc/man3/SSL_new.pod +++ b/doc/man3/SSL_new.pod @@ -35,7 +35,7 @@ MUST NOT have yet started the SSL handshake. For connections that are not in their initial state SSL_dup() just increments an internal reference count and returns the I handle. It may be possible to use L to recycle an SSL handle that is not in its initial -state for re-use, but this is best avoided. Instead, save and restore +state for reuse, but this is best avoided. Instead, save and restore the session, if desired, and construct a fresh handle for each connection. The subset of settings in I that are duplicated are: diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod index 1830092394..fe24cb3456 100644 --- a/doc/man5/x509v3_config.pod +++ b/doc/man5/x509v3_config.pod @@ -93,7 +93,7 @@ numeric identifier, as shown here: email.2 = steve@example.org The syntax of raw extensions is defined by the source code that parses -the extension but should be documened. +the extension but should be documented. See L for an example of a raw extension. If an extension type is unsupported, then the I extension syntax -- Gitee From 337deb87f975d11bd63ea09b3dd84c7edc8472a5 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 11 Sep 2023 17:23:46 +0200 Subject: [PATCH 25/50] d2i_ECPKParameters and i2d_ECPKParameters are not deprecated So do not document them as such. Fixes #22068 Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22069) (cherry picked from commit 2508629765403375b3075300a0951705ec26fe27) Signed-off-by: fly2x --- doc/man3/d2i_RSAPrivateKey.pod | 2 -- doc/man3/d2i_X509.pod | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/man3/d2i_RSAPrivateKey.pod b/doc/man3/d2i_RSAPrivateKey.pod index 5156f0edb2..6ad06aa048 100644 --- a/doc/man3/d2i_RSAPrivateKey.pod +++ b/doc/man3/d2i_RSAPrivateKey.pod @@ -28,7 +28,6 @@ d2i_RSA_PUBKEY_fp, d2i_DHparams, d2i_DHparams_bio, d2i_DHparams_fp, -d2i_ECPKParameters, d2i_ECParameters, d2i_ECPrivateKey, d2i_ECPrivateKey_bio, @@ -56,7 +55,6 @@ i2d_DSA_PUBKEY, i2d_DSA_PUBKEY_bio, i2d_DSA_PUBKEY_fp, i2d_DSAparams, -i2d_ECPKParameters, i2d_ECParameters, i2d_ECPrivateKey, i2d_ECPrivateKey_bio, diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod index c79a964e6d..9226ef77c3 100644 --- a/doc/man3/d2i_X509.pod +++ b/doc/man3/d2i_X509.pod @@ -53,6 +53,7 @@ d2i_DIST_POINT, d2i_DIST_POINT_NAME, d2i_DSA_SIG, d2i_ECDSA_SIG, +d2i_ECPKParameters, d2i_EDIPARTYNAME, d2i_ESS_CERT_ID, d2i_ESS_CERT_ID_V2, @@ -223,6 +224,7 @@ i2d_DIST_POINT, i2d_DIST_POINT_NAME, i2d_DSA_SIG, i2d_ECDSA_SIG, +i2d_ECPKParameters, i2d_EDIPARTYNAME, i2d_ESS_CERT_ID, i2d_ESS_CERT_ID_V2, -- Gitee From f2c4ab051182abf0f143ae539d013a05c624d8a0 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 12 Sep 2023 18:54:48 +0200 Subject: [PATCH 26/50] Revert "Add dupctx support to rc4_hmac_md5 algo" This reverts commit d9f84aef6033804e4c7ebf28ee88fcd2c63161d6. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22081) Signed-off-by: fly2x --- .../ciphers/cipher_aes_cbc_hmac_sha.c | 18 ------------------ .../ciphers/cipher_rc4_hmac_md5.c | 11 ----------- 2 files changed, 29 deletions(-) diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c index e9a9a2a54c..f9a8a58041 100644 --- a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c +++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c @@ -334,16 +334,6 @@ static void *aes_cbc_hmac_sha1_newctx(void *provctx, size_t kbits, return ctx; } -static void *aes_cbc_hmac_sha1_dupctx(void *provctx) -{ - PROV_AES_HMAC_SHA1_CTX *ctx = provctx; - - if (ctx == NULL) - return NULL; - - return OPENSSL_memdup(ctx, sizeof(*ctx)); -} - static void aes_cbc_hmac_sha1_freectx(void *vctx) { PROV_AES_HMAC_SHA1_CTX *ctx = (PROV_AES_HMAC_SHA1_CTX *)vctx; @@ -371,13 +361,6 @@ static void *aes_cbc_hmac_sha256_newctx(void *provctx, size_t kbits, return ctx; } -static void *aes_cbc_hmac_sha256_dupctx(void *provctx) -{ - PROV_AES_HMAC_SHA256_CTX *ctx = provctx; - - return OPENSSL_memdup(ctx, sizeof(*ctx)); -} - static void aes_cbc_hmac_sha256_freectx(void *vctx) { PROV_AES_HMAC_SHA256_CTX *ctx = (PROV_AES_HMAC_SHA256_CTX *)vctx; @@ -403,7 +386,6 @@ static int nm##_##kbits##_##sub##_get_params(OSSL_PARAM params[]) \ const OSSL_DISPATCH ossl_##nm##kbits##sub##_functions[] = { \ { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))nm##_##kbits##_##sub##_newctx },\ { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))nm##_##sub##_freectx }, \ - { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))nm##_##sub##_dupctx}, \ { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))nm##_einit }, \ { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))nm##_dinit }, \ { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))nm##_update }, \ diff --git a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c index 9e99f462ec..c46c6eab63 100644 --- a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c +++ b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c @@ -34,7 +34,6 @@ static OSSL_FUNC_cipher_encrypt_init_fn rc4_hmac_md5_einit; static OSSL_FUNC_cipher_decrypt_init_fn rc4_hmac_md5_dinit; static OSSL_FUNC_cipher_newctx_fn rc4_hmac_md5_newctx; static OSSL_FUNC_cipher_freectx_fn rc4_hmac_md5_freectx; -static OSSL_FUNC_cipher_dupctx_fn rc4_hmac_md5_dupctx; static OSSL_FUNC_cipher_get_ctx_params_fn rc4_hmac_md5_get_ctx_params; static OSSL_FUNC_cipher_gettable_ctx_params_fn rc4_hmac_md5_gettable_ctx_params; static OSSL_FUNC_cipher_set_ctx_params_fn rc4_hmac_md5_set_ctx_params; @@ -72,15 +71,6 @@ static void rc4_hmac_md5_freectx(void *vctx) OPENSSL_clear_free(ctx, sizeof(*ctx)); } -static void *rc4_hmac_md5_dupctx(void *vctx) -{ - PROV_RC4_HMAC_MD5_CTX *ctx = vctx; - - if (ctx == NULL) - return NULL; - return OPENSSL_memdup(ctx, sizeof(*ctx)); -} - static int rc4_hmac_md5_einit(void *ctx, const unsigned char *key, size_t keylen, const unsigned char *iv, size_t ivlen, const OSSL_PARAM params[]) @@ -224,7 +214,6 @@ static int rc4_hmac_md5_get_params(OSSL_PARAM params[]) const OSSL_DISPATCH ossl_rc4_hmac_ossl_md5_functions[] = { { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))rc4_hmac_md5_newctx }, { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))rc4_hmac_md5_freectx }, - { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))rc4_hmac_md5_dupctx }, { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))rc4_hmac_md5_einit }, { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))rc4_hmac_md5_dinit }, { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))rc4_hmac_md5_update }, -- Gitee From cac4e5627abfb00a4632555cf5d3c5904a743002 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 12 Sep 2023 18:54:53 +0200 Subject: [PATCH 27/50] Revert "implement dupctx for chacha20_poly1305" This reverts commit 603b4c332f817cfc14a0d8b30d1e5a198f575644. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22081) Signed-off-by: fly2x --- .../ciphers/cipher_chacha20_poly1305.c | 21 ------------------- 1 file changed, 21 deletions(-) diff --git a/providers/implementations/ciphers/cipher_chacha20_poly1305.c b/providers/implementations/ciphers/cipher_chacha20_poly1305.c index 2b271b1d94..abe670add7 100644 --- a/providers/implementations/ciphers/cipher_chacha20_poly1305.c +++ b/providers/implementations/ciphers/cipher_chacha20_poly1305.c @@ -23,7 +23,6 @@ static OSSL_FUNC_cipher_newctx_fn chacha20_poly1305_newctx; static OSSL_FUNC_cipher_freectx_fn chacha20_poly1305_freectx; -static OSSL_FUNC_cipher_dupctx_fn chacha20_poly1305_dupctx; static OSSL_FUNC_cipher_encrypt_init_fn chacha20_poly1305_einit; static OSSL_FUNC_cipher_decrypt_init_fn chacha20_poly1305_dinit; static OSSL_FUNC_cipher_get_params_fn chacha20_poly1305_get_params; @@ -59,25 +58,6 @@ static void *chacha20_poly1305_newctx(void *provctx) return ctx; } -static void *chacha20_poly1305_dupctx(void *provctx) -{ - PROV_CHACHA20_POLY1305_CTX *ctx = provctx; - PROV_CHACHA20_POLY1305_CTX *dctx = NULL; - - if (ctx == NULL) - return NULL; - dctx = OPENSSL_memdup(ctx, sizeof(*ctx)); - if (dctx != NULL && dctx->base.tlsmac != NULL && dctx->base.alloced) { - dctx->base.tlsmac = OPENSSL_memdup(dctx->base.tlsmac, - dctx->base.tlsmacsize); - if (dctx->base.tlsmac == NULL) { - OPENSSL_free(dctx); - dctx = NULL; - } - } - return dctx; -} - static void chacha20_poly1305_freectx(void *vctx) { PROV_CHACHA20_POLY1305_CTX *ctx = (PROV_CHACHA20_POLY1305_CTX *)vctx; @@ -330,7 +310,6 @@ static int chacha20_poly1305_final(void *vctx, unsigned char *out, size_t *outl, const OSSL_DISPATCH ossl_chacha20_ossl_poly1305_functions[] = { { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))chacha20_poly1305_newctx }, { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))chacha20_poly1305_freectx }, - { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))chacha20_poly1305_dupctx }, { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))chacha20_poly1305_einit }, { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))chacha20_poly1305_dinit }, { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))chacha20_poly1305_update }, -- Gitee From 48dca7f4835217411f8c69c93b407e8119504249 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 12 Sep 2023 18:54:54 +0200 Subject: [PATCH 28/50] Revert "implement dupctx for aes_WRAP methods" This reverts commit 819ae76bb76540a4321e548851e23099ddf71e8e. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22081) Signed-off-by: fly2x --- .../implementations/ciphers/cipher_aes_wrp.c | 21 ------------------- 1 file changed, 21 deletions(-) diff --git a/providers/implementations/ciphers/cipher_aes_wrp.c b/providers/implementations/ciphers/cipher_aes_wrp.c index 945bdc5a18..8bddf475e2 100644 --- a/providers/implementations/ciphers/cipher_aes_wrp.c +++ b/providers/implementations/ciphers/cipher_aes_wrp.c @@ -66,26 +66,6 @@ static void *aes_wrap_newctx(size_t kbits, size_t blkbits, return wctx; } -static void *aes_wrap_dupctx(void *wctx) -{ - PROV_AES_WRAP_CTX *ctx = wctx; - PROV_AES_WRAP_CTX *dctx = wctx; - - if (ctx == NULL) - return NULL; - dctx = OPENSSL_memdup(ctx, sizeof(*ctx)); - - if (dctx != NULL && dctx->base.tlsmac != NULL && dctx->base.alloced) { - dctx->base.tlsmac = OPENSSL_memdup(dctx->base.tlsmac, - dctx->base.tlsmacsize); - if (dctx->base.tlsmac == NULL) { - OPENSSL_free(dctx); - dctx = NULL; - } - } - return dctx; -} - static void aes_wrap_freectx(void *vctx) { PROV_AES_WRAP_CTX *wctx = (PROV_AES_WRAP_CTX *)vctx; @@ -301,7 +281,6 @@ static int aes_wrap_set_ctx_params(void *vctx, const OSSL_PARAM params[]) { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##mode##_cipher }, \ { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##mode##_final }, \ { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_##mode##_freectx }, \ - { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))aes_##mode##_dupctx }, \ { OSSL_FUNC_CIPHER_GET_PARAMS, \ (void (*)(void))aes_##kbits##_##fname##_get_params }, \ { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \ -- Gitee From 9ad92afe824016c05e4d15bc0fd1bcf944cd1313 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 12 Sep 2023 18:54:55 +0200 Subject: [PATCH 29/50] Revert "Add dupctx support to aead ciphers" This reverts commit a982016c56f8c631e0906b0a33f4feaf3d20a2ff. