[openssl] master update

dev at ddvo.net dev at ddvo.net
Mon Jun 22 14:43:31 UTC 2020


The branch master has been updated
       via  b0d5c1cb0773588dca69875e122fac75252ccdf6 (commit)
       via  93a7d24179ee5f61a2350b547dfcd522f6a4b9b0 (commit)
       via  6bb74ecb87f496faa777b609a03a2ce422b60197 (commit)
       via  1e24c82435d22138394edbc534f36b1760351dae (commit)
       via  be7f84e2e24dcf98524be8aea3014be6d3a556ab (commit)
       via  713b3f76a769e8961884b85bac5f207f76bc96ef (commit)
       via  7d40faca54e64e9c6efa48c6d11e46d3037121c4 (commit)
       via  11baa470a21b514ab247071e80273ddc0a80c504 (commit)
      from  e197158bd5b5a5674b8ea67e838bac47395c66f9 (commit)


- Log -----------------------------------------------------------------
commit b0d5c1cb0773588dca69875e122fac75252ccdf6
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Sun Jun 21 15:44:26 2020 +0200

    test/run_tests.pl: Document new VFO and VFP modes in INSTALL.md
    
    Reviewed-by: Nicola Tuveri <nic.tuv at gmail.com>
    (Merged from https://github.com/openssl/openssl/pull/12175)

commit 93a7d24179ee5f61a2350b547dfcd522f6a4b9b0
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Sat Jun 20 17:20:20 2020 +0200

    test/run_tests.pl: Improve indentation parsing workaround for VFO and VFP mode
    
    Reviewed-by: Nicola Tuveri <nic.tuv at gmail.com>
    (Merged from https://github.com/openssl/openssl/pull/12175)

commit 6bb74ecb87f496faa777b609a03a2ce422b60197
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Sat Jun 20 17:07:52 2020 +0200

    test/run_tests.pl: Improve newline output for VFO and VFP mode
    
    Reviewed-by: Nicola Tuveri <nic.tuv at gmail.com>
    (Merged from https://github.com/openssl/openssl/pull/12175)

commit 1e24c82435d22138394edbc534f36b1760351dae
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Sat Jun 20 17:22:41 2020 +0200

    Speed-up for tests in 81-test_cmp_cli_data/test_connection.csv
    
    Reviewed-by: Nicola Tuveri <nic.tuv at gmail.com>
    (Merged from https://github.com/openssl/openssl/pull/12175)

commit be7f84e2e24dcf98524be8aea3014be6d3a556ab
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Thu Jun 18 07:30:09 2020 +0200

    Disable tests in cmp_vfy_test.c that make no sense if FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
    
    Reviewed-by: Nicola Tuveri <nic.tuv at gmail.com>
    (Merged from https://github.com/openssl/openssl/pull/12175)

commit 713b3f76a769e8961884b85bac5f207f76bc96ef
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Thu Jun 18 07:42:22 2020 +0200

    81-test_cmp_cli.t: Disable CLI-based tests in case fuzzing is enabled
    
    Reviewed-by: Nicola Tuveri <nic.tuv at gmail.com>
    (Merged from https://github.com/openssl/openssl/pull/12175)

commit 7d40faca54e64e9c6efa48c6d11e46d3037121c4
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Thu Jun 18 06:33:43 2020 +0200

    81-test_cmp_cli.t: Do connections to 127.0.0.1 (e.g., Mock server) without proxy
    
    Fixes #12156
    
    Reviewed-by: Nicola Tuveri <nic.tuv at gmail.com>
    (Merged from https://github.com/openssl/openssl/pull/12175)

commit 11baa470a21b514ab247071e80273ddc0a80c504
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Wed Jun 17 08:12:19 2020 +0200

    Fix CMP -days option range checking and test failing with enable-ubsan
    
    Reviewed-by: Nicola Tuveri <nic.tuv at gmail.com>
    (Merged from https://github.com/openssl/openssl/pull/12175)

-----------------------------------------------------------------------

Summary of changes:
 INSTALL.md                                         | 52 +++++++++++++---------
 apps/cmp.c                                         |  9 ++--
 crypto/cmp/cmp_ctx.c                               | 12 ++---
 crypto/cmp/cmp_err.c                               |  3 ++
 crypto/cmp/cmp_msg.c                               | 15 ++++---
 crypto/crmf/crmf_lib.c                             | 26 +++--------
 crypto/err/openssl.txt                             |  5 ++-
 ...alidity.pod => OSSL_CRMF_MSG_set0_validity.pod} | 40 +++++++++--------
 include/openssl/cmperr.h                           |  3 ++
 include/openssl/crmf.h                             |  3 +-
 include/openssl/crmferr.h                          |  2 +-
 test/cmp_vfy_test.c                                | 21 ++++++++-
 test/recipes/81-test_cmp_cli.t                     | 24 +++++++---
 .../81-test_cmp_cli_data/test_connection.csv       | 11 ++---
 .../81-test_cmp_cli_data/test_enrollment.csv       |  2 +-
 test/run_tests.pl                                  | 19 +++++---
 util/libcrypto.num                                 |  2 +-
 17 files changed, 150 insertions(+), 99 deletions(-)
 rename doc/man3/{OSSL_CRMF_MSG_set_validity.pod => OSSL_CRMF_MSG_set0_validity.pod} (68%)

diff --git a/INSTALL.md b/INSTALL.md
index 981a86af04..5afd1acae2 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -1560,7 +1560,7 @@ Configuration Problems
 The `./config` script tries hard to guess your operating system, but in some
 cases it does not succeed. You will see a message like the following:
 
-    $ ./config
+    ./config
     Operating system: x86-whatever-minix
     This system (minix) is not supported. See file INSTALL for details.
 
@@ -1618,7 +1618,7 @@ Note: To make the output readable, pleace add a 'code fence' (three backquotes
 ` ``` ` on a separate line) before and after your output:
 
      ```
-     $ ./Configure [your arguments...]
+     ./Configure [your arguments...]
 
      [output...]
 
@@ -1638,9 +1638,9 @@ If the build succeeded previously, but fails after a source or configuration
 change, it might be helpful to clean the build tree before attempting another
 build.  Use this command:
 
-    $ make clean                                     # Unix
-    $ mms clean                                      ! (or mmk) OpenVMS
-    $ nmake clean                                    # Windows
+    make clean                                     # Unix
+    mms clean                                      ! (or mmk) OpenVMS
+    nmake clean                                    # Windows
 
 Assembler error messages can sometimes be sidestepped by using the
 "no-asm" configuration option.
@@ -1658,37 +1658,45 @@ Test Failures
 -------------
 
 If some tests fail, look at the output.  There may be reasons for the failure
-that isn't a problem in OpenSSL itself (like a malfunction with Perl).
+that isn't a problem in OpenSSL itself (like an OS malfunction or a Perl issue).
 You may want increased verbosity, that can be accomplished like this:
 
-Verbosity on failure only (make macro VERBOSE_FAILURE or VF):
+Full verbosity (`make` macro `VERBOSE` or `V`):
+
+    make V=1 test                                  # Unix
+    mms /macro=(V=1) test                          ! OpenVMS
+    nmake V=1 test                                 # Windows
+
+Verbosity on test failure (`VERBOSE_FAILURE` or `VF´, Unix example shown):
+
+    make test VF=1
+
+Verbosity on failed (sub-)tests only (`VERBOSE_FAILURES_ONLY` or `VFO`):
 
-    $ make VF=1 test                                 # Unix
-    $ mms /macro=(VF=1) test                         ! OpenVMS
-    $ nmake VF=1 test                                # Windows
+    make test VFO=1
 
-Full verbosity (make macro VERBOSE or V):
+Verbosity on failed (sub-)tests, in addition progress on succeeded (sub-)tests
+(`VERBOSE_FAILURES_PROGRESS` or `VFP`):
 
-    $ make V=1 test                                  # Unix
-    $ mms /macro=(V=1) test                          ! OpenVMS
-    $ nmake V=1 test                                 # Windows
+    make test VFP=1
 
 If you want to run just one or a few specific tests, you can use
 the make variable TESTS to specify them, like this:
 
-    $ make TESTS='test_rsa test_dsa' test            # Unix
-    $ mms/macro="TESTS=test_rsa test_dsa" test       ! OpenVMS
-    $ nmake TESTS='test_rsa test_dsa' test           # Windows
+    make TESTS='test_rsa test_dsa' test            # Unix
+    mms/macro="TESTS=test_rsa test_dsa" test       ! OpenVMS
+    nmake TESTS='test_rsa test_dsa' test           # Windows
 
-And of course, you can combine (Unix example shown):
+And of course, you can combine (Unix examples shown):
 
-    $ make VF=1 TESTS='test_rsa test_dsa' test
+    make test TESTS='test_rsa test_dsa' VF=1
+    make test TESTS="test_cmp_*" VFO=1
 
 You can find the list of available tests like this:
 
-    $ make list-tests                                # Unix
-    $ mms list-tests                                 ! OpenVMS
-    $ nmake list-tests                               # Windows
+    make list-tests                                # Unix
+    mms list-tests                                 ! OpenVMS
+    nmake list-tests                               # Windows
 
 Have a look at the manual for the perl module Test::Harness to
 see what other HARNESS_* variables there are.
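Review bot: The added line "Verbosity on test failure (`VERBOSE_FAILURE` or `VF´, Unix example shown):" closes the inline code span with an acute accent (´) instead of a backtick, so the span stays open and the rest of the line will render incorrectly. Replace it with a backtick. Since the sentence above it is being touched anyway, "reasons for the failure that isn't a problem" should read "aren't". The VFO and VFP paragraphs do not say whether they are Unix-only like the VF example; a short remark on that would help OpenVMS and Windows users.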
diff --git a/apps/cmp.c b/apps/cmp.c
index f80410fe9c..05fae77d38 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1880,9 +1880,12 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *e)
         }
     }
 
-    if (opt_days > 0)
-        (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_VALIDITY_DAYS,
-                                      opt_days);
+    if (opt_days > 0
+            && !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_VALIDITY_DAYS,
+                                        opt_days)) {
+        CMP_err("could to set requested cert validity period");
+        goto err;
+    }
 
     if (opt_policies != NULL && opt_policy_oids != NULL) {
         CMP_err("cannot have policies both via -policies and via -policy_oids");
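Review bot: The new error text in CMP_err("could to set requested cert validity period") is missing a word and should read "could not set requested cert validity period". Checking the return value of OSSL_CMP_CTX_set_option() here is the right change, since the setter now rejects out-of-range values and the old (void) cast silently dropped that failure.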
diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index 9f70de5038..558414bb5c 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -916,14 +916,14 @@ int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val)
         break;
     }
     if (val < min_val) {
-        CMPerr(0, CMP_R_INVALID_ARGS);
+        CMPerr(0, CMP_R_VALUE_TOO_SMALL);
         return 0;
     }
 
     switch (opt) {
     case OSSL_CMP_OPT_LOG_VERBOSITY:
         if (val > OSSL_CMP_LOG_DEBUG) {
-            CMPerr(0, CMP_R_INVALID_ARGS);
+            CMPerr(0, CMP_R_VALUE_TOO_LARGE);
             return 0;
         }
         ctx->log_verbosity = val;
@@ -957,7 +957,7 @@ int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val)
         break;
     case OSSL_CMP_OPT_POPO_METHOD:
         if (val > OSSL_CRMF_POPO_KEYAGREE) {
-            CMPerr(0, CMP_R_INVALID_ARGS);
+            CMPerr(0, CMP_R_VALUE_TOO_LARGE);
             return 0;
         }
         ctx->popoMethod = val;
@@ -982,13 +982,13 @@ int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val)
         break;
     case OSSL_CMP_OPT_REVOCATION_REASON:
         if (val > OCSP_REVOKED_STATUS_AACOMPROMISE) {
-            CMPerr(0, CMP_R_INVALID_ARGS);
+            CMPerr(0, CMP_R_VALUE_TOO_LARGE);
             return 0;
         }
         ctx->revocationReason = val;
         break;
     default:
-        CMPerr(0, CMP_R_INVALID_ARGS);
+        CMPerr(0, CMP_R_INVALID_OPTION);
         return 0;
     }
 
@@ -1044,7 +1044,7 @@ int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt)
     case OSSL_CMP_OPT_REVOCATION_REASON:
         return ctx->revocationReason;
     default:
-        CMPerr(0, CMP_R_INVALID_ARGS);
+        CMPerr(0, CMP_R_INVALID_OPTION);
         return -1;
     }
 }
diff --git a/crypto/cmp/cmp_err.c b/crypto/cmp/cmp_err.c
index 5f2f713b08..1ee1002233 100644
--- a/crypto/cmp/cmp_err.c
+++ b/crypto/cmp/cmp_err.c
@@ -85,6 +85,7 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_FAIL_INFO_OUT_OF_RANGE),
     "fail info out of range"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_INVALID_ARGS), "invalid args"},
+    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_INVALID_OPTION), "invalid option"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION),
     "missing key input for creating protection"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_KEY_USAGE_DIGITALSIGNATURE),
@@ -143,6 +144,8 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
     "unsupported key type"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNSUPPORTED_PROTECTION_ALG_DHBASEDMAC),
     "unsupported protection alg dhbasedmac"},
+    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_VALUE_TOO_LARGE), "value too large"},
+    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_VALUE_TOO_SMALL), "value too small"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_WRONG_ALGORITHM_OID),
     "wrong algorithm oid"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_WRONG_CERTID_IN_RP), "wrong certid in rp"},
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 9735a1c0b7..bbc3e9157e 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -253,12 +253,17 @@ static OSSL_CRMF_MSG *crm_new(OSSL_CMP_CTX *ctx, int bodytype, int rid)
                                             NULL /* serial */))
         goto err;
     if (ctx->days != 0) {
-        time_t notBefore, notAfter;
-
-        notBefore = time(NULL);
-        notAfter = notBefore + 60 * 60 * 24 * ctx->days;
-        if (!OSSL_CRMF_MSG_set_validity(crm, notBefore, notAfter))
+        time_t now = time(NULL);
+        ASN1_TIME *notBefore = ASN1_TIME_adj(NULL, now, 0, 0);
+        ASN1_TIME *notAfter = ASN1_TIME_adj(NULL, now, ctx->days, 0);
+
+        if (notBefore == NULL
+                || notAfter == NULL
+                || !OSSL_CRMF_MSG_set0_validity(crm, notBefore, notAfter)) {
+            ASN1_TIME_free(notBefore);
+            ASN1_TIME_free(notAfter);
             goto err;
+        }
     }
 
     /* extensions */
diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c
index c20a6da0f2..7530120ff3 100644
--- a/crypto/crmf/crmf_lib.c
+++ b/crypto/crmf/crmf_lib.c
@@ -244,35 +244,23 @@ OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm)
 }
 
 
-int OSSL_CRMF_MSG_set_validity(OSSL_CRMF_MSG *crm, time_t from, time_t to)
+int OSSL_CRMF_MSG_set0_validity(OSSL_CRMF_MSG *crm,
+                                ASN1_TIME *notBefore, ASN1_TIME *notAfter)
 {
-    OSSL_CRMF_OPTIONALVALIDITY *vld = NULL;
-    ASN1_TIME *from_asn = NULL;
-    ASN1_TIME *to_asn = NULL;
+    OSSL_CRMF_OPTIONALVALIDITY *vld;
     OSSL_CRMF_CERTTEMPLATE *tmpl = OSSL_CRMF_MSG_get0_tmpl(crm);
 
     if (tmpl == NULL) { /* also crm == NULL implies this */
-        CRMFerr(CRMF_F_OSSL_CRMF_MSG_SET_VALIDITY, CRMF_R_NULL_ARGUMENT);
+        CRMFerr(CRMF_F_OSSL_CRMF_MSG_SET0_VALIDITY, CRMF_R_NULL_ARGUMENT);
         return 0;
     }
 
-    if (from != 0 && ((from_asn = ASN1_TIME_set(NULL, from)) == NULL))
-        goto err;
-    if (to != 0 && ((to_asn = ASN1_TIME_set(NULL, to)) == NULL))
-        goto err;
     if ((vld = OSSL_CRMF_OPTIONALVALIDITY_new()) == NULL)
-        goto err;
-
-    vld->notBefore = from_asn;
-    vld->notAfter = to_asn;
-
+        return 0;
+    vld->notBefore = notBefore;
+    vld->notAfter = notAfter;
     tmpl->validity = vld;
-
     return 1;
- err:
-    ASN1_TIME_free(from_asn);
-    ASN1_TIME_free(to_asn);
-    return 0;
 }
 
 
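Review bot: The assignment "tmpl->validity = vld;" overwrites whatever validity the template already holds without freeing it, so a second call to OSSL_CRMF_MSG_set0_validity() on the same message leaks the earlier OSSL_CRMF_OPTIONALVALIDITY together with the ASN1_TIME values it owns. Free the existing tmpl->validity before assigning, as the documentation for OSSL_CRMF_MSG_set0_extensions() promises for extensions ("Frees any pre-existing ones"). It would also help to state in a comment that on the two "return 0" paths ownership of notBefore and notAfter stays with the caller, because the caller in crm_new() relies on exactly that when it frees both on failure.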
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index a30b808a25..1585688c83 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -378,7 +378,7 @@ CRMF_F_OSSL_CRMF_MSG_SET0_SINGLEPUBINFO:113:OSSL_CRMF_MSG_set0_SinglePubInfo
 CRMF_F_OSSL_CRMF_MSG_SET_CERTREQID:114:OSSL_CRMF_MSG_set_certReqId
 CRMF_F_OSSL_CRMF_MSG_SET_PKIPUBLICATIONINFO_ACTION:115:\
 	OSSL_CRMF_MSG_set_PKIPublicationInfo_action
-CRMF_F_OSSL_CRMF_MSG_SET_VALIDITY:116:OSSL_CRMF_MSG_set_validity
+CRMF_F_OSSL_CRMF_MSG_SET0_VALIDITY:116:OSSL_CRMF_MSG_set0_validity
 CRMF_F_OSSL_CRMF_PBMP_NEW:117:OSSL_CRMF_pbmp_new
 CRMF_F_OSSL_CRMF_PBM_NEW:118:OSSL_CRMF_pbm_new
 CRYPTO_F_CMAC_CTX_NEW:120:CMAC_CTX_new
@@ -2119,6 +2119,7 @@ CMP_R_FAILED_EXTRACTING_PUBKEY:141:failed extracting pubkey
 CMP_R_FAILURE_OBTAINING_RANDOM:110:failure obtaining random
 CMP_R_FAIL_INFO_OUT_OF_RANGE:129:fail info out of range
 CMP_R_INVALID_ARGS:100:invalid args
+CMP_R_INVALID_OPTION:174:invalid option
 CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION:130:\
 	missing key input for creating protection
 CMP_R_MISSING_KEY_USAGE_DIGITALSIGNATURE:142:missing key usage digitalsignature
@@ -2157,6 +2158,8 @@ CMP_R_UNSUPPORTED_ALGORITHM:136:unsupported algorithm
 CMP_R_UNSUPPORTED_KEY_TYPE:137:unsupported key type
 CMP_R_UNSUPPORTED_PROTECTION_ALG_DHBASEDMAC:154:\
 	unsupported protection alg dhbasedmac
+CMP_R_VALUE_TOO_LARGE:175:value too large
+CMP_R_VALUE_TOO_SMALL:177:value too small
 CMP_R_WRONG_ALGORITHM_OID:138:wrong algorithm oid
 CMP_R_WRONG_CERTID_IN_RP:187:wrong certid in rp
 CMP_R_WRONG_PBM_VALUE:155:wrong pbm value
diff --git a/doc/man3/OSSL_CRMF_MSG_set_validity.pod b/doc/man3/OSSL_CRMF_MSG_set0_validity.pod
similarity index 68%
rename from doc/man3/OSSL_CRMF_MSG_set_validity.pod
rename to doc/man3/OSSL_CRMF_MSG_set0_validity.pod
index 2544c65775..3f86bfaf07 100644
--- a/doc/man3/OSSL_CRMF_MSG_set_validity.pod
+++ b/doc/man3/OSSL_CRMF_MSG_set0_validity.pod
@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-OSSL_CRMF_MSG_set_validity,
+OSSL_CRMF_MSG_set0_validity,
 OSSL_CRMF_MSG_set_certReqId,
 OSSL_CRMF_CERTTEMPLATE_fill,
 OSSL_CRMF_MSG_set0_extensions,
@@ -15,7 +15,8 @@ OSSL_CRMF_MSGS_verify_popo
 
  #include <openssl/crmf.h>
 
- int OSSL_CRMF_MSG_set_validity(OSSL_CRMF_MSG *crm, time_t from, time_t to);
+ int OSSL_CRMF_MSG_set0_validity(OSSL_CRMF_MSG *crm,
+                                 ASN1_TIME *notBefore, ASN1_TIME *notAfter);
 
  int OSSL_CRMF_MSG_set_certReqId(OSSL_CRMF_MSG *crm, int rid);
 
@@ -37,29 +38,32 @@ OSSL_CRMF_MSGS_verify_popo
 
 =head1 DESCRIPTION
 
-OSSL_CRMF_MSG_set_validity() sets B<from> as notBefore and B<to> as notAfter
-as the validity in the certTemplate of B<crm>.
+OSSL_CRMF_MSG_set0_validity() sets the I<notBefore> and I<notAfter> fields
+as validity constraints in the certTemplate of I<crm>.
+Any of the I<notBefore> and I<notAfter> parameters may be NULL,
+which means no constraint for the respective field.
+On success ownership of I<notBefore> and I<notAfter> is transferred to I<crm>.
 
-OSSL_CRMF_MSG_set_certReqId() sets B<rid> as the certReqId of B<crm>.
+OSSL_CRMF_MSG_set_certReqId() sets I<rid> as the certReqId of I<crm>.
 
-OSSL_CRMF_CERTTEMPLATE_fill() sets those fields of the certTemplate B<tmpl>
-for which non-NULL values are provided: B<pubkey>, B<subject>, B<issuer>,
-and/or B<serial>.
-On success the reference counter of the B<pubkey> (if given) is incremented,
-while the B<subject>, B<issuer>, and B<serial> structures (if given) are copied.
+OSSL_CRMF_CERTTEMPLATE_fill() sets those fields of the certTemplate I<tmpl>
+for which non-NULL values are provided: I<pubkey>, I<subject>, I<issuer>,
+and/or I<serial>.
+On success the reference counter of the I<pubkey> (if given) is incremented,
+while the I<subject>, I<issuer>, and I<serial> structures (if given) are copied.
 
-OSSL_CRMF_MSG_set0_extensions() sets B<exts> as the extensions in the
-certTemplate of B<crm>. Frees any pre-existing ones and consumes B<exts>.
+OSSL_CRMF_MSG_set0_extensions() sets I<exts> as the extensions in the
+certTemplate of I<crm>. Frees any pre-existing ones and consumes I<exts>.
 
-OSSL_CRMF_MSG_push0_extension() pushes the X509 extension B<ext> to the
-extensions in the certTemplate of B<crm>.  Consumes B<ext>.
+OSSL_CRMF_MSG_push0_extension() pushes the X509 extension I<ext> to the
+extensions in the certTemplate of I<crm>.  Consumes I<ext>.
 
 OSSL_CRMF_MSG_create_popo() creates and sets the Proof-of-Possession (POPO)
-according to the method B<ppmtd> in B<crm>.
+according to the method I<ppmtd> in I<crm>.
 In case the method is OSSL_CRMF_POPO_SIGNATURE the POPO is calculated
-using the private B<pkey> and the digest algorithm NID B<dgst>.
+using the private I<pkey> and the digest algorithm NID I<dgst>.
 
-B<ppmtd> can be one of the following:
+I<ppmtd> can be one of the following:
 
 =over 8
 
@@ -82,7 +86,7 @@ challenge-response exchange (challengeResp) not yet supported.
 =back
 
 OSSL_CRMF_MSGS_verify_popo verifies the Proof-of-Possession of the request with
-the given B<rid> in the list of B<reqs>. Optionally accepts RAVerified.
+the given I<rid> in the list of I<reqs>. Optionally accepts RAVerified.
 
 =head1 RETURN VALUES
 
diff --git a/include/openssl/cmperr.h b/include/openssl/cmperr.h
index d1ce2256fa..d220e55c5e 100644
--- a/include/openssl/cmperr.h
+++ b/include/openssl/cmperr.h
@@ -74,6 +74,7 @@ int ERR_load_CMP_strings(void);
 #  define CMP_R_FAILURE_OBTAINING_RANDOM                   110
 #  define CMP_R_FAIL_INFO_OUT_OF_RANGE                     129
 #  define CMP_R_INVALID_ARGS                               100
+#  define CMP_R_INVALID_OPTION                             174
 #  define CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION  130
 #  define CMP_R_MISSING_KEY_USAGE_DIGITALSIGNATURE         142
 #  define CMP_R_MISSING_PRIVATE_KEY                        131
@@ -109,6 +110,8 @@ int ERR_load_CMP_strings(void);
 #  define CMP_R_UNSUPPORTED_ALGORITHM                      136
 #  define CMP_R_UNSUPPORTED_KEY_TYPE                       137
 #  define CMP_R_UNSUPPORTED_PROTECTION_ALG_DHBASEDMAC      154
+#  define CMP_R_VALUE_TOO_LARGE                            175
+#  define CMP_R_VALUE_TOO_SMALL                            177
 #  define CMP_R_WRONG_ALGORITHM_OID                        138
 #  define CMP_R_WRONG_CERTID_IN_RP                         187
 #  define CMP_R_WRONG_PBM_VALUE                            155
diff --git a/include/openssl/crmf.h b/include/openssl/crmf.h
index d262a9b759..bf9c1c6159 100644
--- a/include/openssl/crmf.h
+++ b/include/openssl/crmf.h
@@ -105,7 +105,8 @@ int OSSL_CRMF_MSG_set1_regInfo_utf8Pairs(OSSL_CRMF_MSG *msg,
 int OSSL_CRMF_MSG_set1_regInfo_certReq(OSSL_CRMF_MSG *msg,
                                        const OSSL_CRMF_CERTREQUEST *cr);
 
-int OSSL_CRMF_MSG_set_validity(OSSL_CRMF_MSG *crm, time_t from, time_t to);
+int OSSL_CRMF_MSG_set0_validity(OSSL_CRMF_MSG *crm,
+                                ASN1_TIME *notBefore, ASN1_TIME *notAfter);
 int OSSL_CRMF_MSG_set_certReqId(OSSL_CRMF_MSG *crm, int rid);
 int OSSL_CRMF_MSG_get_certReqId(const OSSL_CRMF_MSG *crm);
 int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm, X509_EXTENSIONS *exts);
diff --git a/include/openssl/crmferr.h b/include/openssl/crmferr.h
index 22936c620e..17e5c85cc2 100644
--- a/include/openssl/crmferr.h
+++ b/include/openssl/crmferr.h
@@ -44,7 +44,7 @@ int ERR_load_CRMF_strings(void);
 #   define CRMF_F_OSSL_CRMF_MSG_SET0_SINGLEPUBINFO          0
 #   define CRMF_F_OSSL_CRMF_MSG_SET_CERTREQID               0
 #   define CRMF_F_OSSL_CRMF_MSG_SET_PKIPUBLICATIONINFO_ACTION 0
-#   define CRMF_F_OSSL_CRMF_MSG_SET_VALIDITY                0
+#   define CRMF_F_OSSL_CRMF_MSG_SET0_VALIDITY               0
 #   define CRMF_F_OSSL_CRMF_PBMP_NEW                        0
 #   define CRMF_F_OSSL_CRMF_PBM_NEW                         0
 # endif
diff --git a/test/cmp_vfy_test.c b/test/cmp_vfy_test.c
index 583e7c2fbb..297c01edb2 100644
--- a/test/cmp_vfy_test.c
+++ b/test/cmp_vfy_test.c
@@ -158,6 +158,7 @@ static int test_validate_msg_mac_alg_protection(void)
     return result;
 }
 
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 static int test_validate_msg_mac_alg_protection_bad(void)
 {
     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
@@ -176,6 +177,7 @@ static int test_validate_msg_mac_alg_protection_bad(void)
     EXECUTE_TEST(execute_validate_msg_test, tear_down);
     return result;
 }
+#endif
 
 static int add_trusted(OSSL_CMP_CTX *ctx, X509 *cert)
 {
@@ -214,10 +216,12 @@ static int test_validate_msg_signature_trusted_ok(void)
     return test_validate_msg_signature_partial_chain(0);
 }
 
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 static int test_validate_msg_signature_trusted_expired(void)
 {
     return test_validate_msg_signature_partial_chain(1);
 }
+#endif
 
 static int test_validate_msg_signature_srvcert_wrong(void)
 {
@@ -246,10 +250,12 @@ static int test_validate_msg_signature_srvcert(int bad_sig)
     return result;
 }
 
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 static int test_validate_msg_signature_bad(void)
 {
     return test_validate_msg_signature_srvcert(1);
 }
+#endif
 
 static int test_validate_msg_signature_sender_cert_srvcert(void)
 {
@@ -298,6 +304,7 @@ static int test_validate_msg_signature_sender_cert_extracert(void)
 }
 
 
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 static int test_validate_msg_signature_sender_cert_absent(void)
 {
     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
@@ -309,7 +316,7 @@ static int test_validate_msg_signature_sender_cert_absent(void)
     EXECUTE_TEST(execute_validate_msg_test, tear_down);
     return result;
 }
-
+#endif
 
 static int test_validate_with_sender(const X509_NAME *name, int expected)
 {
@@ -335,6 +342,7 @@ static int test_validate_msg_signature_unexpected_sender(void)
     return test_validate_with_sender(X509_get_subject_name(root), 0);
 }
 
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 static int test_validate_msg_unprotected_request(void)
 {
     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
@@ -346,6 +354,7 @@ static int test_validate_msg_unprotected_request(void)
     EXECUTE_TEST(execute_validate_msg_test, tear_down);
     return result;
 }
+#endif
 
 static void setup_path(CMP_VFY_TEST_FIXTURE **fixture, X509 *wrong, int expired)
 {
@@ -607,19 +616,29 @@ int setup_tests(void)
     ADD_TEST(test_verify_popo_bad);
 #endif
     ADD_TEST(test_validate_msg_signature_trusted_ok);
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
     ADD_TEST(test_validate_msg_signature_trusted_expired);
+#endif
     ADD_TEST(test_validate_msg_signature_srvcert_wrong);
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
     ADD_TEST(test_validate_msg_signature_bad);
+#endif
     ADD_TEST(test_validate_msg_signature_sender_cert_srvcert);
     ADD_TEST(test_validate_msg_signature_sender_cert_untrusted);
     ADD_TEST(test_validate_msg_signature_sender_cert_trusted);
     ADD_TEST(test_validate_msg_signature_sender_cert_extracert);
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
     ADD_TEST(test_validate_msg_signature_sender_cert_absent);
+#endif
     ADD_TEST(test_validate_msg_signature_expected_sender);
     ADD_TEST(test_validate_msg_signature_unexpected_sender);
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
     ADD_TEST(test_validate_msg_unprotected_request);
+#endif
     ADD_TEST(test_validate_msg_mac_alg_protection);
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
     ADD_TEST(test_validate_msg_mac_alg_protection_bad);
+#endif
 
     /* Cert path validation tests */
     ADD_TEST(test_validate_cert_path_ok);
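Review bot: None of the six "#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION" guards added in setup_tests() (or the matching ones around the test functions) carries a comment saying why these particular negative tests are skipped; the reason is given only in the commit message. Add a short comment at the first guard explaining which checks the fuzzing build relaxes, so a reader does not mistake the guards for disabled coverage in normal builds. Each test is now guarded in two places that must stay in sync, so consider grouping the guarded ADD_TEST lines into one block to reduce the chance of an unused-function warning if one guard is later changed.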
diff --git a/test/recipes/81-test_cmp_cli.t b/test/recipes/81-test_cmp_cli.t
index 3be02c6166..8ddb3c2daf 100644
--- a/test/recipes/81-test_cmp_cli.t
+++ b/test/recipes/81-test_cmp_cli.t
@@ -20,10 +20,12 @@ use Data::Dumper; # for debugging purposes only
 
 setup("test_cmp_cli");
 
-plan skip_all => "This test is not supported in a no-cmp build"
+plan skip_all => "These tests are not supported in a no-cmp build"
     if disabled("cmp");
-plan skip_all => "This test is not supported in a no-ec build"
+plan skip_all => "These tests are not supported in a no-ec build"
     if disabled("ec");
+plan skip_all => "These tests are not supported in a fuzz build"
+    if !disabled("fuzz-libfuzzer") || !disabled("fuzz-afl");
 plan skip_all => "Tests involving server not available on Windows or VMS"
     if $^O =~ /^(VMS|MSWin32)$/;
 
@@ -249,12 +251,22 @@ sub load_tests {
         $line =~ s{_PBM_PORT}{$pbm_port}g;
         $line =~ s{_PBM_REF}{$pbm_ref}g;
         $line =~ s{_PBM_SECRET}{$pbm_secret}g;
-        my $noproxy = $line =~ m/,\s*-no_proxy\s*,(.*?)(,|$)/ ? $1 : $no_proxy;
-        next LOOP if $no_proxy && ($noproxy =~ $server_host)
-            && $line =~ m/,\s*-proxy\s*,/;
+
         next LOOP if $server_tls == 0 && $line =~ m/,\s*-tls_used\s*,/;
-        $line =~ s{-section,,}{-section,,-proxy,$proxy,} unless $line =~ m/,\s*-proxy\s*,/;
+        my $noproxy = $no_proxy;
+        if ($line =~ m/,\s*-no_proxy\s*,(.*?)(,|$)/) {
+            $noproxy = $1;
+        } elsif ($server_host eq "127.0.0.1") {
+            # do connections to localhost (e.g., Mock server) without proxy
+            $line =~ s{-section,,}{-section,,-no_proxy,127.0.0.1,} ;
+        }
+        if ($line =~ m/,\s*-proxy\s*,/) {
+            next LOOP if $no_proxy && ($noproxy =~ $server_host);
+        } else {
+            $line =~ s{-section,,}{-section,,-proxy,$proxy,};
+        }
         $line =~ s{-section,,}{-config,../$test_config,-section,$server_name $aspect,};
+
         my @fields = grep /\S/, split ",", $line;
         s/^<EMPTY>$// for (@fields); # used for proxy=""
         s/^\s+// for (@fields); # remove leading whitespace from elements
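Review bot: In "next LOOP if $no_proxy && ($noproxy =~ $server_host);" the host name is used as an unescaped regex, so the dots in a value such as 127.0.0.1 match any character and the test also succeeds on a partial match; quote it with \Q...\E or compare list entries explicitly. The new elsif branch compares only against the literal string "127.0.0.1", while its comment speaks of connections to localhost, so a server_host of "localhost" would still go through the proxy; either widen the check or narrow the comment. In that same branch $noproxy keeps the environment value after "-no_proxy,127.0.0.1," has been inserted into the line, so the later skip decision does not reflect what is actually passed to the CLI. There is also a stray space before the semicolon on the substitution line.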
diff --git a/test/recipes/81-test_cmp_cli_data/test_connection.csv b/test/recipes/81-test_cmp_cli_data/test_connection.csv
index eceac6eb94..7e4775afec 100644
--- a/test/recipes/81-test_cmp_cli_data/test_connection.csv
+++ b/test/recipes/81-test_cmp_cli_data/test_connection.csv
@@ -12,17 +12,14 @@ TBD,IP address, -section,, -server,_SERVER_IP:_SERVER_PORT,,,,
 1,server port negative, -section,, -server,_SERVER_HOST:-10,,,,,BLANK,,BLANK,,BLANK,,BLANK,
 1,server missing argument, -section,, -server,,,,,,BLANK,,BLANK,,BLANK,,BLANK,
 1,server with default port, -section,, -server,_SERVER_HOST,,,,,BLANK,,BLANK,,BLANK,,BLANK,
-1,server IP address bad syntax: double '.', -section,, -server,127.0.0..1:_SERVER_PORT,,,,,BLANK,,BLANK,,BLANK,,BLANK,
-1,server domain bad syntax: double '.', -section,, -server,_SERVER_HOST..com:_SERVER_PORT,,,,,BLANK,,BLANK,,BLANK,,BLANK,
-1,server port bad syntax: missing ':', -section,, -server,_SERVER_HOST.80,,,,,BLANK,,BLANK,,BLANK,,BLANK,
+1,server port bad syntax: leading garbage, -section,, -server,_SERVER_HOST:x/+80,,,,,BLANK,,BLANK,,BLANK,,BLANK,
 1,server port bad synatx: trailing garbage, -section,, -server,_SERVER_HOST:_SERVER_PORT+/x.,,,,,BLANK,,BLANK,,BLANK,,BLANK,
 1,server with TLS port, -section,, -server,_SERVER_HOST:_SERVER_TLS,,,,,BLANK,,BLANK,,BLANK,,BLANK,
 TBD,server IP address with TLS port, -section,, -server,_SERVER_IP:_SERVER_TLS,,,,,BLANK,,BLANK,,BLANK,,BLANK,
 ,,,,,,,,,,,,,,,,,,,,,,,,,
-1,proxy bad ipv4 address syntax: extra cell, -section,, -server,_SERVER_HOST:_SERVER_PORT, -proxy,127.0.0.0.0:8888,,,BLANK,,BLANK,,BLANK,,BLANK, -no_proxy,nonmatch.com
-1,proxy port out of range, -section,, -server,_SERVER_HOST:_SERVER_PORT, -proxy,127.0.0.1:65536,,,BLANK,,BLANK,,BLANK,,BLANK, -no_proxy,nonmatch.com
-1,proxy IP address bad syntax: double '.', -section,, -server,_SERVER_HOST:_SERVER_PORT, -proxy,127.0.0..1:8888,,,BLANK,,BLANK,,BLANK,,BLANK, -no_proxy,nonmatch.com
-1,proxy default port, -section,, -server,_SERVER_HOST:_SERVER_PORT, -proxy,127.0.0.1,,,BLANK,,BLANK,,BLANK,,BLANK, -no_proxy,nonmatch.com
+1,proxy port bad syntax: leading garbage, -section,, -server,_SERVER_HOST:_SERVER_PORT, -proxy,127.0.0.1:x*/8888,,,BLANK,,BLANK,,BLANK,,BLANK, -no_proxy,nonmatch.com,-msg_timeout,1
+1,proxy port out of range, -section,, -server,_SERVER_HOST:_SERVER_PORT, -proxy,127.0.0.1:65536,,,BLANK,,BLANK,,BLANK,,BLANK, -no_proxy,nonmatch.com,-msg_timeout,1
+1,proxy default port, -section,, -server,_SERVER_HOST:_SERVER_PORT, -proxy,127.0.0.1,,,BLANK,,BLANK,,BLANK,,BLANK, -no_proxy,nonmatch.com,-msg_timeout,1
 1,proxy missing argument, -section,, -server,_SERVER_HOST:_SERVER_PORT, -proxy,,,,BLANK,,BLANK,,BLANK,,BLANK, -no_proxy,nonmatch.com
 ,,,,,,,,,,,,,,,,,,,,,,,,,
 1,path missing argument, -section,,,,,, -path,,BLANK,,BLANK,,BLANK,,BLANK,
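Review bot: The removed rows ("server IP address bad syntax: double '.'", "server domain bad syntax: double '.'", "server port bad syntax: missing ':'", "proxy bad ipv4 address syntax: extra cell", "proxy IP address bad syntax: double '.'") were the only cases exercising a malformed host part; the replacements test only a malformed port. If the speed-up comes from avoiding name resolution, keep at least one malformed-host case for -server and one for -proxy with a short -msg_timeout, so parsing of the host component stays covered. The unchanged neighbouring row still reads "server port bad synatx: trailing garbage"; fix the spelling while editing this block.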
diff --git a/test/recipes/81-test_cmp_cli_data/test_enrollment.csv b/test/recipes/81-test_cmp_cli_data/test_enrollment.csv
index 64fb3fdcd6..305302e180 100644
--- a/test/recipes/81-test_cmp_cli_data/test_enrollment.csv
+++ b/test/recipes/81-test_cmp_cli_data/test_enrollment.csv
@@ -27,7 +27,7 @@ expected,description, -section,val, -cmd,val, -newkey,val,val, -newkeypass,val,
 ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
 0,days 1, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,, -days,1,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.cert.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
 0,days 0, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,, -days,0,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.cert.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
-0,days 36500, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,, -days,36500,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.cert.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
+0,days 365*100 beyond 2038, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,, -days,36500,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.cert.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
 1,days missing arg, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,, -days,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.cert.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
 1,days negative, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,, -days,-10,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.cert.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
 1,days no not integer, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,, -days,1.5,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.cert.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
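Review bot: the renamed row "days 365*100 beyond 2038" changes only the description. The -days value is still 36500 and the row still asserts nothing more than the value 0 in the "expected" column, so nothing visible here checks that the validity end of test.cert.pem actually lands past 2038. If the year-2038 boundary is what this case guards, add a check on the issued certificate's end date, or word the description so it does not promise more than the row tests. The context row "days no not integer" also carries a stray word in its description.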
diff --git a/test/run_tests.pl b/test/run_tests.pl
index bd83a6b988..8306c6018a 100644
--- a/test/run_tests.pl
+++ b/test/run_tests.pl
@@ -134,7 +134,6 @@ $eres = eval {
         my $class = shift;
         my %opts = %{ shift() };
         my $failure_verbosity = $openssl_args{failure_verbosity};
-        print "\n" if $failure_verbosity == 1 || $failure_verbosity == 2;
         my @plans = (); # initial level, no plan yet
         my $output_buffer = "";
 
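Review bot: removing the up-front print "\n" for failure_verbosity 1 and 2 is only correct together with the later hunk that moves the newline in front of each printed line. A short comment near $output_buffer stating that output is now newline-prefixed would keep the two places from drifting apart.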
@@ -158,24 +157,30 @@ $eres = eval {
                     my $tests_planned = $is_plan && $self->tests_planned;
                     my $is_test = $self->is_test;
                     my $is_ok = $is_test && $self->is_ok;
-                    # workaround in case parser not coping with indentation:
+
+                    # workaround for parser not coping with sub-test indentation
                     if ($self->is_unknown) {
+                        my $level = $#plans;
+                        my $indent = $level < 0 ? "" : " " x ($level * 4);
+
                         ($is_plan, $tests_planned) = (1, $1)
-                            if ($self->as_string =~ m/^\s+1\.\.(\d+)/);
+                            if ($self->as_string =~ m/^$indent    1\.\.(\d+)/);
                         ($is_test, $is_ok) = (1, !$1)
-                            if ($self->as_string =~ m/^\s+(not )?ok /);
+                            if ($self->as_string =~ m/^$indent(not )?ok /);
                     }
+
                     if ($is_plan) {
                         push @plans, $tests_planned;
                         $output_buffer = ""; # ignore comments etc. until plan
                     } elsif ($is_test) { # result of a test
                         pop @plans if @plans && --($plans[-1]) <= 0;
                         print $output_buffer if !$is_ok;
-                        print $self->as_string."\n"
+                        print "\n".$self->as_string
                             if !$is_ok || $failure_verbosity == 2;
                         $output_buffer = "";
-                    } else { # typically comment or unknown
-                        $output_buffer .= $self->as_string."\n";
+                    } elsif ($self->as_string ne "") {
+                        # typically is_comment or is_unknown
+                        $output_buffer .= "\n".$self->as_string;
                     }
                 }
             }
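Review bot: the sub-test indent width is hard-coded in two forms in the is_unknown branch, as $level * 4 and as the four literal spaces in m/^$indent    1\.\.(\d+)/. Put it in one named variable with a comment saying where the 4 comes from, so the plan pattern and the result pattern cannot get out of step. The $level < 0 guard is redundant, since " " x with a negative count already yields the empty string. Also, with lines now emitted as "\n".$self->as_string, the last line printed has no terminating newline unless code outside this hunk adds one; please confirm that it does.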
diff --git a/util/libcrypto.num b/util/libcrypto.num
index acaa17394e..683cddbc79 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4546,7 +4546,7 @@ OSSL_CRMF_MSG_set1_regCtrl_oldCertID    ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_CERTID_gen                    ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_set1_regInfo_utf8Pairs    ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_set1_regInfo_certReq      ?	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_set_validity              ?	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_set0_validity             ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_set_certReqId             ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_get_certReqId             ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_set0_extensions           ?	3_0_0	EXIST::FUNCTION:CRMF
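Review bot: renaming the exported symbol OSSL_CRMF_MSG_set_validity to OSSL_CRMF_MSG_set0_validity changes what the name promises to callers, because a set0 function takes ownership of what it is passed. This hunk shows only the libcrypto.num entry, so please confirm that the header declaration, the documentation and every caller are updated in the same commit and that callers no longer free the values they hand over. The ordinal is still "?", so the rename itself does not disturb assigned numbers.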