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22081) Signed-off-by: fly2x --- .../implementations/ciphers/cipher_aes_ccm.c | 20 ------------------- .../implementations/ciphers/cipher_aes_gcm.c | 9 --------- .../implementations/ciphers/cipher_aria_ccm.c | 9 --------- .../implementations/ciphers/cipher_aria_gcm.c | 9 --------- .../implementations/ciphers/cipher_sm4_ccm.c | 9 --------- .../implementations/ciphers/cipher_sm4_gcm.c | 9 --------- .../include/prov/ciphercommon_aead.h | 5 ----- 7 files changed, 70 deletions(-) diff --git a/providers/implementations/ciphers/cipher_aes_ccm.c b/providers/implementations/ciphers/cipher_aes_ccm.c index 3930f52d60..bb4b1e1e64 100644 --- a/providers/implementations/ciphers/cipher_aes_ccm.c +++ b/providers/implementations/ciphers/cipher_aes_ccm.c @@ -33,26 +33,6 @@ static void *aes_ccm_newctx(void *provctx, size_t keybits) return ctx; } -static void *aes_ccm_dupctx(void *provctx) -{ - PROV_AES_CCM_CTX *ctx = provctx; - PROV_AES_CCM_CTX *dupctx = NULL; - - if (ctx == NULL) - return NULL; - dupctx = OPENSSL_memdup(provctx, sizeof(*ctx)); - if (dupctx == NULL) - return NULL; - /* - * ossl_cm_initctx, via the ossl_prov_aes_hw_ccm functions assign a - * provctx->ccm.ks.ks to the ccm context key so we need to point it to - * the memduped copy - */ - dupctx->base.ccm_ctx.key = &dupctx->ccm.ks.ks; - - return dupctx; -} - static OSSL_FUNC_cipher_freectx_fn aes_ccm_freectx; static void aes_ccm_freectx(void *vctx) { diff --git a/providers/implementations/ciphers/cipher_aes_gcm.c b/providers/implementations/ciphers/cipher_aes_gcm.c index 0a15693cc1..0081ca6cd7 100644 --- a/providers/implementations/ciphers/cipher_aes_gcm.c +++ b/providers/implementations/ciphers/cipher_aes_gcm.c @@ -34,15 +34,6 @@ static void *aes_gcm_newctx(void *provctx, size_t keybits) return ctx; } -static void *aes_gcm_dupctx(void *provctx) -{ - PROV_AES_GCM_CTX *ctx = provctx; - - if (ctx == NULL) - return NULL; - return OPENSSL_memdup(ctx, sizeof(*ctx)); -} - static OSSL_FUNC_cipher_freectx_fn aes_gcm_freectx; static void aes_gcm_freectx(void *vctx) { diff --git a/providers/implementations/ciphers/cipher_aria_ccm.c b/providers/implementations/ciphers/cipher_aria_ccm.c index 39a96a6f14..d6b5517ee0 100644 --- a/providers/implementations/ciphers/cipher_aria_ccm.c +++ b/providers/implementations/ciphers/cipher_aria_ccm.c @@ -28,15 +28,6 @@ static void *aria_ccm_newctx(void *provctx, size_t keybits) return ctx; } -static void *aria_ccm_dupctx(void *provctx) -{ - PROV_ARIA_CCM_CTX *ctx = provctx; - - if (ctx == NULL) - return NULL; - return OPENSSL_memdup(ctx, sizeof(*ctx)); -} - static void aria_ccm_freectx(void *vctx) { PROV_ARIA_CCM_CTX *ctx = (PROV_ARIA_CCM_CTX *)vctx; diff --git a/providers/implementations/ciphers/cipher_aria_gcm.c b/providers/implementations/ciphers/cipher_aria_gcm.c index 6ffa0910fa..b412bd3202 100644 --- a/providers/implementations/ciphers/cipher_aria_gcm.c +++ b/providers/implementations/ciphers/cipher_aria_gcm.c @@ -27,15 +27,6 @@ static void *aria_gcm_newctx(void *provctx, size_t keybits) return ctx; } -static void *aria_gcm_dupctx(void *provctx) -{ - PROV_ARIA_GCM_CTX *ctx = provctx; - - if (ctx == NULL) - return NULL; - return OPENSSL_memdup(ctx, sizeof(*ctx)); -} - static OSSL_FUNC_cipher_freectx_fn aria_gcm_freectx; static void aria_gcm_freectx(void *vctx) { diff --git a/providers/implementations/ciphers/cipher_sm4_ccm.c b/providers/implementations/ciphers/cipher_sm4_ccm.c index fa4b216a02..38e75016e9 100644 --- a/providers/implementations/ciphers/cipher_sm4_ccm.c +++ b/providers/implementations/ciphers/cipher_sm4_ccm.c @@ -28,15 +28,6 @@ static void *sm4_ccm_newctx(void *provctx, size_t keybits) return ctx; } -static void *sm4_ccm_dupctx(void *provctx) -{ - PROV_SM4_CCM_CTX *ctx = provctx; - - if (ctx == NULL) - return NULL; - return OPENSSL_memdup(ctx, sizeof(*ctx)); -} - static void sm4_ccm_freectx(void *vctx) { PROV_SM4_CCM_CTX *ctx = (PROV_SM4_CCM_CTX *)vctx; diff --git a/providers/implementations/ciphers/cipher_sm4_gcm.c b/providers/implementations/ciphers/cipher_sm4_gcm.c index 88761a30f0..ce1aa2b07d 100644 --- a/providers/implementations/ciphers/cipher_sm4_gcm.c +++ b/providers/implementations/ciphers/cipher_sm4_gcm.c @@ -29,15 +29,6 @@ static void *sm4_gcm_newctx(void *provctx, size_t keybits) return ctx; } -static void *sm4_gcm_dupctx(void *provctx) -{ - PROV_SM4_GCM_CTX *ctx = provctx; - - if (ctx == NULL) - return NULL; - return OPENSSL_memdup(ctx, sizeof(*ctx)); -} - static void sm4_gcm_freectx(void *vctx) { PROV_SM4_GCM_CTX *ctx = (PROV_SM4_GCM_CTX *)vctx; diff --git a/providers/implementations/include/prov/ciphercommon_aead.h b/providers/implementations/include/prov/ciphercommon_aead.h index de3dd52ee7..1d017175d3 100644 --- a/providers/implementations/include/prov/ciphercommon_aead.h +++ b/providers/implementations/include/prov/ciphercommon_aead.h @@ -23,14 +23,9 @@ static void * alg##kbits##lc##_newctx(void *provctx) \ { \ return alg##_##lc##_newctx(provctx, kbits); \ } \ -static void * alg##kbits##lc##_dupctx(void *src) \ -{ \ - return alg##_##lc##_dupctx(src); \ -} \ const OSSL_DISPATCH ossl_##alg##kbits##lc##_functions[] = { \ { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))alg##kbits##lc##_newctx }, \ { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))alg##_##lc##_freectx }, \ - { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))alg##kbits##lc##_dupctx }, \ { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))ossl_##lc##_einit }, \ { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))ossl_##lc##_dinit }, \ { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))ossl_##lc##_stream_update }, \ -- Gitee From 9c27b6859cf18a56a2bbf77c884d0d6c8241a587 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 12 Sep 2023 18:54:55 +0200 Subject: [PATCH 30/50] Revert "make inability to dup/clone ciphers an error" This reverts commit d739b3e05e749d4310b7310c007a4f3b8d5f8556. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22081) Signed-off-by: fly2x --- test/evp_test.c | 28 ++++++---------------------- 1 file changed, 6 insertions(+), 22 deletions(-) diff --git a/test/evp_test.c b/test/evp_test.c index ce72998b7c..280e19c0b8 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -709,9 +709,6 @@ static int cipher_test_enc(EVP_TEST *t, int enc, int ok = 0, tmplen, chunklen, tmpflen, i; EVP_CIPHER_CTX *ctx_base = NULL; EVP_CIPHER_CTX *ctx = NULL, *duped; - int fips_dupctx_supported = (fips_provider_version_ge(libctx, 3, 0, 11) - && fips_provider_version_lt(libctx, 3, 1, 0)) - || fips_provider_version_ge(libctx, 3, 1, 3); t->err = "TEST_FAILURE"; if (!TEST_ptr(ctx_base = EVP_CIPHER_CTX_new())) @@ -842,30 +839,18 @@ static int cipher_test_enc(EVP_TEST *t, int enc, /* Test that the cipher dup functions correctly if it is supported */ ERR_set_mark(); - if (!EVP_CIPHER_CTX_copy(ctx, ctx_base)) { - if (fips_dupctx_supported) { - TEST_info("Doing a copy of Cipher %s Fails!\n", - EVP_CIPHER_get0_name(expected->cipher)); - ERR_print_errors_fp(stderr); - goto err; - } else { - TEST_info("Allowing copy fail as an old fips provider is in use."); - } + if (EVP_CIPHER_CTX_copy(ctx, ctx_base)) { + EVP_CIPHER_CTX_free(ctx_base); + ctx_base = NULL; + } else { + EVP_CIPHER_CTX_free(ctx); + ctx = ctx_base; } /* Likewise for dup */ duped = EVP_CIPHER_CTX_dup(ctx); if (duped != NULL) { EVP_CIPHER_CTX_free(ctx); ctx = duped; - } else { - if (fips_dupctx_supported) { - TEST_info("Doing a dup of Cipher %s Fails!\n", - EVP_CIPHER_get0_name(expected->cipher)); - ERR_print_errors_fp(stderr); - goto err; - } else { - TEST_info("Allowing dup fail as an old fips provider is in use."); - } } ERR_pop_to_mark(); @@ -1050,7 +1035,6 @@ static int cipher_test_run(EVP_TEST *t) int rv, frag = 0; size_t out_misalign, inp_misalign; - TEST_info("RUNNING TEST FOR CIPHER %s\n", EVP_CIPHER_get0_name(cdat->cipher)); if (!cdat->key) { t->err = "NO_KEY"; return 0; -- Gitee From 472b1f44492828a12269c6f0dadc77f9bc3d513d Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Mon, 11 Sep 2023 12:26:46 +0200 Subject: [PATCH 31/50] Fix memory leaks in ssl_old_test.c This fixes a few memory leaks reported in #22049. If SSL_CTX_set0_tmp_dh_pkey rejects the temp dh key due to security restrictions (even when @SECLEVEL=0 is used!) then the caller has to delete the PKEY object. That is different to how the deprecated SSL_CTX_set_tmp_dh_pkey was designed to work. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22060) (cherry picked from commit 21f0b80cd4b32ba80843b812b01a6056daf14093) Signed-off-by: fly2x --- test/ssl_old_test.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/test/ssl_old_test.c b/test/ssl_old_test.c index d09d5ab3a9..09c9706a7c 100644 --- a/test/ssl_old_test.c +++ b/test/ssl_old_test.c @@ -1525,8 +1525,10 @@ int main(int argc, char *argv[]) ERR_print_errors(bio_err); goto end; } - SSL_CTX_set0_tmp_dh_pkey(s_ctx, dhpkey); - SSL_CTX_set0_tmp_dh_pkey(s_ctx2, dhpkey); + if (!SSL_CTX_set0_tmp_dh_pkey(s_ctx, dhpkey)) + EVP_PKEY_free(dhpkey); + if (!SSL_CTX_set0_tmp_dh_pkey(s_ctx2, dhpkey)) + EVP_PKEY_free(dhpkey); } #endif -- Gitee From ff29cd651306ad2d7e800f5edd1981379099a311 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Tue, 5 Sep 2023 16:59:45 +0200 Subject: [PATCH 32/50] Fix engine cleanup error handling Error handling in engine_cleanup_add_first/last was broken and caused memory leaks. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21971) (cherry picked from commit 00f2efccf5b9671a7af2b12571068258e9c255a5) Signed-off-by: fly2x --- crypto/engine/eng_lib.c | 24 +++++++++++++++--------- crypto/engine/eng_list.c | 10 +++++++--- crypto/engine/eng_local.h | 4 ++-- crypto/engine/eng_table.c | 8 +++++--- 4 files changed, 29 insertions(+), 17 deletions(-) diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c index 68bed5a7d7..9ef71a21af 100644 --- a/crypto/engine/eng_lib.c +++ b/crypto/engine/eng_lib.c @@ -133,28 +133,34 @@ static ENGINE_CLEANUP_ITEM *int_cleanup_item(ENGINE_CLEANUP_CB *cb) return item; } -void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb) +int engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb) { ENGINE_CLEANUP_ITEM *item; if (!int_cleanup_check(1)) - return; + return 0; item = int_cleanup_item(cb); - if (item != NULL) - if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0) <= 0) - OPENSSL_free(item); + if (item != NULL) { + if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0)) + return 1; + OPENSSL_free(item); + } + return 0; } -void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb) +int engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb) { ENGINE_CLEANUP_ITEM *item; + if (!int_cleanup_check(1)) - return; + return 0; item = int_cleanup_item(cb); if (item != NULL) { - if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) <= 0) - OPENSSL_free(item); + if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) > 0) + return 1; + OPENSSL_free(item); } + return 0; } /* The API function that performs all cleanup */ diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c index 04c73c7628..d3bd0c0dc2 100644 --- a/crypto/engine/eng_list.c +++ b/crypto/engine/eng_list.c @@ -78,12 +78,16 @@ static int engine_list_add(ENGINE *e) ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INTERNAL_LIST_ERROR); return 0; } - engine_list_head = e; - e->prev = NULL; /* * The first time the list allocates, we should register the cleanup. */ - engine_cleanup_add_last(engine_list_cleanup); + if (!engine_cleanup_add_last(engine_list_cleanup)) { + CRYPTO_DOWN_REF(&e->struct_ref, &ref); + ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INTERNAL_LIST_ERROR); + return 0; + } + engine_list_head = e; + e->prev = NULL; } else { /* We are adding to the tail of an existing list. */ if ((engine_list_tail == NULL) || (engine_list_tail->next != NULL)) { diff --git a/crypto/engine/eng_local.h b/crypto/engine/eng_local.h index c0b9df0f5d..261f7b8b08 100644 --- a/crypto/engine/eng_local.h +++ b/crypto/engine/eng_local.h @@ -46,8 +46,8 @@ typedef struct st_engine_cleanup_item { ENGINE_CLEANUP_CB *cb; } ENGINE_CLEANUP_ITEM; DEFINE_STACK_OF(ENGINE_CLEANUP_ITEM) -void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb); -void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb); +int engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb); +int engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb); /* We need stacks of ENGINEs for use in eng_table.c */ DEFINE_STACK_OF(ENGINE) diff --git a/crypto/engine/eng_table.c b/crypto/engine/eng_table.c index d6a7452c76..6628c612b9 100644 --- a/crypto/engine/eng_table.c +++ b/crypto/engine/eng_table.c @@ -93,9 +93,11 @@ int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup, added = 1; if (!int_table_check(table, 1)) goto end; - if (added) - /* The cleanup callback needs to be added */ - engine_cleanup_add_first(cleanup); + /* The cleanup callback needs to be added */ + if (added && !engine_cleanup_add_first(cleanup)) { + lh_ENGINE_PILE_free(&(*table)->piles); + *table = NULL; + } while (num_nids--) { tmplate.nid = *nids; fnd = lh_ENGINE_PILE_retrieve(&(*table)->piles, &tmplate); -- Gitee From 5eb2cfaa73ff86669bcf336ffd54ea2286e8ffb4 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Fri, 15 Sep 2023 09:56:01 +0200 Subject: [PATCH 33/50] Fix a merge mistake in engne_list_add master version increments the struct_ref early and needs to decrement the struct_ref on error, while 3.1 and 3.0 increment the struct_ref later. Reviewed-by: Tom Cosgrove Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22115) Signed-off-by: fly2x --- crypto/engine/eng_list.c | 1 - 1 file changed, 1 deletion(-) diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c index d3bd0c0dc2..d9e620dc58 100644 --- a/crypto/engine/eng_list.c +++ b/crypto/engine/eng_list.c @@ -82,7 +82,6 @@ static int engine_list_add(ENGINE *e) * The first time the list allocates, we should register the cleanup. */ if (!engine_cleanup_add_last(engine_list_cleanup)) { - CRYPTO_DOWN_REF(&e->struct_ref, &ref); ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INTERNAL_LIST_ERROR); return 0; } -- Gitee From 35c1e79de9b4662d2d442de694542cc01501c364 Mon Sep 17 00:00:00 2001 From: Olga Batyshkina Date: Mon, 7 Aug 2023 15:14:53 +0200 Subject: [PATCH 34/50] Fix PKCS#12 creation error when certificate contains auxiliary data Prefer friendly name passed by the caller and calculated local key id to ones found in certificate auxiliary data when creating PKCS#12. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21675) (cherry picked from commit 388a8e731445d190a46ec27b2ff5b4bf334d526b) Signed-off-by: fly2x --- crypto/pkcs12/p12_crt.c | 62 ++++++++++++++++++++++++------------ test/pkcs12_format_test.c | 66 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 108 insertions(+), 20 deletions(-) diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c index 00c7129746..b92a16cec3 100644 --- a/crypto/pkcs12/p12_crt.c +++ b/crypto/pkcs12/p12_crt.c @@ -14,6 +14,12 @@ static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag); +static PKCS12_SAFEBAG *pkcs12_add_cert_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, + X509 *cert, + const char *name, + int namelen, + unsigned char *keyid, + int keyidlen); static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid) { @@ -40,6 +46,9 @@ PKCS12 *PKCS12_create_ex(const char *pass, const char *name, EVP_PKEY *pkey, int i; unsigned char keyid[EVP_MAX_MD_SIZE]; unsigned int keyidlen = 0; + int namelen = -1; + unsigned char *pkeyid = NULL; + int pkeyidlen = -1; /* Set defaults */ if (nid_cert == NID_undef) @@ -64,11 +73,16 @@ PKCS12 *PKCS12_create_ex(const char *pass, const char *name, EVP_PKEY *pkey, } if (cert) { - bag = PKCS12_add_cert(&bags, cert); - if (name && !PKCS12_add_friendlyname(bag, name, -1)) - goto err; - if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) - goto err; + if (name == NULL) + name = (char *)X509_alias_get0(cert, &namelen); + if (keyidlen > 0) { + pkeyid = keyid; + pkeyidlen = keyidlen; + } else { + pkeyid = X509_keyid_get0(cert, &pkeyidlen); + } + + bag = pkcs12_add_cert_bag(&bags, cert, name, namelen, pkeyid, pkeyidlen); } /* Add all other certificates */ @@ -139,30 +153,23 @@ PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 * iter, mac_iter, keytype, NULL, NULL); } -PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert) +static PKCS12_SAFEBAG *pkcs12_add_cert_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, + X509 *cert, + const char *name, + int namelen, + unsigned char *keyid, + int keyidlen) { PKCS12_SAFEBAG *bag = NULL; - char *name; - int namelen = -1; - unsigned char *keyid; - int keyidlen = -1; /* Add user certificate */ if ((bag = PKCS12_SAFEBAG_create_cert(cert)) == NULL) goto err; - /* - * Use friendlyName and localKeyID in certificate. (if present) - */ - - name = (char *)X509_alias_get0(cert, &namelen); - - if (name && !PKCS12_add_friendlyname(bag, name, namelen)) + if (name != NULL && !PKCS12_add_friendlyname(bag, name, namelen)) goto err; - keyid = X509_keyid_get0(cert, &keyidlen); - - if (keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) + if (keyid != NULL && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) goto err; if (!pkcs12_add_bag(pbags, bag)) @@ -173,7 +180,22 @@ PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert) err: PKCS12_SAFEBAG_free(bag); return NULL; +} + +PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert) +{ + char *name = NULL; + int namelen = -1; + unsigned char *keyid = NULL; + int keyidlen = -1; + + /* + * Use friendlyName and localKeyID in certificate. (if present) + */ + name = (char *)X509_alias_get0(cert, &namelen); + keyid = X509_keyid_get0(cert, &keyidlen); + return pkcs12_add_cert_bag(pbags, cert, name, namelen, keyid, keyidlen); } PKCS12_SAFEBAG *PKCS12_add_key_ex(STACK_OF(PKCS12_SAFEBAG) **pbags, diff --git a/test/pkcs12_format_test.c b/test/pkcs12_format_test.c index 5597250a25..30bd881a46 100644 --- a/test/pkcs12_format_test.c +++ b/test/pkcs12_format_test.c @@ -790,6 +790,70 @@ err: } #endif +static int pkcs12_recreate_test(void) +{ + int ret = 0; + X509 *cert = NULL; + X509 *cert_parsed = NULL; + EVP_PKEY *pkey = NULL; + EVP_PKEY *pkey_parsed = NULL; + PKCS12 *p12 = NULL; + PKCS12 *p12_parsed = NULL; + PKCS12 *p12_recreated = NULL; + const unsigned char *cert_bytes = CERT1; + const unsigned char *key_bytes = KEY1; + BIO *bio = NULL; + + cert = d2i_X509(NULL, &cert_bytes, sizeof(CERT1)); + if (!TEST_ptr(cert)) + goto err; + pkey = d2i_AutoPrivateKey(NULL, &key_bytes, sizeof(KEY1)); + if (!TEST_ptr(pkey)) + goto err; + p12 = PKCS12_create("pass", NULL, pkey, cert, NULL, NID_aes_256_cbc, + NID_aes_256_cbc, 2, 1, 0); + if (!TEST_ptr(p12)) + goto err; + if (!TEST_int_eq(ERR_peek_error(), 0)) + goto err; + + bio = BIO_new(BIO_s_mem()); + if (!TEST_ptr(bio)) + goto err; + if (!TEST_int_eq(i2d_PKCS12_bio(bio, p12), 1)) + goto err; + p12_parsed = PKCS12_init_ex(NID_pkcs7_data, testctx, NULL); + if (!TEST_ptr(p12_parsed)) + goto err; + p12_parsed = d2i_PKCS12_bio(bio, &p12_parsed); + if (!TEST_ptr(p12_parsed)) + goto err; + if (!TEST_int_eq(PKCS12_parse(p12_parsed, "pass", &pkey_parsed, + &cert_parsed, NULL), 1)) + goto err; + + /* cert_parsed also contains auxiliary data */ + p12_recreated = PKCS12_create("new_pass", NULL, pkey_parsed, cert_parsed, + NULL, NID_aes_256_cbc, NID_aes_256_cbc, + 2, 1, 0); + if (!TEST_ptr(p12_recreated)) + goto err; + if (!TEST_int_eq(ERR_peek_error(), 0)) + goto err; + + ret = 1; +err: + BIO_free(bio); + PKCS12_free(p12); + PKCS12_free(p12_parsed); + PKCS12_free(p12_recreated); + EVP_PKEY_free(pkey); + EVP_PKEY_free(pkey_parsed); + X509_free(cert); + X509_free(cert_parsed); + return ret; +} + typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, @@ -871,6 +935,8 @@ int setup_tests(void) if (default_libctx) ADD_TEST(pkcs12_create_test); #endif + if (default_libctx) + ADD_TEST(pkcs12_recreate_test); ADD_ALL_TESTS(test_single_key_enc_pass, OSSL_NELEM(passwords)); ADD_ALL_TESTS(test_single_key_enc_iter, OSSL_NELEM(iters)); ADD_TEST(test_single_key_with_attrs); -- Gitee From 7ccedaa4ddc2353cb68a437b4e4e124f96b3e095 Mon Sep 17 00:00:00 2001 From: Sumitra Sharma Date: Tue, 12 Sep 2023 12:00:21 +0530 Subject: [PATCH 35/50] Enhance code safety and readability in SSL_get_shared_ciphers() This commit introduces two key improvements: 1. Improve code safety by replacing the conditional statement with `if (n >= size)` and using OPENSSL_strnlen() instead of strlen(). This change ensures proper buffer size handling and adheres to secure coding practices. 2. Enhance code readability by substituting `strcpy(p, c->name)` with `memcpy(p, c->name, n)`. This adjustment prioritizes code clarity and maintenance, even while mitigating a minimal buffer overflow risk. These enhancements bolster the code's robustness and comprehensibility, aligning with secure coding principles and best practices. Fixes #19837 Signed-off-by: Sumitra Sharma Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21934) (cherry picked from commit 2743594d73e65c38375c619e89ec62579e2c24a9) Signed-off-by: fly2x --- ssl/ssl_lib.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 148af9f5c0..f87c9e2ea8 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2810,14 +2810,14 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size) if (sk_SSL_CIPHER_find(srvrsk, c) < 0) continue; - n = strlen(c->name); - if (n + 1 > size) { + n = OPENSSL_strnlen(c->name, size); + if (n >= size) { if (p != buf) --p; *p = '\0'; return buf; } - strcpy(p, c->name); + memcpy(p, c->name, n); p += n; *(p++) = ':'; size -= n + 1; -- Gitee From e176712ca87721588f21f9d2b2c3d0a9cf0d570f Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sat, 3 Jun 2023 17:15:06 +0200 Subject: [PATCH 36/50] CMP doc: various small corrections, mostly on PBM vs. MAC-based protection Reviewed-by: Paul Dale Reviewed-by: Matt Caswell Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/21138) (cherry picked from commit 4a1073981fcff530d3f810b536514eb45d5d0bae) Signed-off-by: fly2x --- doc/man1/openssl-cmp.pod.in | 24 +++++++++++++----------- doc/man3/OSSL_CMP_CTX_new.pod | 28 ++++++++++++++-------------- doc/man3/OSSL_CMP_exec_certreq.pod | 6 +++--- 3 files changed, 30 insertions(+), 28 deletions(-) diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 403d28d281..86625d42cf 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -659,11 +659,12 @@ is typically used when authenticating with pre-shared key (password-based MAC). =item B<-secret> I -Prefer PBM-based message protection with given source of a secret value. -The secret is used for creating PBM-based protection of outgoing messages -and (as far as needed) for validating PBM-based protection of incoming messages. -PBM stands for Password-Based Message Authentication Code. +Provides the source of a secret value to use with MAC-based message protection. This takes precedence over the B<-cert> and B<-key> options. +The secret is used for creating MAC-based protection of outgoing messages +and for validating incoming messages that have MAC-based protection. +The algorithm used by default is Password-Based Message Authentication Code (PBM) +as defined in RFC 4210 section 5.1.3.1. For more information about the format of I see L. @@ -682,7 +683,8 @@ while the subject of B<-oldcert> or B<-subjectName> may provide fallback values. The issuer of this certificate is used as one of the recipient fallback values and as fallback issuer entry in the certificate template of IR/CR/KUR messages. -When using signature-based message protection, this "protection certificate" +When performing signature-based message protection, +this "protection certificate", also called "signer certificate", will be included first in the extraCerts field of outgoing messages and the signature is done with the corresponding key. In Initialization Request (IR) messages this can be used for authenticating @@ -713,8 +715,8 @@ have no effect on the certificate verification enabled via this option. The corresponding private key file for the client's current certificate given in the B<-cert> option. -This will be used for signature-based message protection unless -the B<-secret> option indicating PBM or B<-unprotected_requests> is given. +This will be used for signature-based message protection unless the B<-secret> +option indicating MAC-based protection or B<-unprotected_requests> is given. It is also used as a fallback for the B<-newkey> option with IR/CR/KUR messages. @@ -730,7 +732,7 @@ L. =item B<-digest> I Specifies name of supported digest to use in RFC 4210's MSG_SIG_ALG -and as the one-way function (OWF) in MSG_MAC_ALG. +and as the one-way function (OWF) in C. If applicable, this is used for message protection and proof-of-possession (POPO) signatures. To see the list of supported digests, use C. @@ -738,7 +740,7 @@ Defaults to C. =item B<-mac> I -Specifies the name of the MAC algorithm in MSG_MAC_ALG. +Specifies the name of the MAC algorithm in C. To get the names of supported MAC algorithms use C and possibly combine such a name with the name of a supported digest algorithm, e.g., hmacWithSHA256. @@ -1170,7 +1172,7 @@ In order to update the enrolled certificate one may call openssl cmp -section insta,kur -using with PBM-based protection or +using MAC-based protection with PBM or openssl cmp -section insta,kur,signature @@ -1229,7 +1231,7 @@ Then it can start using the new cert and key. -newkey cl_key_new.pem -certout cl_cert.pem cp cl_key_new.pem cl_key.pem -This command sequence can be repated as often as needed. +This command sequence can be repeated as often as needed. =head2 Requesting information from CMP server diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index 41d334887f..ce7db8f2f0 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -260,12 +260,12 @@ The following options can be set: =item B The NID of the digest algorithm to be used as one-way function (OWF) - in RFC 4210's MSG_MAC_ALG for PBM-based message protection. + for MAC-based message protection with password-based MAC (PBM). + See RFC 4210 section 5.1.3.1 for details. Default is SHA256. =item B - The NID of the MAC algorithm to be used in RFC 4210's MSG_MAC_ALG - for PBM-based message protection. + The NID of the MAC algorithm to be used for message protection with PBM. Default is HMAC-SHA1 as per RFC 4210. =item B @@ -450,8 +450,8 @@ The reference counts of those certificates handled successfully are increased. OSSL_CMP_CTX_get0_untrusted(OSSL_CMP_CTX *ctx) returns a pointer to the list of untrusted certs, which may be empty if unset. -OSSL_CMP_CTX_set1_cert() sets the CMP signer certificate -related to the private key used for CMP message protection. +OSSL_CMP_CTX_set1_cert() sets the CMP signer certificate, also called protection +certificate, related to the private key for signature-based message protection. Therefore the public key of this I must correspond to the private key set before or thereafter via OSSL_CMP_CTX_set1_pkey(). When using signature-based protection of CMP request messages @@ -481,15 +481,15 @@ OSSL_CMP_CTX_set1_pkey() sets the client's private key corresponding to the CMP signer certificate set via OSSL_CMP_CTX_set1_cert(). This key is used create signature-based protection (protectionAlg = MSG_SIG_ALG) of outgoing messages -unless a PBM secret has been set via OSSL_CMP_CTX_set1_secretValue(). +unless a symmetric secret has been set via OSSL_CMP_CTX_set1_secretValue(). The I argument may be NULL to clear the entry. -OSSL_CMP_CTX_set1_secretValue() sets the byte string I with length I -as PBM secret in the given I or clears it if the I argument is NULL. -If present, this secret is used to create PBM-based protection of outgoing -messages and to verify any PBM-based protection of incoming messages -(protectionAlg = MSG_MAC_ALG). PBM stands for Password-Based MAC. -PBM-based protection takes precedence over signature-based protection. +OSSL_CMP_CTX_set1_secretValue() sets in I the byte string I of length +I to use as pre-shared secret, or clears it if the I argument is NULL. +If present, this secret is used to create MAC-based authentication and integrity +protection (rather than applying signature-based protection) +of outgoing messages and to verify authenticity and integrity of incoming +messages that have MAC-based protection (protectionAlg = C). OSSL_CMP_CTX_set1_referenceValue() sets the given referenceValue I with length I in the given I or clears it if the I argument is NULL. @@ -500,7 +500,7 @@ then the sender field will contain the NULL-DN and the senderKID field of the CMP message header must be set. When signature-based protection is used the senderKID will be set to the subjectKeyIdentifier of the CMP signer certificate as far as present. -If not present or when PBM-based protection is used +If not present or when MAC-based protection is used the I value is taken as the fallback value for the senderKID. OSSL_CMP_CTX_set1_recipient() sets the recipient name that will be used in the @@ -731,7 +731,7 @@ Set up a CMP client context for sending requests and verifying responses: OSSL_CMP_CTX_set1_serverPath(cmp_ctx, path_or_alias); OSSL_CMP_CTX_set0_trustedStore(cmp_ctx, ts); -Set up client credentials for password-based protection (PBM): +Set up symmetric credentials for MAC-based message protection such as PBM: OSSL_CMP_CTX_set1_referenceValue(cmp_ctx, ref, ref_len); OSSL_CMP_CTX_set1_secretValue(cmp_ctx, sec, sec_len); diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod index 3df517677c..4fa224fda7 100644 --- a/doc/man3/OSSL_CMP_exec_certreq.pod +++ b/doc/man3/OSSL_CMP_exec_certreq.pod @@ -42,7 +42,7 @@ client-server transactions, i.e., sequences of CMP requests and responses. All functions take a populated OSSL_CMP_CTX structure as their first argument. Usually the server name, port, and path ("CMP alias") need to be set, as well as -credentials the client can use for authenticating itself to the client. +credentials the client can use for authenticating itself to the server. In order to authenticate the server the client typically needs a trust store. The functions return their respective main results directly, while there are also accessor functions for retrieving various results and status information @@ -72,7 +72,7 @@ and need to be filled in using L, L, L, etc. For P10CR, L needs to be used instead. The enrollment session may be blocked by sleeping until the addressed -CA (or an intermedate PKI component) can fully process and answer the request. +CA (or an intermediate PKI component) can fully process and answer the request. OSSL_CMP_try_certreq() is an alternative to the above functions that is more flexible regarding what to do after receiving a checkAfter value. @@ -119,7 +119,7 @@ See RFC 4210 section 5.3.19 and appendix E.5 for details. CMP is defined in RFC 4210 (and CRMF in RFC 4211). -So far the CMP client implementation is limited to one request per CMP message +The CMP client implementation is limited to one request per CMP message (and consequently to at most one response component per CMP message). =head1 RETURN VALUES -- Gitee From 8504f830071e79136f7dbb49c9e4fcbbfe5319d8 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sat, 3 Jun 2023 17:17:14 +0200 Subject: [PATCH 37/50] CMP app and API doc: add note on critical server auth on receiving trust anchor certs Reviewed-by: Paul Dale Reviewed-by: Matt Caswell Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/21138) (cherry picked from commit 5e721ecee5a8c9c27e392fb3770d221709bde1a7) Signed-off-by: fly2x --- doc/man1/openssl-cmp.pod.in | 7 +++++++ doc/man3/OSSL_CMP_exec_certreq.pod | 8 ++++++++ 2 files changed, 15 insertions(+) diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 86625d42cf..70a509979b 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -1099,6 +1099,13 @@ only affect the certificate verification enabled via the B<-out_trusted> option. =head1 NOTES +When a client obtains from a CMP server CA certificates that it is going to +trust, for instance via the C field of a certificate response, +authentication of the CMP server is particularly critical. +So special care must be taken setting up server authentication +using B<-trusted> and related options for certificate-based authentication +or B<-secret> for MAC-based protection. + When setting up CMP configurations and experimenting with enrollment options typically various errors occur until the configuration is correct and complete. When the CMP server reports an error the client will by default diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod index 4fa224fda7..6ba62723f5 100644 --- a/doc/man3/OSSL_CMP_exec_certreq.pod +++ b/doc/man3/OSSL_CMP_exec_certreq.pod @@ -122,6 +122,14 @@ CMP is defined in RFC 4210 (and CRMF in RFC 4211). The CMP client implementation is limited to one request per CMP message (and consequently to at most one response component per CMP message). +When a client obtains from a CMP server CA certificates that it is going to +trust, for instance via the caPubs field of a certificate response, +authentication of the CMP server is particularly critical. +So special care must be taken setting up server authentication in I +using functions such as +L (for certificate-based authentication) or +L (for MAC-based protection). + =head1 RETURN VALUES OSSL_CMP_exec_certreq(), OSSL_CMP_exec_IR_ses(), OSSL_CMP_exec_CR_ses(), -- Gitee From 181ff306285cbd873035931519c4af894a04fa5b Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Tue, 19 Sep 2023 14:57:48 +0200 Subject: [PATCH 38/50] Copyright year updates Reviewed-by: Matt Caswell Release: yes Signed-off-by: fly2x --- .github/workflows/compiler-zoo.yml | 2 +- .github/workflows/coveralls.yml | 2 +- .github/workflows/fips-checksums.yml | 2 +- .github/workflows/fips-old.yml | 2 +- .github/workflows/fuzz-checker.yml | 2 +- .github/workflows/run-checker-ci.yml | 2 +- .github/workflows/run-checker-daily.yml | 2 +- .github/workflows/run-checker-merge.yml | 2 +- .github/workflows/windows.yml | 2 +- README.md | 2 +- crypto/aes/asm/vpaes-loongarch64.pl | 2 +- crypto/arm_arch.h | 2 +- crypto/armv4cpuid.pl | 2 +- crypto/asn1/a_strnid.c | 2 +- crypto/asn1/asn1_gen.c | 2 +- crypto/bn/asm/armv4-gf2m.pl | 2 +- crypto/bn/asm/armv4-mont.pl | 2 +- crypto/chacha/asm/chacha-armv4.pl | 2 +- crypto/cmp/cmp_asn.c | 2 +- crypto/cmp/cmp_status.c | 2 +- crypto/cms/cms_local.h | 2 +- crypto/cms/cms_sd.c | 2 +- crypto/ec/ec_key.c | 2 +- crypto/encode_decode/decoder_lib.c | 2 +- crypto/encode_decode/decoder_pkey.c | 2 +- crypto/encode_decode/encoder_pkey.c | 2 +- crypto/engine/eng_list.c | 2 +- crypto/engine/eng_local.h | 2 +- crypto/engine/eng_table.c | 2 +- crypto/mem.c | 2 +- crypto/pem/pem_pkey.c | 2 +- crypto/perlasm/arm-xlate.pl | 2 +- crypto/pkcs12/p12_crt.c | 2 +- crypto/poly1305/asm/poly1305-armv4.pl | 2 +- crypto/poly1305/asm/poly1305-x86_64.pl | 2 +- crypto/provider_core.c | 2 +- crypto/sha/asm/sha1-armv4-large.pl | 2 +- crypto/sha/asm/sha256-armv4.pl | 2 +- crypto/sha/asm/sha512-armv4.pl | 2 +- crypto/srp/srp_vfy.c | 2 +- crypto/store/store_lib.c | 2 +- crypto/threads_pthread.c | 2 +- doc/man1/openssl-cms.pod.in | 2 +- doc/man1/openssl-ts.pod.in | 2 +- doc/man3/BIO_s_mem.pod | 2 +- doc/man3/CMS_sign.pod | 2 +- doc/man3/EVP_MAC.pod | 2 +- doc/man3/EVP_SIGNATURE.pod | 2 +- doc/man3/OSSL_CMP_exec_certreq.pod | 2 +- doc/man3/OSSL_HTTP_REQ_CTX.pod | 2 +- doc/man3/OSSL_HTTP_transfer.pod | 2 +- doc/man3/PKCS12_create.pod | 2 +- doc/man3/PKCS12_gen_mac.pod | 2 +- doc/man3/SSL_new.pod | 2 +- doc/man3/d2i_RSAPrivateKey.pod | 2 +- doc/man5/x509v3_config.pod | 2 +- doc/man7/EVP_KDF-PKCS12KDF.pod | 2 +- fuzz/x509.c | 2 +- providers/implementations/ciphers/cipher_chacha20.c | 2 +- providers/implementations/encode_decode/decode_msblob2key.c | 2 +- providers/implementations/encode_decode/decode_pvk2key.c | 2 +- providers/implementations/encode_decode/encode_key2any.c | 2 +- providers/implementations/keymgmt/ecx_kmgmt.c | 2 +- providers/implementations/keymgmt/mac_legacy_kmgmt.c | 2 +- ssl/ssl_lib.c | 2 +- ssl/statem/extensions_srvr.c | 2 +- test/chacha_internal_test.c | 2 +- test/cmsapitest.c | 2 +- test/endecode_test.c | 2 +- test/pbetest.c | 2 +- test/pkcs12_format_test.c | 2 +- test/provider_internal_test.c | 2 +- test/recipes/15-test_rsapss.t | 2 +- test/recipes/25-test_req.t | 2 +- test/recipes/30-test_defltfips.t | 2 +- test/recipes/30-test_evp.t | 2 +- test/recipes/99-test_fuzz_x509.t | 2 +- test/ssl_old_test.c | 2 +- test/testutil/main.c | 2 +- 79 files changed, 79 insertions(+), 79 deletions(-) diff --git a/.github/workflows/compiler-zoo.yml b/.github/workflows/compiler-zoo.yml index 4f17322ec5..9932b39f95 100644 --- a/.github/workflows/compiler-zoo.yml +++ b/.github/workflows/compiler-zoo.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml index 5aa595ce8d..bcdcab45c7 100644 --- a/.github/workflows/coveralls.yml +++ b/.github/workflows/coveralls.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/fips-checksums.yml b/.github/workflows/fips-checksums.yml index 002494f58c..1b56755bfb 100644 --- a/.github/workflows/fips-checksums.yml +++ b/.github/workflows/fips-checksums.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/fips-old.yml b/.github/workflows/fips-old.yml index 3589c83266..88c6fe281f 100644 --- a/.github/workflows/fips-old.yml +++ b/.github/workflows/fips-old.yml @@ -1,4 +1,4 @@ -# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/fuzz-checker.yml b/.github/workflows/fuzz-checker.yml index ce6d894a98..3e84fdbac6 100644 --- a/.github/workflows/fuzz-checker.yml +++ b/.github/workflows/fuzz-checker.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml index 73ee5f1f80..101c44f1b2 100644 --- a/.github/workflows/run-checker-ci.yml +++ b/.github/workflows/run-checker-ci.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml index 8b7252b128..1716ed3327 100644 --- a/.github/workflows/run-checker-daily.yml +++ b/.github/workflows/run-checker-daily.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml index 14dfa7c2d4..7154b6b62d 100644 --- a/.github/workflows/run-checker-merge.yml +++ b/.github/workflows/run-checker-merge.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 8c518d17d9..10005d3522 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/README.md b/README.md index f542b722df..cc7acd8154 100644 --- a/README.md +++ b/README.md @@ -166,7 +166,7 @@ attempting to develop or distribute cryptographic code. Copyright ========= -Copyright (c) 1998-2022 The OpenSSL Project +Copyright (c) 1998-2023 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/crypto/aes/asm/vpaes-loongarch64.pl b/crypto/aes/asm/vpaes-loongarch64.pl index 2f6abba1b7..c85ec40db2 100644 --- a/crypto/aes/asm/vpaes-loongarch64.pl +++ b/crypto/aes/asm/vpaes-loongarch64.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/arm_arch.h b/crypto/arm_arch.h index ce9f31b0c5..7d35a19d1d 100644 --- a/crypto/arm_arch.h +++ b/crypto/arm_arch.h @@ -1,5 +1,5 @@ /* - * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/armv4cpuid.pl b/crypto/armv4cpuid.pl index 78dc90c520..04b342551c 100644 --- a/crypto/armv4cpuid.pl +++ b/crypto/armv4cpuid.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/asn1/a_strnid.c b/crypto/asn1/a_strnid.c index c960daf5cb..d052935661 100644 --- a/crypto/asn1/a_strnid.c +++ b/crypto/asn1/a_strnid.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/asn1/asn1_gen.c b/crypto/asn1/asn1_gen.c index 5a15c6a5d9..402ab34e6a 100644 --- a/crypto/asn1/asn1_gen.c +++ b/crypto/asn1/asn1_gen.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/asm/armv4-gf2m.pl b/crypto/bn/asm/armv4-gf2m.pl index b0b87ef611..17af0e0774 100644 --- a/crypto/bn/asm/armv4-gf2m.pl +++ b/crypto/bn/asm/armv4-gf2m.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/asm/armv4-mont.pl b/crypto/bn/asm/armv4-mont.pl index ab69c2186b..d85da92406 100644 --- a/crypto/bn/asm/armv4-mont.pl +++ b/crypto/bn/asm/armv4-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/chacha/asm/chacha-armv4.pl b/crypto/chacha/asm/chacha-armv4.pl index 3fdecf2d28..ac32d5bda7 100755 --- a/crypto/chacha/asm/chacha-armv4.pl +++ b/crypto/chacha/asm/chacha-armv4.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c index 5c47a1a067..a8de73ad97 100644 --- a/crypto/cmp/cmp_asn.c +++ b/crypto/cmp/cmp_asn.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * diff --git a/crypto/cmp/cmp_status.c b/crypto/cmp/cmp_status.c index 637b041911..68144aa4fe 100644 --- a/crypto/cmp/cmp_status.c +++ b/crypto/cmp/cmp_status.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * diff --git a/crypto/cms/cms_local.h b/crypto/cms/cms_local.h index 7dd9891520..c262a906f8 100644 --- a/crypto/cms/cms_local.h +++ b/crypto/cms/cms_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index e7028d6736..6af8fa313b 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index 7b9d95c65b..901630dad5 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/crypto/encode_decode/decoder_lib.c b/crypto/encode_decode/decoder_lib.c index 653c1ed658..952d55b96d 100644 --- a/crypto/encode_decode/decoder_lib.c +++ b/crypto/encode_decode/decoder_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/encode_decode/decoder_pkey.c b/crypto/encode_decode/decoder_pkey.c index fa66cbe735..5afad9bd88 100644 --- a/crypto/encode_decode/decoder_pkey.c +++ b/crypto/encode_decode/decoder_pkey.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/encode_decode/encoder_pkey.c b/crypto/encode_decode/encoder_pkey.c index 24b16f5a55..7b9584953d 100644 --- a/crypto/encode_decode/encoder_pkey.c +++ b/crypto/encode_decode/encoder_pkey.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c index d9e620dc58..f2eed3b071 100644 --- a/crypto/engine/eng_list.c +++ b/crypto/engine/eng_list.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/crypto/engine/eng_local.h b/crypto/engine/eng_local.h index 261f7b8b08..a3e637a4d2 100644 --- a/crypto/engine/eng_local.h +++ b/crypto/engine/eng_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/crypto/engine/eng_table.c b/crypto/engine/eng_table.c index 6628c612b9..3138a15260 100644 --- a/crypto/engine/eng_table.c +++ b/crypto/engine/eng_table.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/mem.c b/crypto/mem.c index e146f31b21..40e4e90dd8 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c index 7822b8b00b..4deee46ce5 100644 --- a/crypto/pem/pem_pkey.c +++ b/crypto/pem/pem_pkey.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/perlasm/arm-xlate.pl b/crypto/perlasm/arm-xlate.pl index ac77fc6ebd..3bdae9c0c7 100755 --- a/crypto/perlasm/arm-xlate.pl +++ b/crypto/perlasm/arm-xlate.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c index b92a16cec3..26a444f868 100644 --- a/crypto/pkcs12/p12_crt.c +++ b/crypto/pkcs12/p12_crt.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/poly1305/asm/poly1305-armv4.pl b/crypto/poly1305/asm/poly1305-armv4.pl index 7cc681838d..b98beefa18 100755 --- a/crypto/poly1305/asm/poly1305-armv4.pl +++ b/crypto/poly1305/asm/poly1305-armv4.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/poly1305-x86_64.pl index 24bab9d0bc..4cddca1c51 100755 --- a/crypto/poly1305/asm/poly1305-x86_64.pl +++ b/crypto/poly1305/asm/poly1305-x86_64.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/provider_core.c b/crypto/provider_core.c index fbda28f16e..adba486532 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/sha/asm/sha1-armv4-large.pl b/crypto/sha/asm/sha1-armv4-large.pl index ec7195a070..2832c5b530 100644 --- a/crypto/sha/asm/sha1-armv4-large.pl +++ b/crypto/sha/asm/sha1-armv4-large.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/sha/asm/sha256-armv4.pl b/crypto/sha/asm/sha256-armv4.pl index 0ac72bda63..8bac84b1a8 100644 --- a/crypto/sha/asm/sha256-armv4.pl +++ b/crypto/sha/asm/sha256-armv4.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/sha/asm/sha512-armv4.pl b/crypto/sha/asm/sha512-armv4.pl index 5579cda6e9..c8b8110671 100644 --- a/crypto/sha/asm/sha512-armv4.pl +++ b/crypto/sha/asm/sha512-armv4.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index edcfb0c76e..96d511ffe6 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2004, EdelKey Project. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c index 428ac64748..b14db063f8 100644 --- a/crypto/store/store_lib.c +++ b/crypto/store/store_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/threads_pthread.c b/crypto/threads_pthread.c index ec4cddb3af..801855c930 100644 --- a/crypto/threads_pthread.c +++ b/crypto/threads_pthread.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index a97eea0d71..65a61ee97f 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -902,7 +902,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in index 0f9049d2a4..3e7f7c4be9 100644 --- a/doc/man1/openssl-ts.pod.in +++ b/doc/man1/openssl-ts.pod.in @@ -652,7 +652,7 @@ L =head1 COPYRIGHT -Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/BIO_s_mem.pod b/doc/man3/BIO_s_mem.pod index 31b2daf33d..3bbc3e7fcf 100644 --- a/doc/man3/BIO_s_mem.pod +++ b/doc/man3/BIO_s_mem.pod @@ -174,7 +174,7 @@ and BUF_MEM structure: =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/CMS_sign.pod b/doc/man3/CMS_sign.pod index a701c4d0fa..03bfc6fce1 100644 --- a/doc/man3/CMS_sign.pod +++ b/doc/man3/CMS_sign.pod @@ -132,7 +132,7 @@ The CMS_sign_ex() method was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod index 7e58d59255..56ac92a486 100644 --- a/doc/man3/EVP_MAC.pod +++ b/doc/man3/EVP_MAC.pod @@ -481,7 +481,7 @@ These functions were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_SIGNATURE.pod b/doc/man3/EVP_SIGNATURE.pod index 8b44f883eb..1f534ef338 100644 --- a/doc/man3/EVP_SIGNATURE.pod +++ b/doc/man3/EVP_SIGNATURE.pod @@ -106,7 +106,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod index 6ba62723f5..0cabc3bad5 100644 --- a/doc/man3/OSSL_CMP_exec_certreq.pod +++ b/doc/man3/OSSL_CMP_exec_certreq.pod @@ -171,7 +171,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_HTTP_REQ_CTX.pod b/doc/man3/OSSL_HTTP_REQ_CTX.pod index ccce26ab62..e86516469d 100644 --- a/doc/man3/OSSL_HTTP_REQ_CTX.pod +++ b/doc/man3/OSSL_HTTP_REQ_CTX.pod @@ -268,7 +268,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_HTTP_transfer.pod b/doc/man3/OSSL_HTTP_transfer.pod index 8325e1dd47..6a4d7d2dce 100644 --- a/doc/man3/OSSL_HTTP_transfer.pod +++ b/doc/man3/OSSL_HTTP_transfer.pod @@ -282,7 +282,7 @@ All the functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/PKCS12_create.pod b/doc/man3/PKCS12_create.pod index f528330c04..92e588062a 100644 --- a/doc/man3/PKCS12_create.pod +++ b/doc/man3/PKCS12_create.pod @@ -101,7 +101,7 @@ standards. =head1 COPYRIGHT -Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/PKCS12_gen_mac.pod b/doc/man3/PKCS12_gen_mac.pod index 07f8855ecf..a72df145fe 100644 --- a/doc/man3/PKCS12_gen_mac.pod +++ b/doc/man3/PKCS12_gen_mac.pod @@ -64,7 +64,7 @@ L =head1 COPYRIGHT -Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_new.pod b/doc/man3/SSL_new.pod index f9b8678246..2b52276916 100644 --- a/doc/man3/SSL_new.pod +++ b/doc/man3/SSL_new.pod @@ -124,7 +124,7 @@ L =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/d2i_RSAPrivateKey.pod b/doc/man3/d2i_RSAPrivateKey.pod index 6ad06aa048..08cd2c85e5 100644 --- a/doc/man3/d2i_RSAPrivateKey.pod +++ b/doc/man3/d2i_RSAPrivateKey.pod @@ -307,7 +307,7 @@ L =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod index fe24cb3456..044904022d 100644 --- a/doc/man5/x509v3_config.pod +++ b/doc/man5/x509v3_config.pod @@ -590,7 +590,7 @@ L =head1 COPYRIGHT -Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_KDF-PKCS12KDF.pod b/doc/man7/EVP_KDF-PKCS12KDF.pod index ecca1dc637..9865365698 100644 --- a/doc/man7/EVP_KDF-PKCS12KDF.pod +++ b/doc/man7/EVP_KDF-PKCS12KDF.pod @@ -80,7 +80,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/fuzz/x509.c b/fuzz/x509.c index 6293f1a5c5..e2d2639164 100644 --- a/fuzz/x509.c +++ b/fuzz/x509.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/providers/implementations/ciphers/cipher_chacha20.c b/providers/implementations/ciphers/cipher_chacha20.c index 81cfd52773..ef80a515d7 100644 --- a/providers/implementations/ciphers/cipher_chacha20.c +++ b/providers/implementations/ciphers/cipher_chacha20.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/encode_decode/decode_msblob2key.c b/providers/implementations/encode_decode/decode_msblob2key.c index 80c6e0a91e..b9d0cabada 100644 --- a/providers/implementations/encode_decode/decode_msblob2key.c +++ b/providers/implementations/encode_decode/decode_msblob2key.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/encode_decode/decode_pvk2key.c b/providers/implementations/encode_decode/decode_pvk2key.c index 4eeeaf425a..2d7cb15e53 100644 --- a/providers/implementations/encode_decode/decode_pvk2key.c +++ b/providers/implementations/encode_decode/decode_pvk2key.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c index c2f3dc85be..03d8b26ec6 100644 --- a/providers/implementations/encode_decode/encode_key2any.c +++ b/providers/implementations/encode_decode/encode_key2any.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/keymgmt/ecx_kmgmt.c b/providers/implementations/keymgmt/ecx_kmgmt.c index 831681412a..987d38456f 100644 --- a/providers/implementations/keymgmt/ecx_kmgmt.c +++ b/providers/implementations/keymgmt/ecx_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/keymgmt/mac_legacy_kmgmt.c b/providers/implementations/keymgmt/mac_legacy_kmgmt.c index a55dcb0320..ba3a46324f 100644 --- a/providers/implementations/keymgmt/mac_legacy_kmgmt.c +++ b/providers/implementations/keymgmt/mac_legacy_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index f87c9e2ea8..687cb162f8 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 2e2db5fa31..498ff6bb5e 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/chacha_internal_test.c b/test/chacha_internal_test.c index d52479b658..d316bfd7b3 100644 --- a/test/chacha_internal_test.c +++ b/test/chacha_internal_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/cmsapitest.c b/test/cmsapitest.c index ffc9a0c98a..dbb05cd496 100644 --- a/test/cmsapitest.c +++ b/test/cmsapitest.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/endecode_test.c b/test/endecode_test.c index b334d427eb..e28fd41b75 100644 --- a/test/endecode_test.c +++ b/test/endecode_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/pbetest.c b/test/pbetest.c index 7bf0680785..cfffc2b932 100644 --- a/test/pbetest.c +++ b/test/pbetest.c @@ -1,5 +1,5 @@ /* - * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/pkcs12_format_test.c b/test/pkcs12_format_test.c index 30bd881a46..f9a68133e2 100644 --- a/test/pkcs12_format_test.c +++ b/test/pkcs12_format_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/provider_internal_test.c b/test/provider_internal_test.c index bccce7159e..1fe8fb0cc5 100644 --- a/test/provider_internal_test.c +++ b/test/provider_internal_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/15-test_rsapss.t b/test/recipes/15-test_rsapss.t index 1bfa919158..35be4784fc 100644 --- a/test/recipes/15-test_rsapss.t +++ b/test/recipes/15-test_rsapss.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index c41673509b..6ae09c2b8f 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t index 103f28da76..c8f145405b 100644 --- a/test/recipes/30-test_defltfips.t +++ b/test/recipes/30-test_defltfips.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t index 8ae22ab16c..f3fc36c2eb 100644 --- a/test/recipes/30-test_evp.t +++ b/test/recipes/30-test_evp.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/99-test_fuzz_x509.t b/test/recipes/99-test_fuzz_x509.t index 7ca3ee8ae7..b0b86365d1 100644 --- a/test/recipes/99-test_fuzz_x509.t +++ b/test/recipes/99-test_fuzz_x509.t @@ -1,5 +1,5 @@ #!/usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/ssl_old_test.c b/test/ssl_old_test.c index 09c9706a7c..0a7d78d564 100644 --- a/test/ssl_old_test.c +++ b/test/ssl_old_test.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * diff --git a/test/testutil/main.c b/test/testutil/main.c index 2945bb52b8..32e32d8328 100644 --- a/test/testutil/main.c +++ b/test/testutil/main.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy -- Gitee From 488b0e08af98201b318edf816b03af2f9a5112bc Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Tue, 19 Sep 2023 15:01:36 +0200 Subject: [PATCH 39/50] make update Reviewed-by: Matt Caswell Release: yes Signed-off-by: fly2x --- providers/fips-sources.checksums | 32 ++++++++++++++++---------------- providers/fips.checksum | 2 +- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums index 1be4c8c5e6..c1b5ce4542 100644 --- a/providers/fips-sources.checksums +++ b/providers/fips-sources.checksums @@ -29,18 +29,18 @@ e397a5781893e97dd90a5a52049633be12a43f379ec5751bca2a6350c39444c8 crypto/aes/asm 5ee643fd833120756300d92722fa9c8fe2ab58764d64b11350f86c41687b8d7a crypto/aes/asm/bsaes-armv8.pl 0726a2c4c15c27a12b2f7d5e16863df4a1b1daa7b7d9b728f621b2b224d290e6 crypto/aes/asm/bsaes-x86_64.pl 762cadf988080f45d1a2f1232058688ac3f5afe76767649d15513a7a5eedcf38 crypto/aes/asm/vpaes-armv8.pl -4b723628a4ea14a763c3b21afa2439534ccf9d21480f2d0e3a0f5ee270169c23 crypto/aes/asm/vpaes-loongarch64.pl +14146589f53dc898fa86aeffd0e0ba36737b04da26ab0b14c1da09a28836c8f8 crypto/aes/asm/vpaes-loongarch64.pl c3541865cd02d81101cdbab4877ed82772e6980d2c677b9008b38fa1b26d36d4 crypto/aes/asm/vpaes-ppc.pl 3ec24185750a995377516bc2fb2eae8b1c52094c6fff093bff591837fc12d6c3 crypto/aes/asm/vpaes-x86.pl 060bb6620f50af9afecdf97df051b45b9a50be9daf343dfec1cbb29693ce00a4 crypto/aes/asm/vpaes-x86_64.pl 2bc67270155e2d6c7da87d9070e005ee79cea18311004907edfd6a078003532a crypto/alphacpuid.pl 269e52f8867c13ca75d2f88ec1f89b692cb8c6c3ee89abe2fd3c1821925191d8 crypto/arm64cpuid.pl -e9194b598c77a5090408bfb6adf729ea85d3a234ed7a4b5fcb22dadb4f88dfcf crypto/armcap.c -a43f2c1eef16146943745f684f2add7d186924932a47abf7fb0760cba02804e6 crypto/armv4cpuid.pl +7144d95f74d8f84b5c32fe5b343c1d6d958a96ffcf9d0374a343cd82e599d753 crypto/armcap.c +b0f528db5658d7c98657eb322bf78e326202f43da88f7c56ada053a494be9977 crypto/armv4cpuid.pl 16739d54200fb81ca7835b5814f965022a2ab41589c7787e2697e3ea72d4fafa crypto/asn1_dsa.c 819c9fd2b0cae9aab81c3cbd1815c2e22949d75f132f649b5883812d0bbaa39a crypto/bn/asm/alpha-mont.pl -0070595128b250b9ebdebe48ce53d2d27ca16ec4f7c6c8bd169ab2e4a913b2d1 crypto/bn/asm/armv4-gf2m.pl -8c1c53a725b8a4f92b8a353bfeeb393be94198df41c912e3270f9e654417b250 crypto/bn/asm/armv4-mont.pl +ccca12612deaa8b3792ade2fc912731fad1b5b7e8b39875e51159fec97b93d9e crypto/bn/asm/armv4-gf2m.pl +281767fa5ad336aca9887867012fbee9003340c59ff0b39340870ccd8124d976 crypto/bn/asm/armv4-mont.pl 12203c1af986c729fc227832ed03b103e56bdac2568878e5635ab037be01609a crypto/bn/asm/armv8-mont.pl cb4ad7b7461fcb8e2a0d52881158d0211b79544842d4eae36fc566869a2d62c8 crypto/bn/asm/bn-586.pl 636da7e2a66272a81f9c99e90b36c6f132ad6236c739e8b9f2e7315f30b72edd crypto/bn/asm/c64xplus-gf2m.pl @@ -177,7 +177,7 @@ ae1637d89287c9d22a34bdc0d67f6e01262a2f8dcef9b61369dba8c334f5a80d crypto/ec/ec2_ 86e2becf9b3870979e2abefa1bd318e1a31820d275e2b50e03b17fc287abb20a crypto/ec/ec_check.c 265f911b9d4aada326a2d52cd8a589b556935c8b641598dcd36c6f85d29ce655 crypto/ec/ec_curve.c 8cfd0dcfb5acbf6105691a2d5e2826dba1ff3906707bc9dd6ff9bffcc306468f crypto/ec/ec_cvt.c -ec6b509d9fa3af18c7ca83624d3426ffdd63a9936bcabddb9c23eddc142f2b2d crypto/ec/ec_key.c +0139b6fc533a885b4a8c2929c3b9c61c676d53e32ddda05c57618714724fa9f7 crypto/ec/ec_key.c 7e40fc646863e0675bbb90f075b809f61bdf0600d8095c8366858d9533ab7700 crypto/ec/ec_kmeth.c 57c6107e235ace603498eadde6bcb03ede2e2e828c0041ed2084a42aa5eb7144 crypto/ec/ec_lib.c a8a4690e42b4af60aad822aa8b16196df337906af53ea4db926707f7b596ff27 crypto/ec/ec_local.h @@ -272,12 +272,12 @@ a0097ff2da8955fe15ba204cb54f3fd48a06f846e2b9826f507b26acf65715c3 crypto/params_ 98eb56498937aca2d4fca8670760485f8b342b7dcd84442f8e114d47310eacbf crypto/ppccap.c 46fa4994a6234a98a2845d9337475913f6bc229f1928abc82224de7edf2784b8 crypto/ppccpuid.pl 467c416422ecf61e3b713c5eb259fdbcb4aa73ae8dee61804d0b85cfd3fff4f7 crypto/property/defn_cache.c -7b3e6585a25db7f3c51b33037de050118ef0cc70dd1f931d476c3002bc309524 crypto/property/property.c +0d6df2dfb9896ed00c27e97f190ccd9d581e54e16fb1cbaba587ad1b34c5f1b2 crypto/property/property.c 66da4f28d408133fb544b14aeb9ad4913e7c5c67e2826e53f0dc5bf4d8fada26 crypto/property/property_local.h 988e14f794b50729aa9e809e1160d7c52cc77bc891df037ac19cefa946df20cc crypto/property/property_parse.c a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3 crypto/property/property_query.c 20e69b9d594dfc443075eddbb0e6bcc0ed36ca51993cd50cc5a4f86eb31127f8 crypto/property/property_string.c -0d2fba9cbb87ad30e0238727662b01e8e7c20a341e6658d26b8c162aea912878 crypto/provider_core.c +8bf2a635dbd2977f8e52506fc23392c9be78d1928114c1754c8d577916645082 crypto/provider_core.c d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89 crypto/provider_local.h 5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9 crypto/provider_predefined.c 470406e440ed0f117743fb645e4c9ac5319df03a06863675f88ebfd3be820a64 crypto/rand/rand_lib.c @@ -319,7 +319,7 @@ a859fc8cb073b2d0012a93f3155a75fb6eb677441462b0de4f8cf8df1445e970 crypto/sha/asm 831b8b02ab25d78ba6300ce960d96c13439bfba5844e13061e19c4e25cbacc3d crypto/sha/asm/keccak1600p8-ppc.pl 75d832db9bf0e98e7a5c522169060a6dd276c5118cfb297fc3f1111f55cd4007 crypto/sha/asm/sha1-586.pl c96e87d4f5311cd73bbdf499acc03418588be12426d878e157dd67e0099e0219 crypto/sha/asm/sha1-alpha.pl -4ba6d1c7f12fe76bf39babea966f0a4b7f8769e0c0510cbfc2c46a65dd62d45c crypto/sha/asm/sha1-armv4-large.pl +ab1b54d71393dabba340438f5e2a34517d5d7de6030a67d71fcad744b3b7c036 crypto/sha/asm/sha1-armv4-large.pl 3ca053a2a27550b6076d2f12579899b027b2eadc0f30bef867c3eeae03e5e8bf crypto/sha/asm/sha1-armv8.pl 11d332b4e058e9fa418d6633316d2e9f9bf520a08b2d933e877bdf38b2edefcf crypto/sha/asm/sha1-c64xplus.pl 32ff0e701a7b8f25bcfe8477b20795de54f536527bd87d3ce694fd9aaae356d4 crypto/sha/asm/sha1-ia64.pl @@ -333,11 +333,11 @@ b5ffd7b6dbb04c05de7efa2945adb67ea845e7e61a3bf163a532f7b6acdf4267 crypto/sha/asm 74d197cdd72400cabbff7e173f72c8976723081508b095dc995e8cd1abf3daa6 crypto/sha/asm/sha1-thumb.pl a59a86293e28f5600609dc8af2b39c5285580ae8636520990b000eeeb67bb889 crypto/sha/asm/sha1-x86_64.pl c099059ef107f548ea2c2bab64a4eb8c277070ce6d74c4d32bb9808dc19c5fa3 crypto/sha/asm/sha256-586.pl -b9cee5c5a283f61f601d2dba68a7a76e7aba10bfafffc1a5c4987f9c0aa6f87d crypto/sha/asm/sha256-armv4.pl +b320fa75cf2dda0e7081071aeb46452040ec3946ac7272ed5659b3d72f84b804 crypto/sha/asm/sha256-armv4.pl 93ddc97651ee3e779144a3c6b3e46a1bc4aa81e75cd7b9df068a2aef8743d25f crypto/sha/asm/sha256-c64xplus.pl 8be5c5d69733ecb16774aa8410b4bcb3623a9f060d2be103d8aa67bf6e4c5843 crypto/sha/asm/sha256-mb-x86_64.pl dd82e1311703abb019975fc7b61fb87d67e1ed916dddd065aced051e851114b9 crypto/sha/asm/sha512-586.pl -8d84164f3cfd53290c0c14bb5655510b7a9238857866328c0604d64b4e76fe21 crypto/sha/asm/sha512-armv4.pl +a1140ec67c33909c13b2eba62fd465c2043d83d86721add4da29ce55b8fcc0d6 crypto/sha/asm/sha512-armv4.pl e840aeed694a04153364585989f09a791422c95260cfe5b89c3f8c57e0916a1c crypto/sha/asm/sha512-armv8.pl 6f548a088feae3b6faa179653ba449df9d3f5cda1e0561e5b5f120b32274d1eb crypto/sha/asm/sha512-c64xplus.pl 9fa54fbc34fd881f4b344374b9b4f8fb15b641424be7af9a31c71af89ae5d577 crypto/sha/asm/sha512-ia64.pl @@ -360,7 +360,7 @@ c50c584c55e56347bb43aca4b796b5344d70daece3061f586b79c871c21f5d1a crypto/sparse_ 8da78169fa8c09dc3c29c9bf1602b22e88c5eac4815e274ba1864c166e31584b crypto/stack/stack.c 67ba8d87fbbb7c9a9e438018e7ecfd1cedd4d00224be05755580d044f5f1317a crypto/threads_lib.c a41ae93a755e2ec89b3cb5b4932e2b508fdda92ace2e025a2650a6da0e9e972c crypto/threads_none.c -2637a8727dee790812b000f2e02b336f7907949df633dda72938bbaafdb204fe crypto/threads_pthread.c +3729e2bd36f945808b578e0d89fac0fcb3114e4fc9381614bcbd8a9869991716 crypto/threads_pthread.c 88423960f0414f6fd41fba4f4c67f9f7260c2741e4788adcd52493e895ec8027 crypto/threads_win.c fd6c27cf7c6b5449b17f2b725f4203c4c10207f1973db09fd41571efe5de08fd crypto/x86_64cpuid.pl bbec287bb9bf35379885f8f8998b7fd9e8fc22efee9e1b299109af0f33a7ee16 crypto/x86cpuid.pl @@ -586,13 +586,13 @@ abe2b0f3711eaa34846e155cffc9242e4051c45de896f747afd5ac9d87f637dc providers/impl a66987548504bbe5bb81b80e7c1e190ab68abd852fb04f59ae40fd4e93160841 providers/implementations/kdfs/tls1_prf.c 1e5aaa6dc3bb52b0b5a07e662386b71e0e3ee7c83b9f15a4144ab24264c7431c providers/implementations/kdfs/x942kdf.c 8e8b9094c757c78638f60d7bde822a035adeecde11f9565cbd24c1322ec7e06b providers/implementations/kem/rsa_kem.c -37120f8a420de0e44b7dc1f31b50d59520e5318cf546e83684e0c3de5c7b76c5 providers/implementations/keymgmt/dh_kmgmt.c -2a4493c9e68f41d37d7ec69c272005c6df7b1a34db2d49663f52e836e4fd888c providers/implementations/keymgmt/dsa_kmgmt.c +9d5eb7e056e790b1b4292ec7af03fbf0b26e34625c70eb36643451965bcfc696 providers/implementations/keymgmt/dh_kmgmt.c +a329f57cb041cd03907e9d996fbc2f378ee116c7f8d7fbf1ea08b7a5df7e0304 providers/implementations/keymgmt/dsa_kmgmt.c 9bc88451d3ae110c7a108ee73d3b3b6bda801ec3494d2dfb9c9970b85c2d34fe providers/implementations/keymgmt/ec_kmgmt.c 258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251 providers/implementations/keymgmt/ec_kmgmt_imexport.inc -d77ece2494e6b12a6201a2806ee5fb24a6dc2fa3e1891a46012a870e0b781ab1 providers/implementations/keymgmt/ecx_kmgmt.c +011c36aad6834729043f23eacab417732541ee23916d9afa5bb9164862be00bb providers/implementations/keymgmt/ecx_kmgmt.c 053a2be39a87f50b877ebdbbf799cf5faf8b2de33b04311d819d212ee1ea329b providers/implementations/keymgmt/kdf_legacy_kmgmt.c -e30357311e4a3e1c78266af6315fd1fc99584bfb09f4a7cd0ddc7261cf1e17e1 providers/implementations/keymgmt/mac_legacy_kmgmt.c +1646b477fa231dd0f6c22444c99098f9b447cab0d39ff69b811262469d4dbe09 providers/implementations/keymgmt/mac_legacy_kmgmt.c 19f22fc70a6321441e56d5bd4aab3d01d52d17069d4e4b5cefce0f411ecece75 providers/implementations/keymgmt/rsa_kmgmt.c d0eff68c72e177c3fe0c77bc8c38eded7e3ce41f72042e2c034c706a12284dd5 providers/implementations/macs/cmac_prov.c e69aa06f8f3c6f5a26702b9f44a844b8589b99dc0ee590953a29e8b9ef10acbe providers/implementations/macs/gmac_prov.c diff --git a/providers/fips.checksum b/providers/fips.checksum index cecbafd35a..66d8995442 100644 --- a/providers/fips.checksum +++ b/providers/fips.checksum @@ -1 +1 @@ -89f749c416427df81cbc7fed9e9bfebb65bb201ae4a383b647cc5d774ced0129 providers/fips-sources.checksums +21be74107ee92b5ab2e205c5cd5f34303808b27bfd9fe17c17650e7c2c0aad38 providers/fips-sources.checksums -- Gitee From f773bf2b1fc9181b117ba1e53ad7a916da4dcec3 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Tue, 19 Sep 2023 15:01:49 +0200 Subject: [PATCH 40/50] Prepare for release of 3.1.3 Reviewed-by: Matt Caswell Release: yes Signed-off-by: fly2x --- CHANGES.md | 2 +- NEWS.md | 2 +- VERSION.dat | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index e531ad09de..37832f6014 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -22,7 +22,7 @@ OpenSSL Releases OpenSSL 3.1 ----------- -### Changes between 3.1.2 and 3.1.3 [xx XXX xxxx] +### Changes between 3.1.2 and 3.1.3 [19 Sep 2023] * Fix POLY1305 MAC implementation corrupting XMM registers on Windows. diff --git a/NEWS.md b/NEWS.md index c6a538ae39..692a73a52b 100644 --- a/NEWS.md +++ b/NEWS.md @@ -19,7 +19,7 @@ OpenSSL Releases OpenSSL 3.1 ----------- -### Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [under development] +### Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [19 Sep 2023] * Fix POLY1305 MAC implementation corrupting XMM registers on Windows ([CVE-2023-4807]) diff --git a/VERSION.dat b/VERSION.dat index 665509bc14..3f5764cc63 100644 --- a/VERSION.dat +++ b/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=1 PATCH=3 -PRE_RELEASE_TAG=dev +PRE_RELEASE_TAG= BUILD_METADATA= -RELEASE_DATE="" +RELEASE_DATE="19 Sep 2023" SHLIB_VERSION=3 -- Gitee From 34523516c43fcc70a1af998bfa74b093cef78817 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Tue, 19 Sep 2023 15:02:32 +0200 Subject: [PATCH 41/50] Prepare for 3.1.4 Reviewed-by: Matt Caswell Release: yes Signed-off-by: fly2x --- CHANGES.md | 4 ++++ NEWS.md | 4 ++++ VERSION.dat | 6 +++--- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 37832f6014..edb2ce987d 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -22,6 +22,10 @@ OpenSSL Releases OpenSSL 3.1 ----------- +### Changes between 3.1.3 and 3.1.4 [xx XXX xxxx] + + * none yet + ### Changes between 3.1.2 and 3.1.3 [19 Sep 2023] * Fix POLY1305 MAC implementation corrupting XMM registers on Windows. diff --git a/NEWS.md b/NEWS.md index 692a73a52b..0e14aa88ea 100644 --- a/NEWS.md +++ b/NEWS.md @@ -19,6 +19,10 @@ OpenSSL Releases OpenSSL 3.1 ----------- +### Major changes between OpenSSL 3.1.3 and OpenSSL 3.1.4 [under development] + + * none + ### Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [19 Sep 2023] * Fix POLY1305 MAC implementation corrupting XMM registers on Windows diff --git a/VERSION.dat b/VERSION.dat index 3f5764cc63..7a8c84dbc6 100644 --- a/VERSION.dat +++ b/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=1 -PATCH=3 -PRE_RELEASE_TAG= +PATCH=4 +PRE_RELEASE_TAG=dev BUILD_METADATA= -RELEASE_DATE="19 Sep 2023" +RELEASE_DATE="" SHLIB_VERSION=3 -- Gitee From 2d59085c45e2f4876a7a5c1378164266cf7455e2 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Mon, 18 Sep 2023 16:02:21 +0200 Subject: [PATCH 42/50] enc: "bad decrypt" only in decryption CLA: trivial Signed-off-by: Mathieu Tortuyaux Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22134) (cherry picked from commit 0e138b7b591f160a50aff22f662254d1b39c9cac) Signed-off-by: fly2x --- apps/enc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/apps/enc.c b/apps/enc.c index b3bf4cc259..c275046cf5 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -624,7 +624,10 @@ int enc_main(int argc, char **argv) } } if (!BIO_flush(wbio)) { - BIO_printf(bio_err, "bad decrypt\n"); + if (enc) + BIO_printf(bio_err, "bad encrypt\n"); + else + BIO_printf(bio_err, "bad decrypt\n"); goto end; } -- Gitee From f7d751dcb6111e639a0d717402ac4f844f135fd3 Mon Sep 17 00:00:00 2001 From: Sumitra Sharma Date: Mon, 18 Sep 2023 16:38:11 +0530 Subject: [PATCH 43/50] Add documentation for the function SSL_CONF_CTX_finish. Add documentation for the function SSL_CONF_CTX_finish() in man3. Fixes #22084 Signed-off-by: Sumitra Sharma Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22128) (cherry picked from commit 955c133ccccd2b6e3f5a1b1342045111fe8b3e86) Signed-off-by: fly2x --- doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod | 8 ++++++++ util/missingssl.txt | 1 - 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod b/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod index 06cc1e4ec5..b74c869b83 100644 --- a/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod +++ b/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod @@ -2,6 +2,7 @@ =head1 NAME +SSL_CONF_CTX_finish, SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX_set_ssl - set context to configure =head1 SYNOPSIS @@ -10,6 +11,7 @@ SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX_set_ssl - set context to configure void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx); void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl); + int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx); =head1 DESCRIPTION @@ -23,6 +25,10 @@ B structure B. Any previous B or B associated with B is cleared. Subsequent calls to SSL_CONF_cmd() will be sent to B. +The function SSL_CONF_CTX_finish() must be called after all configuration +operations have been completed. It is used to finalise any operations +or to process defaults. + =head1 NOTES The context need not be set or it can be set to B in which case only @@ -32,6 +38,8 @@ syntax checking of commands is performed, where possible. SSL_CONF_CTX_set_ssl_ctx() and SSL_CTX_set_ssl() do not return a value. +SSL_CONF_CTX_finish() returns 1 for success and 0 for failure. + =head1 SEE ALSO L, diff --git a/util/missingssl.txt b/util/missingssl.txt index 48219fd99a..41ca8a8bbc 100644 --- a/util/missingssl.txt +++ b/util/missingssl.txt @@ -3,7 +3,6 @@ ERR_load_SSL_strings(3) SRP_Calc_A_param(3) SSL_COMP_get_name(3) SSL_COMP_set0_compression_methods(3) -SSL_CONF_CTX_finish(3) SSL_CTX_SRP_CTX_free(3) SSL_CTX_SRP_CTX_init(3) SSL_CTX_get0_certificate(3) -- Gitee From 2e6edfcda22c5e622cd8adf3f09f1ac9793c7e2f Mon Sep 17 00:00:00 2001 From: Pauli Date: Tue, 19 Sep 2023 11:07:21 +1000 Subject: [PATCH 44/50] coverity: NULL dereference Fixes coverity 1544699. Reviewed-by: Matt Caswell Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/22138) (cherry picked from commit be01f609f98a8930f2c91b813715e515a88f4d54) Signed-off-by: fly2x --- crypto/engine/eng_table.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/engine/eng_table.c b/crypto/engine/eng_table.c index 3138a15260..9dc3144bbf 100644 --- a/crypto/engine/eng_table.c +++ b/crypto/engine/eng_table.c @@ -97,6 +97,7 @@ int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup, if (added && !engine_cleanup_add_first(cleanup)) { lh_ENGINE_PILE_free(&(*table)->piles); *table = NULL; + goto end; } while (num_nids--) { tmplate.nid = *nids; -- Gitee From 2bc630050da36e62913c62bd1e3c67cd67f914b9 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Mon, 11 Sep 2023 06:38:31 +0200 Subject: [PATCH 45/50] Fix some memory leaks in the openssl app In some error cases the normal cleanup did not happen, but instead an exit(1) which caused some memory leaks, as reported in #22049. Reviewed-by: Tom Cosgrove Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/22055) (cherry picked from commit 8c040c086ca11a519975c58961a5dc933aa6524a) Signed-off-by: fly2x --- apps/dgst.c | 2 ++ apps/dhparam.c | 2 ++ apps/dsaparam.c | 2 ++ apps/gendsa.c | 2 ++ apps/genpkey.c | 2 ++ apps/genrsa.c | 2 ++ apps/lib/apps.c | 8 ++++---- apps/req.c | 2 ++ 8 files changed, 18 insertions(+), 4 deletions(-) diff --git a/apps/dgst.c b/apps/dgst.c index e12389197d..3f02af0d57 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -320,6 +320,8 @@ int dgst_main(int argc, char **argv) sigkey = app_keygen(mac_ctx, mac_name, 0, 0 /* not verbose */); /* Verbose output would make external-tests gost-engine fail */ EVP_PKEY_CTX_free(mac_ctx); + if (sigkey == NULL) + goto end; } if (hmac_key != NULL) { diff --git a/apps/dhparam.c b/apps/dhparam.c index 66b0bd6551..4f372c3178 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -222,6 +222,8 @@ int dhparam_main(int argc, char **argv) } tmppkey = app_paramgen(ctx, alg); + if (tmppkey == NULL) + goto end; EVP_PKEY_CTX_free(ctx); ctx = NULL; if (dsaparam) { diff --git a/apps/dsaparam.c b/apps/dsaparam.c index b5555282be..cb3f9d9eaf 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -218,6 +218,8 @@ int dsaparam_main(int argc, char **argv) goto end; } pkey = app_keygen(ctx, "DSA", numbits, verbose); + if (pkey == NULL) + goto end; assert(private); if (outformat == FORMAT_ASN1) i = i2d_PrivateKey_bio(out, pkey); diff --git a/apps/gendsa.c b/apps/gendsa.c index 27feb793fe..34f7af377d 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -146,6 +146,8 @@ int gendsa_main(int argc, char **argv) goto end; } pkey = app_keygen(ctx, "DSA", nbits, verbose); + if (pkey == NULL) + goto end; assert(private); if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout)) { diff --git a/apps/genpkey.c b/apps/genpkey.c index d00754eeac..8774a4ee28 100644 --- a/apps/genpkey.c +++ b/apps/genpkey.c @@ -183,6 +183,8 @@ int genpkey_main(int argc, char **argv) pkey = do_param ? app_paramgen(ctx, algname) : app_keygen(ctx, algname, 0, 0 /* not verbose */); + if (pkey == NULL) + goto end; if (do_param) { rv = PEM_write_bio_Parameters(out, pkey); diff --git a/apps/genrsa.c b/apps/genrsa.c index 4436b7fa17..390a5d72a7 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -203,6 +203,8 @@ opthelp: goto end; } pkey = app_keygen(ctx, "RSA", num, verbose); + if (pkey == NULL) + goto end; if (verbose) { BIGNUM *e = NULL; diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 7052b11e52..d5dc7edebd 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -3351,8 +3351,8 @@ EVP_PKEY *app_keygen(EVP_PKEY_CTX *ctx, const char *alg, int bits, int verbose) BIO_printf(bio_err, "Warning: generating random key material may take a long time\n" "if the system has a poor entropy source\n"); if (EVP_PKEY_keygen(ctx, &res) <= 0) - app_bail_out("%s: Error generating %s key\n", opt_getprog(), - alg != NULL ? alg : "asymmetric"); + BIO_printf(bio_err, "%s: Error generating %s key\n", opt_getprog(), + alg != NULL ? alg : "asymmetric"); return res; } @@ -3364,8 +3364,8 @@ EVP_PKEY *app_paramgen(EVP_PKEY_CTX *ctx, const char *alg) BIO_printf(bio_err, "Warning: generating random key parameters may take a long time\n" "if the system has a poor entropy source\n"); if (EVP_PKEY_paramgen(ctx, &res) <= 0) - app_bail_out("%s: Generating %s key parameters failed\n", - opt_getprog(), alg != NULL ? alg : "asymmetric"); + BIO_printf(bio_err, "%s: Generating %s key parameters failed\n", + opt_getprog(), alg != NULL ? alg : "asymmetric"); return res; } diff --git a/apps/req.c b/apps/req.c index 926f0796bc..41191803ae 100644 --- a/apps/req.c +++ b/apps/req.c @@ -685,6 +685,8 @@ int req_main(int argc, char **argv) EVP_PKEY_CTX_set_app_data(genctx, bio_err); pkey = app_keygen(genctx, keyalgstr, newkey_len, verbose); + if (pkey == NULL) + goto end; EVP_PKEY_CTX_free(genctx); genctx = NULL; -- Gitee From a88534f7fd50d9bd7b41cdfc1327aaacfc69c7e7 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Tue, 19 Sep 2023 20:15:18 +0200 Subject: [PATCH 46/50] Fix error handling in CRYPTO_get_ex_new_index If an out of memory error happens when the index zero is reserved in a newly created ip->meth stack object, that reservation is not done in a second attempt, which makes various X_set_ex_data overwrite the value of X_set_app_data. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22149) (cherry picked from commit d4f22a915ac50570015a23ad794032c4fb9496cb) Signed-off-by: fly2x --- crypto/ex_data.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/ex_data.c b/crypto/ex_data.c index 0268da2a10..f92d0505fd 100644 --- a/crypto/ex_data.c +++ b/crypto/ex_data.c @@ -171,6 +171,8 @@ int ossl_crypto_get_ex_new_index_ex(OSSL_LIB_CTX *ctx, int class_index, * "app_data" routines use ex_data index zero. See RT 3710. */ if (ip->meth == NULL || !sk_EX_CALLBACK_push(ip->meth, NULL)) { + sk_EX_CALLBACK_free(ip->meth); + ip->meth = NULL; ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); goto err; } -- Gitee From 803157082c1fe8f2736e1ac890e19d575c16791a Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Wed, 20 Sep 2023 15:45:56 +0200 Subject: [PATCH 47/50] Fix error handling in lhash contract When the realloc fails in contract, this not a fatal error, since the memory is only shrinked. It is also no option to exit the function at this point, since that would leave the hash table in an inconsistent state. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22154) (cherry picked from commit 5fbfd641aeebdf4b29a0749e13a79a1e59502878) Signed-off-by: fly2x --- crypto/lhash/lhash.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c index c319a44c7b..8623bcb395 100644 --- a/crypto/lhash/lhash.c +++ b/crypto/lhash/lhash.c @@ -266,12 +266,12 @@ static void contract(OPENSSL_LHASH *lh) if (n == NULL) { /* fputs("realloc error in lhash",stderr); */ lh->error++; - return; + } else { + lh->b = n; } lh->num_alloc_nodes /= 2; lh->pmax /= 2; lh->p = lh->pmax - 1; - lh->b = n; } else lh->p--; -- Gitee From d871335853027800699ebc5939abe24ed3fcf535 Mon Sep 17 00:00:00 2001 From: Steffen Klee Date: Wed, 20 Sep 2023 00:04:18 +0200 Subject: [PATCH 48/50] Fix test_cms if DSA is not supported CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22150) (cherry picked from commit dee2129802d9694d72e8745aec2d8bd4577ee4ee) Signed-off-by: fly2x --- test/recipes/80-test_cms.t | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t index 165cbbe98b..9fa2daae8a 100644 --- a/test/recipes/80-test_cms.t +++ b/test/recipes/80-test_cms.t @@ -1050,9 +1050,13 @@ with({ exit_checker => sub { return shift == 6; } }, # Test case for return value mis-check reported in #21986 with({ exit_checker => sub { return shift == 3; } }, sub { - ok(run(app(['openssl', 'cms', '-sign', - '-in', srctop_file("test", "smcont.txt"), - '-signer', srctop_file("test/smime-certs", "smdsa1.pem"), - '-md', 'SHAKE256'])), - "issue#21986"); + SKIP: { + skip "DSA is not supported in this build", 1 if $no_dsa; + + ok(run(app(['openssl', 'cms', '-sign', + '-in', srctop_file("test", "smcont.txt"), + '-signer', srctop_file("test/smime-certs", "smdsa1.pem"), + '-md', 'SHAKE256'])), + "issue#21986"); + } }); -- Gitee From 5809969c41fe221a9a947d77b6b3210b53d3b61d Mon Sep 17 00:00:00 2001 From: Huiyue Xu Date: Thu, 14 Sep 2023 16:21:35 +0800 Subject: [PATCH 49/50] Do not include sparse_array.o in libssl sparse_array.o is not needed in libssl at 3.0.x version. Signed-off-by: Huiyue Xu Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22111) (cherry picked from commit a31cd07af1ca34cdbbd2b077a933208d447ed0b2) Signed-off-by: fly2x --- crypto/build.info | 2 -- 1 file changed, 2 deletions(-) diff --git a/crypto/build.info b/crypto/build.info index b67658c3ce..aafa2197a1 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -101,8 +101,6 @@ $UTIL_COMMON=\ context.c sparse_array.c asn1_dsa.c packet.c param_build.c \ param_build_set.c der_writer.c threads_lib.c params_dup.c -SHARED_SOURCE[../libssl]=sparse_array.c - SOURCE[../libcrypto]=$UTIL_COMMON \ mem.c mem_sec.c \ cversion.c info.c cpt_err.c ebcdic.c uid.c o_time.c o_dir.c \ -- Gitee From c54edf1bbb131a8487a67c7efb5bba45a46f69ee Mon Sep 17 00:00:00 2001 From: "Matthias St. Pierre" Date: Thu, 21 Sep 2023 16:43:43 +0200 Subject: [PATCH 50/50] no-engine: fix signing with legacy app method based keys Signing with an app method based key (i.e. an `EVP_PKEY` which wraps an `RSA` key with an application defined `RSA_METHOD`) used to work in 1.1.1. That feature was broken in commit 60488d2434, but later on fixed by @t8m in commit b247113c05 (see #14859). This commit corrects a minor flaw of the fix, which affects only `no-engine` builds: the special treatment for foreign keys is guarded by an `OPENSSL_NO_ENGINE` check. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Dmitry Belyavskiy Reviewed-by: Todd Short (Merged from https://github.com/openssl/openssl/pull/22163) (cherry picked from commit 1acc3e8cc3c69187b55cc557c1bc03278ab38063) Signed-off-by: fly2x --- crypto/evp/pmeth_lib.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index ce6e1a1ccb..ba1971ce46 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -251,10 +251,11 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx, */ if (e != NULL) pmeth = ENGINE_get_pkey_meth(e, id); - else if (pkey != NULL && pkey->foreign) + else +# endif /* OPENSSL_NO_ENGINE */ + if (pkey != NULL && pkey->foreign) pmeth = EVP_PKEY_meth_find(id); else -# endif app_pmeth = pmeth = evp_pkey_meth_find_added_by_application(id); /* END legacy */ -- Gitee